ALE GPG Key Signing Party & Solstice Season Social
A combined ALE NW & ALE Central Event
7:30pm on Thursday, December 12, 2013
Where:
Southern Polytechnic State University
Room J202 of the Atrium (J) building
(For a campus map and a link to directions please see
<http://www.spsu.edu/visitspsu/campusmaps/index.htm>.
Parking in non-reserved spaces in the P60 deck is best.
Building J, the Atrium building, is a short distance east
of the parking deck.)
When:
Thursday, December 12th, 2013:
7:30pm to 8:00pm (prompt) --> General Daily use of GPG
8:00pm to ~9:15pm (prompt) --> Key Signing Party
9:30pm to ~11:00pm --> Solstice Season Socializing (Marietta Diner)
We will start the key-signing process promptly at 8:00pm.
If you wish to participate you should prepare your keys and
upload them to the keyring in advance, then arrive on time.
Synopsis:
-- For those who participate, the key signing party serves to confirm
the identity of other PGP key users by connecting them to a "key ring"
and including them in the "web of trust" needed to validate their keys,
signatures and identities in the wider world.
-- Debian Developer, IT Professional and ardent GPG enthusiast
Jeremy T. Bouse will give a brief presentation on some daily general
use of GPG before directing the key signing process.
-- Participation in the key signing requires advance preparations,
including generating and verifying any new keys you want to have
signed and then registering ALL keys you want to be signed with
the official event keyring that is set up on the Biglumber key server:
<http://biglumber.com/x/web?keyring=9655>
-- Detailed instructions, including "How To" info with shell command
line examples and background information on the process can be
found at these links:
<http://ale.org//static_pages/gpgstepbystep-131212.html>
-- The final step on the day of the signing party will be to download and
print out Jeremy's final key ring text file (which will NOT be labeled
"DRAFT") from <http://undergrid.net/ale13/ksp-ale13.txt>, verify your key
fingerprints, then generate and fill in the checksum information for the file.
-- At the beginning of the keysigning process the master checksums will be
provided to check against the ones you generated personally.
What YOU need as a participant in the
ALE Key Signing party:
Required Items for Participation:
- Physical presence at the event with...
- Positive picture ID & second supporting form of ID
(name must align with that used for the public key)
- Your print out of the final key ring text file with generated checksums
- A pen or pencil or whatever you'd like to write with.
- NO computer (to maintain privacy & security)
Required Process:
- Generate a key (or use an existing one). Remember your passphrase!
---
To help with this, Charles Shapiro has prepared an excellent GPG Howto page
with step by step command line directions for using the gpg (gpg2) program
to generate, store, sign, register and use GPG keys.
---
*RSA/RSA key pairs of 2048 bits or more are recommended for new keys.
This is currently the default for the most recent releases of GnuPG and
GnuPG2 (gpg/gpg2), which are available for download and installation on
most platforms via gnupg.org (for Mac OS X see sourceforge).
---
Other general information about GPG keys and instructions for key generation
and participating in a signing party can be found at the Keysigning Party
Howto page, though some of the described party procedures and processes have
been slightly modified to suit our ALE event. General GPG FAQ links are also
included below.
---
- Perform an EXPORT of your key...
(ie: $ gpg --armor --export {your keyid} > public.key.tmp)
and add it to our keyring here:
<http://biglumber.com/x/web?keyring=9655>
You will see a text listing of our complete keyring with the key ids,
the owner uids and the key fingerprints. Just paste your public key
into the text window or browse to a file of it and then hit "submit query"
(yeah, I know it's kinda weird and confusing and it confused me the
first time too). Your key will be added and you will see a complete
listing of the current keys on this keyring after you go back and hit
"refresh".
---
Participants are strongly encouraged to add their keys to the ring by
midnight (EST) on Wednesday, December 11th in order to expedite the key
signing process.
---
- Printout copies of the keyring list of key info (User ID, Type, Size
and Fingerprint) will be available at the meeting. Participants are
encouraged to have a copy printed themselves and checksums generated.
Participants will mark their sheets as they confirm each individual ID.
---
- Participants attending the party must bring along a suitable form of photo
ID and a secondary supporting form of ID. Participants will make two marks on
their copy of the key ring listing, one for confirmation of correct Key Info
(User ID, Type, Size & Fingerprint) and one for confirmation of the personal
photo ID.
---
- At the meeting, the organizer will give the checksum of the generated key
ring list. Each participant should compare this with the checksum they
generated. Then each key owner will present their identification to each
participant. If the key information matches a participant's distributed key
list entry, they place a check-mark by that key information.
---
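Added example (not part of the ALE announcement or Jeremy's instructions): a small Python helper for the sheet-checking step above. It computes the checksums of the downloaded key ring file (the hash algorithms are an assumption; use whatever the organizer announces), parses each key's id, size, fingerprint and user IDs from a constructed sample in the layout gpg --fingerprint prints, and compares a fingerprint read aloud against the sheet, accepting only a full 40-digit match.

```python
import hashlib
import re

# Constructed sample in the layout "gpg --fingerprint" prints; the key ids,
# fingerprints and names are made up for this added example.
SAMPLE_KEYRING = """\
pub   2048R/0A1B2C3D 2013-12-01
      Key fingerprint = 1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 0A1B 2C3D
uid                  Alice Example <alice@example.org>
pub   4096R/4E5F6A7B 2013-11-20
      Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 4E5F 6A7B
uid                  Bob Example <bob@example.net>
"""

PUB_RE = re.compile(r"^pub\s+(\d+)[A-Za-z]/([0-9A-Fa-f]{8,16})")
FPR_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+)")
UID_RE = re.compile(r"^uid\s+(.*\S)")

def checksums(text):
    """Digests of the file exactly as downloaded, to write on the sheet and
    compare with the organizer's master checksums (algorithms assumed)."""
    data = text.encode("utf-8")
    return {n: hashlib.new(n, data).hexdigest() for n in ("sha1", "sha256")}

def normalize_fpr(fpr):
    """Drop spacing and case so a fingerprint read aloud compares exactly."""
    return re.sub(r"[^0-9A-F]", "", fpr.upper())

def parse_keyring(text):
    """One dict per key: key id, size in bits, fingerprint and user ids."""
    entries, cur = [], None
    for line in text.splitlines():
        if m := PUB_RE.match(line):
            cur = {"keyid": m.group(2).upper(), "bits": int(m.group(1)),
                   "fingerprint": None, "uids": []}
            entries.append(cur)
        elif cur and (m := FPR_RE.search(line)):
            cur["fingerprint"] = normalize_fpr(m.group(1))
        elif cur and (m := UID_RE.match(line)):
            cur["uids"].append(m.group(1))
    return entries

def fingerprint_matches(entry, spoken):
    """True only when the full 40-digit fingerprint the owner reads out equals
    the sheet's; a matching short key id alone is not a confirmation."""
    spoken = normalize_fpr(spoken)
    return len(spoken) == 40 and spoken == entry["fingerprint"]
```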
- After all participants have read their key ID information, they form a
line, ideally in the order that the keys are listed on the sheet. The first
person walks down the line having every person check his ID. The second
person follows immediately behind the first person and so on.
If you are satisfied that the person is who they say they are, and that the
Key User ID on the printout is theirs, you place another check-mark next to
their key information on your printout.
---
- Once the first person cycles back around to the front of the line, they
will have checked all the other IDs and their ID will have been checked by
all others.
---
- After everyone has identified themselves, the formal part of the meeting
is over. If everyone is registered and punctual the formal part of the
evening should take less than an hour.
---
- After attending the party and confirming the key and ID information on
your copy of the list of participants, each participant is expected to
independently return to <http://biglumber.com/x/web?keyring=9655>
and click on "Download this keyring", then copy and paste it to a file or
run the following command:
$ curl "http://biglumber.com/x/web?keyring=9655;download=1" > keyring.txt
(don't forget the quotes around the URL -- note the semicolon)
Import the keyring into your keyring with:
$ gpg[2] --import keyring.txt
Now proceed to sign the keys you've verified, one at a time, with:
$ gpg[2] --sign-key [keyid to be signed]
---
- Export the keys you've signed to a keyring file.
$ gpg[2] --armor --export [list of signed keyids] > keyring.txt
Now return to the BigLumber site and upload the signed keys by clicking
on "Browse" at the bottom, browsing to the keyring file of the signed
keys, selecting that, and finally hitting "Submit Query". This may take
some time to upload the keyring but it should then merge the new
signatures from that upload into our keyring on BigLumber. This
process may take a minute or two depending on speeds and the size
of the final keyring.
You can also send the keys directly to the global public keyservers with
this command:
$ gpg[2] --send-keys [list of signed keyids]
Let us know when you've done this either by sending the organizers a
message or posting it to the ALE list so others know there are updates
up there. I'll also make a posting to the ALE list when everyone has
checked in that they have completed signing.
---
- After a week or two you can return to the BigLumber site to download
and import the signed keyring as in step 9. This will then import all the
signatures everyone else has made to your own keys (as well as those
made to the other keys).
Alternatively, if you only want to import the signatures for your key(s),
the full keyring will be pushed up to the public keyservers at that time and
you can update your individual key(s) at any time with this command:
$ gpg[2] --recv-keys [list of your key ids]
---
- Use your keys when appropriate and as often as possible.
If you still have questions or need clarifications AFTER reviewing all
of the instructions & links above, email Jeremy via jbouse[AT]debian.org.
Why shouldn't I bring a computer?
There are a variety of reasons why you don't want to do this. The short
answer is that it would be insecure, unsafe, and of no benefit. For those not
convinced, here are some reasons why it is insecure, unsafe, and of no
benefit.
- Someone might have modified the computer's programs, operating system, or
hardware to steal or modify keys.
- If people are swapping disks with their keys on them the computer owner
has to worry about viruses.
- If people are carrying their secret keys with them and intend to do the
signing at the actual meeting by typing their passphrase into a computer,
then they are open to key-logging attacks, shoulder-surfing, etc.
- It is much better to just exchange key details and verify ID and then do
the signing when you get home to your own trusted computer.
- Someone might spill beer on it.
- Someone might drop it or knock it off the table.
- Many more reasons that don't deserve articulating.
Other questions about signing keys?
Visit <http://www.gnupg.org/> -- GnuPG (Linux)
What if I still have a question?
If, after reading the resources provided above, you need help with other
questions, you can (sign on to and) post your inquiries to the many informed
IT professionals on the ALE@ALE.ORG mailing list. Please include "GPG", "PGP"
or "Key Signing Party" in the Subject line.