ALE GPG Key Signing Party & Solstice Season Social

A combined ALE NW (SPSU) & ALE Central (Emory) Event

7:30pm on Thursday, December 13, 2012  


Where:

Southern Polytechnic State University
Room J266 of the Atrium (J) building

( For a campus map and a link to directions please see
<http://www.spsu.edu/visitspsu/campusmaps/index.htm>
Parking in non-reserved spaces in the P60 deck is best.
Building J, the Atrium building, is a short distance east
of the parking deck.)

When:

Thursday, December 13th, 2012:

7:30pm to 8:00pm  (prompt) --> Brief Introduction to GPG
8:00pm to ~9:15pm  (prompt) --> Key Signing Party
9:30pm to ~11:00pm --> Solstice Season Socializing

We will start the key-signing process promptly at 8:00pm.
If you wish to participate you should prepare keys and
upload them to the keyring in advance, then arrive on time.

Synopsis:

-- For those who participate, the key signing party serves to confirm
the identity of other PGP Key users by connecting them to a "key ring"
and including them in the "web of trust" needed to validate their keys,
signatures and identities in the wider world.
-- Internationally recognized I.T. cryptography and security expert
Michael Warfield will present a brief GPG/PGP introduction with our
ardent GPG enthusiast, keymaster Jeremy "Dozer" Bouse, directing
the key signing process.

-- Participation in the key signing requires advanced preparations,
including generating and verifying any new keys you want to have
signed and then registering ALL keys you want to be signed with
the official event Keyring that is set up on the Biglumber Key server:
<http://biglumber.com/x/web?keyring=2952>
-- Detailed instructions, including "How To" info with shell command
line examples and background information on the process can be
found at these links:
<http://ale.org//static_pages/gpgstepbystep-111208.html>
-- The final step on the day of the signing party will be to download and
print out Jeremy's final key ring text file (which will NOT be labeled "DRAFT")
from <http://undergrid.net/ale12/ksp-ale12.txt> and then fill in the checksum
information for all of the keys you have placed in the ring to confirm their
authenticity.

What YOU need as a participant in the
ALE Key Signing party:

Required Items for Participation:
  1. Physical presence at the event with...
  2. Positive picture ID & second supporting form of ID
    (name must align with that used for the public key)
  3. Your PRE generated and PRE submitted Key Info:
    Key ID, Key Size, Key Type & HEX fingerprint
    in hard copy paper form.
  4. A pen or pencil or whatever you'd like to write with.
  5. NO computer  (to maintain privacy & security)

Required Process:
  1. Generate a key (or use an existing one).  Remember your pass phrase!
    ---
    To help with this, Charles Shapiro has prepared an excellent GPG Howto page
    with step by step command line directions for using the gpg (gpg2) program to
    generate, store, sign, register and use GPG keys. 
    ---
    *RSA/RSA Key pairs of 2048 bits or more are recommended for new keys.
    This is currently the default for the most recent releases of GnuPG and GnuPG2
    (gpg/gpg2), which are available for download and installation on most platforms
    via gnupg.org (for Mac OS X see sourceforge)
    ---
    Other general information about GPG keys and instructions for key generation
    and participating in a signing party can be found at the Keysigning Party Howto
    page, though some of the described party procedures and processes have been
    slightly modified to suit our ALE event.  General GPG FAQ links are also
    included below.
    ---
  2. Perform an EXPORT of your key...
    ( ie: $ gpg --armor --export {your keyid} > public.key.tmp )
    and add it to our keyring here:
    <http://biglumber.com/x/web?keyring=2952>
    You will see a text listing of our complete keyring with the key ids,
    the owner uids and the key fingerprints.   Just paste your public key
    into the text window or browse to a file of it and then hit "submit query"
    (yeah, I know it's kinda weird and confusing and it confused me the
    first time too).  Your key will be added and you will see a complete
    listing of the current keys on this keyring after you go back and hit
    "refresh".
    ---
    Participants are strongly encouraged to add their keys to the ring by
    midnight (EST) on Wednesday, December 7th in order to expedite the
    key signing process.
    ---
  3. Printout copies of the keyring list of Key info (User ID, Type, Size
    and Fingerprint) will be distributed at the meeting.  Participants will mark
    their sheets as individual ID's and Key Fingerprints are confirmed.
    ---
  4. Participants attend the party and bring along a paper copy of their Key info.
    You must also bring along a suitable form of photo ID and a secondary supporting
    form of ID.  Participants will make two marks on their copy of the key ring listing,
    one for confirmation of correct Key Info (User ID, Type, Size, & Fingerprint)
    and one for confirmation of the personal photo ID.
    ---
  5. At the meeting each key owner reads his Key info (User ID, Type, Size, &
    Fingerprint) from their own paper hard copy (NOT from the distributed listing!).
    This is because there could be an error, intended or not, on the listing. This is also
    the time to tell which ID's to sign or not. If the key information matches a
    participant's distributed Key list,  they place a check-mark by that Key information.
    ---
  6. After all participants have read their key ID information, they form a line, ideally
    in the order that the keys are listed on the sheet.  The first person walks down the
    line having every person check his ID.  The second person follows immediately
    behind the first person and so on.
    If you are satisfied that the person is who they say they are, and that the Key
    User ID on the printout is theirs, you place another check-mark next to their
    Key information on your printout.
    ---
  7. Once the first person cycles back around to the front of the line, they will have
    checked all the other IDs and their ID will have been checked by all others.
    ---
  8. After everyone has identified themselves, the formal part of the meeting is over.
    If everyone is registered and punctual the formal part of the evening should take
    less than an hour.
    ---
  9. After attending the party and confirming the key and ID information on your
    copy of the list of participants, each participant is expected to independently
    return to <http://biglumber.com/x/web?keyring=2592> and click on "Download
    this keyring", then copy and paste it to a file or run the following command:
     $ curl "http://biglumber.com/x/web?keyring=4254;download=1" > keyring.txt
    (don't forget the quotes around the URL -- note the semicolon)

    Import the keyring to your keyring with:
     $ gpg[2] --import keyring.txt

    Now proceed to sign the keys you've verified, one at a time, with:
     $ gpg[2] --sign-key [keyid to be signed]
    ---
  10. Export the keys you've signed to a keyring file.
     $ gpg[2] --armor --export [list of signed keyids] > keyring.txt

    Now return to the BigLumber site and upload the signed keys by clicking
    on "Browse" at the bottom, browsing to the keyring file of the signed
    key, selecting that, and finally hitting "Submit Query".  This may take
    some time to upload the keyring but it should then merge the new
    signatures from that upload into our keyring on BigLumber.  As of
    November 29, the keyring stood at 15 keys and over 330K long so this
    process may take a minute or two depending on speeds and the size of the
    final keyring.

    You can also send the keys directly to the global public keyservers with
    this command:
     $ gpg[2] --send-keys [list of signed keyids]

    Let us know when you've done this either by sending the organizers a
    message or posting it to the ALE list so others know there are updates
    up there.  I'll also make a posting to the ALE list when everyone has
    checked in that they have completed signing.
    ---
  11. When all the signatures have been collected (will be announced on the
    ALE list) you can return to the BigLumber site to repeat the download
    and import keyring steps as in step 9.  This will then import all the
    signatures everyone else has made to your own keys (as well as those
    made to the other keys).

    Alternatively, if you only want to import the signatures for your key(s)
    the full keyring will be pushed up to the public keyservers at that time and
    you can update your individual key(s) at any time with this command:
     $ gpg[2] --recv-keys [list of your key ids]
    ---
  12. Use your keys when appropriate and as often as possible.

If you still have questions or need clarifications AFTER reviewing all
of the instructions & links above, email Jeremy via jbouse[AT]debian.org.
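
One way to carry out the "sign the keys you've verified" part of step 9, as an added example that is not part of the original ALE instructions: after the import, save the output of gpg --with-colons --fingerprint to a file, type the fingerprints you check-marked twice on paper into a second file, and let the script report which keys match. The function names, file names and every fingerprint below are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a downloaded keyring against fingerprints checked on paper.
# All fingerprints below are constructed sample values, not real keys.

# Primary-key fingerprints from `gpg --with-colons --fingerprint` output (file $1).
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0 }
             $1 == "fpr" && want { print toupper($10); want = 0 }' "$1"
}

# Fingerprints typed in from your marked-up printout (file $1), one per line;
# spaces and case are ignored, anything that is not 40 hex digits is dropped.
verified_fprs() {
    tr -d ' \t\r' < "$1" |
        awk '{ f = toupper($0) } f ~ /^[0-9A-F]+$/ && length(f) == 40 { print f }'
}

# SIGN = on the keyring and double-checked; SKIP = on the keyring only;
# MISSING = checked on paper but the keyring holds no key with that fingerprint.
triage_keys() {
    present=$(primary_fprs "$1")
    verified=$(verified_fprs "$2")
    for f in $present; do
        if printf '%s\n' "$verified" | grep -qxF "$f"; then echo "SIGN $f"
        else echo "SKIP $f"; fi
    done
    for f in $verified; do
        printf '%s\n' "$present" | grep -qxF "$f" || echo "MISSING $f"
    done
}

# Constructed sample input: a two-key listing and a two-line sheet.
write_sample() {
    cat > "$1/listing.txt" <<'EOF'
pub:-:2048:1:AAAA1111AAAA1111:1354320000:::-:::scESC:
fpr:::::::::AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111:
uid:::::::::Alice Example <alice@example.org>:
sub:-:2048:1:DDDD4444DDDD4444:1354320000::::::e:
fpr:::::::::DDDD4444DDDD4444DDDD4444DDDD4444DDDD4444:
pub:-:2048:1:BBBB2222BBBB2222:1354320000:::-:::scESC:
fpr:::::::::BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222:
EOF
    cat > "$1/sheet.txt" <<'EOF'
aaaa 1111 aaaa 1111 aaaa  1111 aaaa 1111 aaaa 1111
CCCC 3333 CCCC 3333 CCCC  3333 CCCC 3333 CCCC 3333
EOF
}

tmp=$(mktemp -d) && write_sample "$tmp"
triage_keys "$tmp/listing.txt" "$tmp/sheet.txt"
```

Sign only the keys reported as SIGN. A MISSING line means the keyring holds no key with the fingerprint that was read aloud and checked at the party, so that key should not be signed until the mismatch is explained.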

Why shouldn't I bring a computer?

There are a variety of reasons why you don't want to do this. The short answer is it would
be insecure, unsafe, and of no benefit.  For those not convinced, here are some reasons why
it is insecure, unsafe, and of no benefit.

Other questions about signing keys?

Visit  <http://www.gnupg.org/> -- GNU PGP (Linux)

What if I still have a question?

If, after reading the resources provided above, you need help with other questions,
you can (sign on to and) post your inquiries to the many informed IT professionals
on the ALE@ALE.ORG mailing list.   Please include "GPG", "PGP" or "Key
Signing Party" in the Subject line.