[ale] PGP/GPG Keysigning party! ALE Central November 19th. (Mac OSeX prep)
aaron
aaron at pd.org
Mon Nov 2 12:26:11 EST 2009
This past weekend I dove into doing my homework for the Key
signing party at the November 19th ALE meeting. To follow
Michael's recommendation of generating an RSA / RSA pair
using Mac OSeX requires the latest GnuPG2 packages.
I found them at:
<http://sourceforge.net/projects/macgpg2/files/>
It's a simple unzip / mpkg install, but requires OSeX 10.4.x
or better. Though not explicitly stated, it seems to be a
Universal binary since it installs and runs on my PPC systems
without issue.
With Mac gpg2, RSA / RSA is the default 1st choice of --gen-key.
Other useful info and GUI based MacGPG tools can be found at:
<http://macgpg.sourceforge.net/>
Also, in trying to do a write up for the event, I found a
very informative "How To [GPG] Party" page that covers a lot
of aspects of the WHY as well as the HOW of the web of trust
and such...
<http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html>
HTH!
peace
aaron
On 2009, Oct 27, at 9:14 PM, Michael H. Warfield wrote:
> Hello all!
>
> Aaron approached me a couple of days ago about running a PGP/GPG key
> signing party for the November ALE meeting. Looking back, it looks like
> the last one was 6-1/2 years ago! Wow, time flies... Ok... So be it.
>
> I will do a VERY BRIEF intro to public key cryptography before the
> meeting but a successful key signing party depends on preparation in
> advance on the part of the participants! Even well organized keysigning
> parties can degenerate into chaos very easily. Do not come to the
> meeting looking to learn how to create a new key. You should have your
> keys ready in advance. If not, still come, but understand that you'll
> learn something about PGP but you probably won't walk away with keys or
> signatures.
>
> To make this go smoothly, I will collect keys in advance of the meeting
> and print out sheets with key fingerprints. That saves an incredible
> amount of time and effort during the actual meeting and gives me an idea
> of how many keys to expect and copies to make. It also permits me to
> have a collected keyring I can make available to everyone after the
> meeting. Please expect to provide at least one photo ID which will be
> projected on a screen for everyone to see (sensitive numbers will be
> blacked out with tape). Driver's license or passport are preferred.
>
> With recent developments in cryptography, some doubt is being cast on
> the DSS/DSA keys. Debian folks are strongly recommending a return to
> RSA keys and have some "procedures" in place for this.
>
> http://www.debian-administration.org/users/dkg/weblog/48
>
> If you are thinking it's time to dump off the old DSS/DSA keys and
> migrate back to an RSA 2048 bit key, now is the time as well. My older
> RSA 1024 bit key is still active and I have a DSS/DSA key as well but
> these are both being relegated to "legacy" and I now have a 2048/R key
> (0x674627FF). I'm not invalidating my old keys but I will only now be
> using them for key signing (my 0xDF1DD471 key is in the web of trust
> book and still in the PGP strong set).
>
> If you're not running the latest GnuPG, which should now be defaulting
> to RSA/RSA keys, it can get a little bit tricky to create a new style
> RSA key. With older (default DSS/DSA) versions of GnuPG, you should
> create a new key but don't accept the default DSA and select "RSA (sign
> only)" key instead. Once the key is created, edit that key and add an
> RSA encryption key to it.
>
> Better yet, update your GnuPG and the default will create the new key
> like you want (RSA and RSA - sign and encrypt). If you don't have a
> current key and you don't know what any of this is about, that's fine.
> Just create a new RSA key for yourself (if it says RSA and RSA - TAKE
> THAT OPTION). If you don't see that option available, ask for help or
> update your system first.
>
> What I need from YOU! Well in advance of the meeting, please send your
> PGP public keys to alekeyparty at wittsend.com. If you do not have a PGP
> key and are just looking to get started, the time to start is right now!
> The time is NOT at a key signing party. This list has some very bright
> folks on it who can help you out if you are having difficulties. I will
> try to answer questions as best I can, but ask them now.
>
> Last time, we had a few people who did not submit their keys in advance.
> That's fine as long as it's not excessive or we will be there all night.
> At the very least, if you don't submit your keys in advance, your keys
> must be on the public keyservers and you should come with printouts of
> your key fingerprint. I have business cards on which I have my key
> fingerprints printed. Some people use little strips of paper. All of
> that is fine but it should be on "dead trees edition" and enough copies
> so you can pass them out and people can make notes on them.
>
> Procedure at the meeting... People who submitted their keys go first.
> We will pass out the preprinted sheets and then call people up to
> project their IDs. The audience can then take notes on the sheets that
> they have confirmed their identification (anyone not showing up
> obviously is not confirmed AND SHOULD NOT BE SIGNED). After that,
> anyone with keysigning cards or other information to pass out can go
> from there. Anyone not prepared, we'll do what we can but you pays your
> nickel and you takes your chance.
>
> Procedure after the meeting... I'll update MY keyring with any last
> minute additions, clean out the "no shows", and then make an
> announcement to the list. You can then download that keyring and sign
> those keys which you feel comfortable that you confirmed their identity.
> You can then submit them to a public key server or send them back to the
> same E-Mail address above and I'll submit them in bulk.
>
> Any questions, please feel free to ping me but please do it early.
> We've only got about 3 weeks before this thing.
>
> Side note. I'm looking into also including a CA-Cert web of trust
> verification. That's for X.509 certificates from CA-Cert
> <http://www.cacert.org>. If you are interested, go up to their site and
> see what the deal is there. Being preregistered with them helps. You
> can get free X.509 S/Mime certificates and register OpenID with them.
> That all depends on me getting some additional CA-Cert "assurers"
> involved (there are several in the area). We did this at USENIX Lisa a
> couple of years back and it works in real well with a keysigning party.
> I'll post more details once I know more, if I can pull that off.
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
> /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
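
The fingerprint sheets and the RSA 2048-bit recommendation described in the quoted message can be combined in one preparation step. The following is an added example, not part of either e-mail: it parses the colon-delimited listing that `gpg --with-colons --fingerprint` produces and builds a check sheet, flagging keys outside that recommendation. The function names are hypothetical and the sample listing is constructed.

```python
# Added example, not from the original posts. Function names are hypothetical.
ALGOS = {"1": "RSA", "16": "ElGamal", "17": "DSA"}  # OpenPGP public-key algorithm IDs
# Constructed sample (made-up key IDs, fingerprints and names), not real gpg output.
SAMPLE = """\
pub:u:2048:1:1111222233334444:1256000000:::u:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:u::::1256000000::0000::Alice Example <alice@example.org>:
sub:u:2048:1:5555666677778888:1256000000::::::e:
fpr:::::::::0000000000000000000000005555666677778888:
pub:u:1024:17:9999AAAABBBBCCCC:1100000000:::-:Bob Example <bob@example.org>::scESC:
fpr:::::::::1234123412341234123412349999AAAABBBBCCCC:
"""

def parse_keys(colon_text):
    # One dict per primary key; fingerprints that follow a "sub" record are skipped.
    keys, key, on_primary = [], None, False
    for line in colon_text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # Older GnuPG puts the primary user ID in field 10 of the pub record.
            key = {"keyid": f[4], "bits": int(f[2]), "algo": ALGOS.get(f[3], "algo " + f[3]),
                   "uid": f[9] or None, "fpr": None}
            keys.append(key)
            on_primary = True
        elif f[0] == "sub":
            on_primary = False
        elif key and f[0] == "fpr" and on_primary and key["fpr"] is None:
            key["fpr"] = f[9]
        elif key and f[0] == "uid" and key["uid"] is None:
            key["uid"] = f[9]
    return keys

def legacy_reason(key):
    """Why a key misses the RSA 2048-bit recommendation quoted above, or None."""
    if key["algo"] != "RSA":
        return key["algo"] + " primary key"
    return "RSA below 2048 bits" if key["bits"] < 2048 else None

def check_sheet(keys):
    rows = []
    for k in sorted(keys, key=lambda k: (k["uid"] or "").lower()):
        fpr = k["fpr"] or ""
        spaced = " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))
        note = legacy_reason(k)
        rows.append("%s\n  %d-bit %s, key ID %s%s\n  %s\n  [ ] fingerprint matches  [ ] ID checked"
                    % (k["uid"], k["bits"], k["algo"], k["keyid"], "  (legacy: %s)" % note if note else "", spaced))
    return rows

if __name__ == "__main__":
    print("\n\n".join(check_sheet(parse_keys(SAMPLE))))
```

On a real keyring the input would be the text printed by `gpg --with-colons --fingerprint`; the full fingerprint, not the short key ID, is what attendees compare against the card handed to them.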