[ale] PGP/GPG Keysigning party! ALE Central November 19th.
Michael H. Warfield
mhw at WittsEnd.com
Tue Oct 27 21:14:06 EDT 2009
Hello all!
Aaron approached me a couple of days ago about running a PGP/GPG key
signing party for the November ALE meeting. Looking back, it looks like
the last one was 6-1/2 years ago! Wow, time flies... Ok... So be it.
I will do a VERY BRIEF intro to public key cryptography before the
meeting but a successful key signing party depends on preparation in
advance on the part of the participants! Even well organized keysigning
parties can degenerate into chaos very easily. Do not come to the
meeting looking to learn how to create a new key. You should have your
keys ready in advance. If not, still come, but understand that you'll
learn something about PGP but you probably won't walk away with keys or
signatures.
To make this go smoothly, I will collect keys in advance of the meeting
and print out sheets with key fingerprints. That saves an incredible
amount of time and effort during the actual meeting and gives me an idea
of how many keys to expect and copies to make. It also permits me to
have a collected keyring I can make available to everyone after the
meeting. Please expect to provide at least one photo ID which will be
projected on a screen for everyone to see (sensitive numbers will be
blacked out with tape). Driver's license or passport are preferred.
With recent developments in cryptography, some doubt is being cast on
the DSS/DSA keys. Debian folks are strongly recommending a return to
RSA keys and have some "procedures" in place for this.
http://www.debian-administration.org/users/dkg/weblog/48
If you are thinking it's time to dump off the old DSS/DSA keys and
migrate back to an RSA 2048 bit key, now is the time as well. My older
RSA 1024 bit key is still active and I have a DSS/DSA key as well but
these are both being relegated to "legacy" and I now have a 2048/R key
(0x674627FF). I'm not invalidating my old keys but I will only now be
using them for key signing (my 0xDF1DD471 key is in the web of trust
book and still in the PGP strong set).
If you're not running the latest GnuPG, which should now be defaulting
to RSA/RSA keys, it can get a little bit tricky to create a new style
RSA key. With older (default DSS/DSA) versions of GnuPG, you should
create a new key but don't accept the default DSA and select "RSA (sign
only)" key instead. Once the key is created, edit that key and add an
RSA encryption key to it.
Better yet, update your GnuPG and the default will create the new key
like you want (RSA and RSA - sign and encrypt). If you don't have a
current key and you don't know what any of this is about, that's fine.
Just create a new RSA key for yourself (if it says RSA and RSA - TAKE
THAT OPTION). If you don't see that option available, ask for help or
update your system first.
What I need from YOU! Well in advance of the meeting, please send your
PGP public keys to alekeyparty at wittsend.com. If you do not have a PGP
key and are just looking to get started, the time to start is right now!
The time is NOT at a key signing party. This list has some very bright
folks on it who can help you out if you are having difficulties. I will
try to answer questions as best I can, but ask them now.
Last time, we had a few people who did not submit their keys in advance.
That's fine as long as it's not excessive or we will be there all night.
At the very least, if you don't submit your keys in advance, your keys
must be on the public keyservers and you should come with printouts of
your key fingerprint. I have business cards on which I have my key
fingerprints printed. Some people use little strips of paper. All of
that is fine but it should be on "dead trees edition" and enough copies
so you can pass them out and people can make notes on them.
Procedure at the meeting... People who submitted their keys go first.
We will pass out the preprinted sheets and then call people up to
project their IDs. The audience can then take notes on the sheets that
they have confirmed their identification (anyone not showing up
obviously is not confirmed AND SHOULD NOT BE SIGNED). After that,
anyone with keysigning cards or other information to pass out can go
from there. Anyone not prepared, we'll do what we can but you pays your
nickel and you takes your chance.
Procedure after the meeting... I'll update MY keyring with any last
minute additions, clean out the "no shows", and then make an
announcement to the list. You can then download that keyring and sign
those keys which you feel comfortable that you confirmed their identity.
You can then submit them to a public key server or send them back to the
same E-Mail address above and I'll submit them in bulk.
Any questions, please feel free to ping me but please do it early.
We've only got about 3 weeks before this thing.
Side note. I'm looking into also including a CA-Cert web of trust
verification. That's for X.509 certificates from CA-Cert
<http://www.cacert.org>. If you are interested, go up to their site and
see what the deal is there. Being preregistered with them helps. You
can get free X.509 S/MIME certificates and register OpenID with them.
That all depends on me getting some additional CA-Cert "assurers"
involved (there are several in the area). We did this at USENIX Lisa a
couple of years back and it works in really well with a keysigning party.
I'll post more details once I know more, if I can pull that off.
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
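An added example, not from Mike's post or anything the ALE list distributed, in POSIX shell. It shows the two procedures the message describes: creating the "RSA and RSA" (sign + encrypt) key through GnuPG's unattended parameter-file format instead of the interactive menu, and, after the meeting, signing a key from the collected keyring only after the fingerprint you noted next to the projected ID matches what gpg reports. Names, e-mail addresses, key IDs and fingerprints in it are constructed placeholders; the gpg behaviour assumed is that of GnuPG 2.x, which prompts for passphrases through gpg-agent.

```shell
#!/bin/sh
# Keysigning-party helper (added example, not from the post). Run as
#   sh keyparty.sh newkey "Jane Doe" jane@example.org   # create RSA/RSA key
#   sh keyparty.sh sign 0xDEADBEEF "0123 4567 ..."      # verify, sign, export
# Sourcing the file without arguments only defines the functions.

normalize_fp() {
  # Strip spaces, colons and tabs and upper-case, so a fingerprint copied
  # from the printed sheet or a business card compares byte-for-byte with
  # gpg's own output.
  printf '%s' "$1" | tr -d ' :\t' | tr 'abcdef' 'ABCDEF'
}

valid_fp() {
  # A v4 OpenPGP fingerprint is exactly 40 hex digits. An 8- or 16-digit key
  # ID is NOT a fingerprint and must not be used for the comparison.
  fp=$(normalize_fp "$1")
  case "$fp" in
    *[!0-9A-F]*) return 1 ;;
  esac
  [ "${#fp}" -eq 40 ]
}

fingerprint_matches() {
  # $1: fingerprint as written on the sheet, $2: fingerprint gpg reports.
  [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

key_fingerprint() {
  # Primary-key fingerprint for a key ID in the local keyring, read from the
  # machine-readable --with-colons output (field 10 of the first "fpr" line).
  gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

gen_rsa_key() {
  # Unattended creation of an RSA signing key with an RSA encryption subkey,
  # i.e. the "RSA and RSA" option; the parameter names are GnuPG's documented
  # batch-generation format. gpg-agent asks for the passphrase.
  tmp=$(mktemp) || return 1
  cat > "$tmp" <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $1
Name-Email: $2
Expire-Date: 2y
%commit
EOF
  gpg --batch --gen-key "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

verify_and_sign() {
  # $1: key ID from the party keyring, $2: fingerprint you confirmed against
  # the projected photo ID. Signs and exports only when the two agree.
  if ! valid_fp "$2"; then
    echo "refusing $1: '$2' is not a full 40-hex-digit fingerprint" >&2
    return 1
  fi
  actual=$(key_fingerprint "$1")
  if ! fingerprint_matches "$2" "$actual"; then
    echo "MISMATCH for $1: sheet=$(normalize_fp "$2") keyring=$actual" >&2
    return 1
  fi
  gpg --batch --yes --sign-key "$1" \
    && gpg --armor --export "$1" > "signed-$1.asc"
}

case "${1:-}" in
  newkey) gen_rsa_key "$2" "$3" ;;
  sign)   verify_and_sign "$2" "$3" ;;
esac
```

The exported `signed-<keyid>.asc` file is what you would mail back to the collection address or push with `gpg --send-keys`; the point of `valid_fp` is that a short key ID scribbled on a card is not enough evidence to sign on, because only the full fingerprint identifies the key.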