ALE GPG Key Signing Party & Solstice Season Social

A combined ALE NW & ALE Central Event

7:30pm on Thursday, December 12, 2013  


Where:

Southern Polytechnic State University
Room J202 of the Atrium (J) building

(For a campus map and a link to directions, please see
<http://www.spsu.edu/visitspsu/campusmaps/index.htm>.
Parking in non-reserved spaces in the P60 deck is best.
Building J, the Atrium building, is a short distance east
of the parking deck.)

When:

Thursday, December 12th, 2013:

7:30pm to 8:00pm  (prompt) --> General Daily use of GPG
8:00pm to ~9:15pm  (prompt) --> Key Signing Party
9:30pm to ~11:00pm --> Solstice Season Socializing (Marietta Diner)

We will start the key-signing process promptly at 8:00pm.
If you wish to participate you should prepare keys and
upload them to the keyring in advance, then arrive on time.

Synopsis:

-- For those who participate, the key signing party serves to confirm
the identity of other PGP Key users by connecting them to a "key ring"
and including them in the "web of trust" needed to validate their keys,
signatures and identities in the wider world.
-- Debian Developer, IT Professional and ardent GPG enthusiast
Jeremy T. Bouse will give a brief presentation on some daily general
use of GPG before directing the key signing process.

-- Participation in the key signing requires advanced preparations,
including generating and verifying any new keys you want to have
signed and then registering ALL keys you want to be signed with
the official event Keyring that is set up on the Biglumber Key server:
<http://biglumber.com/x/web?keyring=9655>
-- Detailed instructions, including "How To" info with shell command
line examples and background information on the process can be
found at these links:
<http://ale.org//static_pages/gpgstepbystep-131212.html>
-- The final step on the day of the signing party will be to download and
print out Jeremy's final key ring text file (which will NOT be labeled "DRAFT")
from <http://undergrid.net/ale13/ksp-ale13.txt> and verify your key fingerprints,
then generate and fill in the checksum information for the file.
-- At the beginning of the keysigning process the master checksums
will be provided to check against the ones you generated personally.

What YOU need as a participant in the
ALE Key Signing party:

Required Items for Participation:
  1. Physical presence at the event with...
  2. Positive picture ID & second supporting form of ID
    (name must align with that used for the public key)
  3. Your print out of the final key ring text file with generated checksums
  4. A pen or pencil or whatever you'd like to write with.
  5. NO computer  (to maintain privacy & security)

Required Process:
  1. Generate a key (or use an existing one).  Remember your pass phrase!
    ---
    To help with this, Charles Shapiro has prepared an excellent GPG Howto page
    with step by step command line directions for using the gpg (gpg2) program to
    generate, store, sign, register and use GPG keys. 
    ---
    *RSA/RSA Key pairs of 2048 bits or more are recommended for new keys.
    This is currently the default for the most recent releases of GnuPG and GnuPG2
    (gpg/gpg2), which are available for download and installation on most platforms
    via gnupg.org (for Mac OS X see sourceforge)
    ---
    Other general information about GPG keys and instructions for key generation
    and participating in a signing party can be found at the Keysigning Party Howto
    page, though some of the described party procedures and processes have been
    slightly modified to suit our ALE event.  General GPG FAQ links are also
    included below.
    ---
  2. Perform an EXPORT of your key...
    ( i.e.: $ gpg --armor --export {your keyid} > public.key.tmp )
    and add it to our keyring here:
    <http://biglumber.com/x/web?keyring=9655>
    You will see a text listing of our complete keyring with the key ids,
    the owner uids and the key fingerprints.   Just paste your public key
    into the text window or browse to a file of it and then hit "submit query"
    (yeah, I know it's kinda weird and confusing and it confused me the
    first time too).  Your key will be added and you will see a complete
    listing of the current keys on this keyring after you go back and hit
    "refresh".
    ---
    Participants are strongly encouraged to add their keys to the ring by
    midnight (EST) on Wednesday, December 11th in order to expedite the
    key signing process.
    ---
  3. Printout copies of the keyring list of Key info (User ID, Type, Size
    and Fingerprint) will be available at the meeting.  Participants are encouraged
    to have a copy printed themselves and checksums generated.  Participants will mark
    their sheets as they confirm each individual ID.
    ---
  4. Participants attending the party must bring along a suitable form of photo ID and a
    secondary supporting form of ID.  Participants will make two marks on their copy
    of the key ring listing, one for confirmation of correct Key Info (User ID, Type, Size,
    & Fingerprint) and one for confirmation of the personal photo ID.
    ---
  5. At the meeting, the organizer will give the checksum of the generated key ring list.
    Each participant should compare this with the checksum they generated. Then each
    key owner will present their identification to each participant. If the key
    information matches a participant's distributed Key list entry,  they
    place a check-mark by that Key information.
    ---
  6. After all participants have read their key ID information, they form a line, ideally
    in the order that the keys are listed on the sheet.  The first person walks down the
    line having every person check his ID.  The second person follows immediately
    behind the first person and so on.
    If you are satisfied that the person is who they say they are, and that the Key
    User ID on the printout is theirs, you place another check-mark next to their
    Key information on your printout.
    ---
  7. Once the first person cycles back around to the front of the line, they will have
    checked all the other IDs and their ID will have been checked by all others.
    ---
  8. After everyone has identified themselves, the formal part of the meeting is over.
    If everyone is registered and punctual the formal part of the evening should take
    less than an hour.
    ---
  9. After attending the party and confirming the key and ID information on your
    copy of the list of participants, each participant is expected to independently
    return to <http://biglumber.com/x/web?keyring=9655> and click on "Download
    this keyring", then copy and paste it to a file or run the following command:
     $ curl "http://biglumber.com/x/web?keyring=9655;download=1" > keyring.txt
    (don't forget the quotes around the URL -- note the semicolon)

    Import the keyring to your keyring with:
     $ gpg[2] --import keyring.txt

    Now proceed to sign the keys you've verified, one at a time, with:
     $ gpg[2] --sign-key [keyid to be signed]
    ---
  10. Export the keys you've signed to a keyring file.
     $ gpg[2] --armor --export [list of signed keyids] > keyring.txt

    Now return to the BigLumber site and upload the signed keys by clicking
    on "Browse" at the bottom, browsing to the keyring file of the signed
    key, selecting that, and finally hitting "Submit Query".  This may take
    some time to upload the keyring but it should then merge the new
    signatures from that upload into our keyring on BigLumber.  This
    process may take a minute or two depending on speeds and the size
    of the final keyring.

    You can also send the keys directly to the global public keyservers with
    this command:
     $ gpg[2] --send-keys [list of signed keyids]

    Let us know when you've done this either by sending the organizers a
    message or posting it to the ALE list so others know there are updates
    up there.  I'll also make a posting to the ALE list when everyone has
    checked in that they have completed signing.
    ---
  11. After a week or two you can return to the BigLumber site to download
    and import the signed keyring as in step 9.  This will then import all the
    signatures everyone else has made to your own keys (as well as those
    made to the other keys).

    Alternatively, if you only want to import the signatures for your key(s)
    the full keyring will be pushed up to the public keyservers at that time and
    you can update your individual key(s) at any time with this command:
     $ gpg[2] --recv-keys [list of your key ids]
    ---
  12. Use your keys when appropriate and as often as possible.

If you still have questions or need clarifications AFTER reviewing all
of the instructions & links above, email Jeremy via jbouse[AT]debian.org.
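
A check to run between the import in step 9 and the signing, shown here as an added example that is not part of the original announcement: it confirms that every fingerprint you check-marked on paper is the fingerprint of a primary key actually present in the imported keyring, because a key ID alone does not identify a key uniquely. The function names, file names and all sample fingerprints are assumptions constructed for illustration; the listing is in the format printed by gpg --with-colons --fingerprint.

```shell
#!/bin/sh
# Constructed sample data: every fingerprint and key ID below is made up.
# The second sheet entry and the second imported key share the short key ID
# 22223333 but have different fingerprints.
write_samples() {   # $1 = directory that receives sheet.txt and listing.txt
    cat > "$1/sheet.txt" <<'EOF'
1111 2222 3333 4444 5555  6666 7777 8888 9999 0000
aaaa bbbb cccc dddd eeee  ffff 0000 1111 2222 3333
EOF
    cat > "$1/listing.txt" <<'EOF'
pub:-:2048:1:7777888899990000:1386000000:::-:::scESC:
fpr:::::::::1111222233334444555566667777888899990000:
sub:-:2048:1:ABCDABCDABCDABCD:1386000000::::::e:
fpr:::::::::5555555555555555555555555555555555555555:
pub:-:2048:1:0F0F0F0F22223333:1386000000:::-:::scESC:
fpr:::::::::0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F22223333:
EOF
}

# Primary-key fingerprints from a colon listing on stdin. An fpr record
# belongs to the pub or sub record before it; only the one after pub counts.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# Fingerprints typed in from the printout (stdin, one per line):
# strip spacing, upper-case, drop blank lines.
normalise_sheet() { tr -d ' \t\r' | tr 'a-f' 'A-F' | awk 'length($0) > 0'; }

# check_sheet SHEET LISTING: print each check-marked fingerprint that is in
# the imported keyring; report the others on stderr and return 1.
check_sheet() {
    imported=$(primary_fprs < "$2"); status=0
    for fpr in $(normalise_sheet < "$1"); do
        if printf '%s\n' "$imported" | grep -qxF "$fpr"; then
            printf '%s\n' "$fpr"
        else
            printf 'NOT IN KEYRING, do not sign: %s\n' "$fpr" >&2; status=1
        fi
    done
    return "$status"
}

tmp=$(mktemp -d) && write_samples "$tmp"
check_sheet "$tmp/sheet.txt" "$tmp/listing.txt" || echo "some keys were flagged"
```

With real data, write the listing with gpg --with-colons --fingerprint > listing.txt after the import and give --sign-key the full fingerprints this prints rather than short key IDs.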

Why shouldn't I bring a computer?

There are a variety of reasons why you don't want to do this. The short answer is it would
be insecure, unsafe, and of no benefit.  For those not convinced, here are some reasons why
it is insecure, unsafe, and of no benefit.

Other questions about signing keys?

Visit  <http://www.gnupg.org/> -- GNU PGP (Linux)

What if I still have a question?

If, after reading the resources provided above, you need help with other questions,
you can (sign on to and) post your inquiries to the many informed IT professionals
on the ALE@ALE.ORG mailing list.   Please include "GPG", "PGP" or "Key
Signing Party" in the Subject line.