[ale] Reminder: ALE PGP Keysigning Party

Michael H. Warfield mhw at wittsend.com
Sun Jan 19 21:37:01 EST 2003


OK folks...

	Yes, I'll be sending out a couple of reminders leading up to the
PGP Keysigning party on February 13th.

	So far, I've only gotten a couple of keys in.  Once I get a few
more in, I'll set up a web page for people to check the fingerprints and
ID's of those who have sent keys in.  When that's up, you can check that
your key was received a little while after sending it.  It will be a
password protected page to protect the fingerprint listing from spam
harvesters and I'll post that information as well.

	In the meantime, I'm off to LinuxWorld for the next few days to
teach a couple of tutorials on Tuesday and a session on Forensics on
Wednesday.

	As before, attached below are the PGP keysigning party instructions.

	Send in those PGP keys!

	Regards,
	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

==============================================================================

	As promised at last Thursday's ALE meeting, here are the instructions
for submitting your PGP/GPG keys for the upcoming keysigning party,
scheduled for Thursday, February 13, 2003 at Emory.

	I will repost this a couple of times between now and the meeting
but I strongly recommend that you submit your keys early so we have a
good idea of how many may be attending.

	TIA!

==============================================================================

	The following is based on [IOW, blatantly plagiarized from and
paraphrased] the keysigning party instructions from Ted Tso <tytso at mit.edu>
and his pgp keysigning parties at the quarterly IETF meetings which is, in
turn, based on the keysigning party outline by Derek Atkins <warlord at mit.edu>,
which I posted in an earlier message.

==============================================================================

We will be holding a PGP Key signing party at the monthly ALE meeting on
the evening of Thursday February 13 beginning at 7:30 at Emory University.
The procedure we will use is the following:

o People who wish to participate should email an ASCII extract of their
  PGP public key to <mhw at wittsend.com> by noon on Thursday, February 13,
  2003. Please include a subject line of "ALE PGP KEY", and please
  avoid MIME-encrypting your e-mail.  (I will be processing the keys
  based on the subject by procmail through GPG 1.2.1; anything which GPG
  can not interpret will be ignored unless I take manual action to fix
  things, which I will try to do but make no guarantees about doing.)

  I have procmail set to catch "ALE PGP KEY" or "ALE GPG KEY" in a
  case insensitive manner with relatively soft matches on variable
  spaces and references (Re: AW:, etc).  If it's reasonably close
  to the subject string, it should catch it.  If it doesn't I should
  catch it and manually feed it in but, again, I'm making no guarantees.

  The method of generating the ASCII extract under Unix is:

	pgp -kxa my_email_address mykey.asc		(pgp 2.6.2)
	pgpk -xa my_email_address > mykey.asc		(pgp 5.x)
	gpg --export -a my_email_address > mykey.asc	(gpg)

  If you're using Windows or Macintosh, hopefully it will be Intuitively
  Obvious (tm) using the GUI interface how to generate an ASCII armored
  key that begins "-----BEGIN PGP PUBLIC KEY BLOCK-----".

o By 6pm on Thursday, you will be able to fetch a complete key ring
  from the following URL with all of the keys that were submitted:

 	http://www.wittsend.com/mhw/2003/ale.pgp

  You do NOT need to retrieve the keyring prior to attending the
  meeting.  You do not have to sign any keys at the meeting itself and
  any verification sheets or information will be handed out in printed
  form.

o At 7:30pm, come prepared with the PGP Key fingerprint of your PGP
  public key; we will have handouts with all of the key fingerprints of
  the keys that people have mailed in.  There should be enough copies of
  the handouts to cover everyone who has submitted keys plus some
  additional copies.

o In turn, readers at the front of the room will recite people's keys;
  as your key fingerprint is read, stand up and present some form of
  picture identification for projection and verification, and at the
  end of reading of your PGP key fingerprint, acknowledge that the
  fingerprint as read was correct.

o As each key is announced and acknowledged, those in the audience should
  note on their handouts that the fingerprint was read and verified by the
  owner, and the owner presented confirmation of his identity.

o Later that evening, or perhaps when you get home, you can sign the
  keys corresponding to the fingerprints which you were able to verify
  on the handout; note that it is advisable that you only sign keys of
  people when you have personal knowledge that the person who stood up
  during the reading of his/her fingerprint really is the person which
  he/she claimed to be.

o Submit the keys you have signed to the PGP keyservers.  A good one to
  use is the one at MIT, pgp.mit.edu:

  To submit a key to pgp.mit.edu by E-Mail, simply send mail containing
  the ascii armored version of your PGP public key to <pgp at pgp.mit.edu>.

  You can also submit keys directly to the keyservers from GPG as
  follows:

  gpg --send-keys {keyid} {keyid} {keyid} ...

  You can specify the keyserver (for example, wwwkeys.us.pgp.net) on the
  command line as follows:

  gpg --keyserver hkp://wwwkeys.us.pgp.net --send-keys {keyid} {keyid} {keyid} ...

  You may also, optionally, E-Mail the signed key back to the owner,
  but the keyservers are the preferred method.


Note:  You don't have to have a laptop with you; if you don't have
any locally trusted computing resources during the key signing party,
you can make notes on the handout, and then take the handout home and
sign the keys later.

Caveats:  A PGP keysigning party is NOT the time to generate a new key.
If you don't already have a PGP/GPG key, generate one now and submit
the public key for inclusion.  If you need assistance in generating a
key, the time to ask is NOW, not then.  If you have not submitted a
key but show up with keysigning cards, you may have time to pass them
out and we might get to you after all the submitted keys are done, or you
may not and we might not.  If you have not submitted a key and don't even
have printed keysigning cards, you will probably be out of luck, this
time around, so please be prepared and submit your keys.  If you don't
submit your key, it will NOT be on the downloadable keyring; signers will
have to independently retrieve it and you will be on your own.

	Regards,
	Mike
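
Added example, not part of the original post: one way to carry out the "sign only the keys whose fingerprints you verified" step, by comparing the fingerprints marked on the handout with the downloaded keyring before signing anything. The function name check_handout, the file names and all keys are constructed; the listing is assumed to be in gpg's `--with-colons --fingerprint` format.

```sh
#!/bin/sh
# Added example; every key, key ID and fingerprint below is constructed.

# check_handout TICKED LISTING
#   TICKED:  fingerprints you marked as read and acknowledged, one per line
#   LISTING: `gpg --with-colons --fingerprint` output for the party keyring
# Prints "SIGN <keyid> <fpr>" for each marked fingerprint that matches a
# primary key, "NOMATCH <fpr>" for each that does not; returns 1 on any NOMATCH.
check_handout() {
    awk -F: '
        FILENAME == ARGV[1] {           # handout notes: drop spaces, fold case
            gsub(/[ \t]/, "")
            if ($0 != "") want[toupper($0)] = 1
            next
        }
        $1 == "pub" { keyid = $5; primary = 1 }
        $1 == "sub" { primary = 0 }     # subkey fingerprints are not signed
        $1 == "fpr" && primary {
            primary = 0; fp = toupper($10)
            if (fp in want) { print "SIGN " keyid " " fp; seen[fp] = 1 }
        }
        END {
            for (f in want) if (!(f in seen)) { print "NOMATCH " f; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$1" "$2"
}

demo_dir=$(mktemp -d)

# Constructed keyring listing: two primary keys, the second with a subkey.
cat > "$demo_dir/listing.txt" <<'EOF'
pub:-:1024:17:AAAAAAAA11111111:2002-06-01:::-:Alice Example <alice@example.org>::
fpr:::::::::0123456789ABCDEF01234567AAAAAAAA11111111:
pub:-:1024:17:BBBBBBBB22222222:2002-07-01:::-:Bob Example <bob@example.org>::
fpr:::::::::FEDCBA9876543210FEDCBA98BBBBBBBB22222222:
sub:-:2048:16:CCCCCCCC33333333:2002-07-01::::::
fpr:::::::::00112233445566778899AABBCCCCCCCC33333333:
EOF

# Constructed handout notes: first entry typed correctly, second off by one digit.
cat > "$demo_dir/ticked.txt" <<'EOF'
0123 4567 89AB CDEF 0123  4567 AAAA AAAA 1111 1111
fedc ba98 7654 3210 fedc  ba98 bbbb bbbb 2222 2223
EOF

check_handout "$demo_dir/ticked.txt" "$demo_dir/listing.txt" ||
    echo "Re-check every NOMATCH entry against the handout before signing."
```

Only the key IDs on SIGN lines should be signed; a NOMATCH means the noted fingerprint is not a primary key in the keyring as downloaded.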
