ALE GPG Key Signing Party & Solstice Season Social

A combined ALE NW (SPSU) & ALE Central (Emory) Event

7:30pm on Thursday, December 8, 2011  


Where:

Southern Polytechnic State University
Room J110
of the Atrium (J) building

(For a campus map and a link to directions please see
<http://www.spsu.edu/visitspsu/campusmaps/index.htm>
Parking in non-reserved spaces in the P60 deck is best.
Building J, the Atrium building, is a short distance east
of the parking deck.)

When:

Thursday, December 8th, 2011:

7:30pm to 8:00pm  (prompt) --> Brief Introduction to GPG
8:00pm to 9:30pm  (prompt) --> Key Signing Party

We will start the key-signing process promptly at 8:00pm.
If you wish to participate you should prepare in advance
and arrive on time.

Synopsis:

Our December ALE NW and ALE Central meetings are being
combined as a PGP/GPG Keysigning Party followed by an ALE Solstice
Season Social at a nearby eatery.

For those unfamiliar with PGP or interested in learning more about the
GnuPG implementation of PGP cryptography and the value of protecting
your privacy and your identity with PGP signatures, we suggest you
review David Tomaschik's March 2011 presentation on the topic.
Video of this presentation is available for download or streaming under
the file name "ale-20110317-gpg-tomaschik.mp4" at these URLs:
  <http://arxion.net/ale/>
  <http://patshead.com/ale/>
  <http://jimkinney.us/downloads/>
An ALE member has also posted a torrent at Amazon S3:
  <https://s3.amazonaws.com/datalore/ale-20110317-gpg-tomaschik.mp4?torrent>
The video file is ~443MB, encoded as H.264 in an MP4 wrapper.

For those wishing to participate, the key signing party serves to
confirm the identity of other PGP Key users by connecting them to a
"key ring" and including them in the "web of trust" needed to validate
their keys and identities.

Internationally recognized I.T. cryptography and security expert
Michael Warfield will present the GPG/PGP introduction and
host the key signing party.

What YOU need as a participant in the
ALE Key Signing party:

Required Items for Participation:
  1. Physical presence at the event with...
  2. Positive picture ID & second supporting form of ID
    (name must align with that used for the public key)
  3. Your PRE generated and PRE submitted Key Info:
    Key ID, Key Size, Key Type & HEX fingerprint
    in hard copy paper form.
  4. A pen or pencil or whatever you'd like to write with.
  5. NO computer  (to maintain privacy & security)

Required Process:
  1. Generate a key (or use an existing one).  Remember your pass phrase!
    ---
    To help with this, Charles Shapiro has prepared an excellent GPG Howto page
    with step by step command line directions for using the gpg (gpg2) program to
    generate, store, sign, register and use GPG keys. 
    ---
    *RSA/RSA Key pairs of 2048 bits or more are recommended for new keys.
    This is currently the default for the most recent releases of GnuPG and GnuPG2
    (gpg/gpg2), which are available for download and installation on most platforms
    via gnupg.org (for Mac OS X see sourceforge)
    ---
    Other general information about GPG keys and instructions for key generation
    and participating in a signing party can be found at the Keysigning Party Howto
    page, though some of the described party procedures and processes have been
    slightly modified to suit our ALE event.  General GPG FAQ links are also
    included below.
    ---
  2. Perform an EXPORT of your key...
    ( ie: $ gpg --armor --export {your keyid} > public.key.tmp )
    and add it to our keyring here:
    <http://biglumber.com/x/web?keyring=4254>
    You will see a text listing of our complete keyring with the key ids,
    the owner uids and the key fingerprints.   Just paste your public key
    into the text window or browse to a file of it and then hit "submit query"
    (yeah, I know it's kinda weird and confusing and it confused me the
    first time too).  Your key will be added and you will see a complete
    listing of the current keys on this keyring after you go back and hit
    "refresh".
    ---
    Participants are strongly encouraged to add their keys to the ring
    by midnight (EST) on Wednesday, December 7th in order to expedite
    the key signing process.
    ---
  3. Printout copies of the keyring list of Key info (User ID, Type, Size
    and Fingerprint) will be distributed at the meeting.  Participants will mark
    their sheets as individual ID's and Key Fingerprints are confirmed.
    ---
  4. Participants attend the party and bring along a paper copy of their Key info.
    You must also bring along a suitable form of photo ID and a secondary supporting
    form of ID.  Participants will make two marks on their copy of the key ring listing,
    one for confirmation of correct Key Info (User ID, Type, Size, & Fingerprint)
    and one for confirmation of the personal photo ID.
    ---
  5. At the meeting each key owner reads his Key info (User ID, Type, Size, &
    Fingerprint) from their own paper hard copy (NOT from the distributed listing!).
    This is because there could be an error, intended or not, on the listing. This is also
    the time to tell which ID's to sign or not. If the key information matches a
    participant's distributed Key list,  they place a check-mark by that Key information.
    ---
  6. After all participants have read their key ID information, they form a line, ideally
    in the order that the keys are listed on the sheet.  The first person walks down the
    line having every person check his ID.  The second person follows immediately
    behind the first person and so on.
    If you are satisfied that the person is who they say they are, and that the Key
    User ID on the printout is theirs, you place another check-mark next to their
    Key information on your printout.
    ---
  7. Once the first person cycles back around to the front of the line, they will have
    checked all the other IDs and their ID will have been checked by all others.
    ---
  8. After everyone has identified themselves, the formal part of the meeting is over.
    If everyone is registered and punctual the formal part of the evening should take
    less than an hour.
    ---
  9. After attending the party and confirming the key and ID information on your
    copy of the list of participants, each participant is expected to independently
    return to <http://biglumber.com/x/web?keyring=4254> and click on "Download
    this keyring", then copy and paste it to a file or run the following command:
     $ curl "http://biglumber.com/x/web?keyring=4254;download=1" > keyring.txt
    (don't forget the quotes around the URL -- note the semicolon)

    Import the keyring to your keyring with:
     $ gpg[2] --import keyring.txt

    Now proceed to sign the keys you've verified, one at a time, with:
     $ gpg[2] --sign-key [keyid to be signed]
    ---
  10. Export the keys you've signed to a keyring file.
     $ gpg[2] --armor --export [list of signed keyids] > keyring.txt

    Now return to the BigLumber site and upload the signed keys by clicking
    on "Browse" at the bottom, browsing to the keyring file of the signed
    key, selecting that, and finally hitting "Submit Query".  This may take
    some time to upload the keyring but it should then merge the new
    signatures from that upload into our keyring on BigLumber.  As of
    November 29, the keyring stood at 15 keys and over 330K long so this
    process may take a minute or two depending on speeds and the size of the
    final keyring.

    You can also send the keys directly to the global public keyservers with
    this command:
     $ gpg[2] --send-keys [list of signed keyids]

    Let us know when you've done this either by sending the organizers a
    message or posting it to the ALE list so others know there are updates
    up there.  I'll also make a posting to the ALE list when everyone has
    checked in that they have completed signing.
    ---
  11. When all the signatures have been collected (will be announced on the
    ALE list) you can return to the BigLumber site to repeat the download
    and import keyring steps as in step 9.  This will then import all the
    signatures everyone else has made to your own keys (as well as those
    made to the other keys).

    Alternatively, if you only want to import the signatures for your key(s)
    the full keyring will be pushed up to the public keyservers at that time and
    you can update your individual key(s) at any time with this command:
     $ gpg[2] --recv-keys [list of your key ids]
    ---
  12. Use your keys when appropriate and as often as possible.
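
Steps 9 and 10 only hold up if the keys you sign are exactly the ones you check-marked on paper. The script below is an added example, not part of the original announcement: it compares full fingerprints from gpg's colon-format listing against your sheet. The function names, sample keys and the file name verified.txt are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original announcement). All keys are constructed.

# Constructed sample of `gpg --with-colons --fingerprint` output after import.
SAMPLE_LISTING='pub:-:2048:1:AAAAAAAAAAAA0001:1322000000:::-:::scESC:
fpr:::::::::111111111111111111111111AAAAAAAAAAAA0001:
uid:-::::1322000000::X::Alice Example <alice@example.org>:
sub:-:2048:1:BBBBBBBBBBBB0009:1322000000::::::e:
fpr:::::::::999999999999999999999999BBBBBBBBBBBB0009:
pub:-:2048:1:CCCCCCCCCCCC0002:1322000001:::-:::scESC:
fpr:::::::::222222222222222222222222CCCCCCCCCCCC0002:
uid:-::::1322000001::Y::Bob Example <bob@example.org>:'

# Constructed sheet: what you typed in from your check-marked printout.
# Line 1 is a full fingerprint; line 2 is only a key ID and must not count.
VERIFIED_SHEET='1111 1111 1111 1111 1111  1111 aaaa aaaa aaaa 0001
CCCCCCCCCCCC0002'

# Strip spacing, uppercase, and keep only full 40-hex-digit fingerprints.
normalize_fprs() {
    tr -d ' \t\r' | tr 'a-f' 'A-F' |
        awk 'length($0) == 40 && $0 !~ /[^0-9A-F]/'
}

# Print each primary-key fingerprint from a colon listing on stdin.
# Field 10 of the fpr record after a pub record; subkey fprs are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# classify LISTING SHEET: print "SIGN <fpr>" or "SKIP <fpr>" for every key.
classify() {
    verified=$(printf '%s\n' "$2" | normalize_fprs)
    printf '%s\n' "$1" | primary_fprs | while read -r fpr; do
        if printf '%s\n' "$verified" | grep -qFx "$fpr"; then
            echo "SIGN $fpr"
        else
            echo "SKIP $fpr"
        fi
    done
}

# Real use (verified.txt is a hypothetical file name):
#   classify "$(gpg --with-colons --fingerprint)" "$(cat verified.txt)"
classify "$SAMPLE_LISTING" "$VERIFIED_SHEET"
```

Pass the full fingerprint from each SIGN line to --sign-key, and leave every SKIP key unsigned until its fingerprint has been confirmed in person.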
       

Why shouldn't I bring a computer?

There are a variety of reasons why you don't want to do this. The short answer is it would
be insecure, unsafe, and of no benefit.  For those not convinced, here are some reasons why
it is insecure, unsafe, and of no benefit.

Other questions about signing keys?

You may want to read the Keysigning Party Howto which includes an
explanation of the concepts behind keysigning, instructions for hosting
a keysigning party, instructions for participating in a keysigning party,
and step by step instructions for signing others' keys.

If you're looking for quick answers you may want to look to the
questions and answers below, which all come from the PGP FAQ.
It also has a lot of other good information.

Other useful PGP links

A few more links for PGP newbies, or those who wish to reacquaint themselves.

What if I still have a question?

If, after reading the resources provided above, you need help with other questions,
you can (sign up for and) post your inquiries to the many informed IT professionals
of the ALE@ALE.ORG mailing list.   Please include "GPG", "PGP" or "Key
Signing Party" in the Subject line.