[ale] PGP/GPG Keysigning party! ALE Central November 19th.

Jeremy T. Bouse jeremy.bouse at undergrid.net
Tue Oct 27 21:38:27 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	Sounds great, I would definitely be interested in a key signing as it's
been a while since I've been able to attend any, so my key's position in
the WoT has dropped over the past couple years.

	I would suggest however that everyone please make sure the key they are
wanting signed is in the public key servers. As per my own signing
policy if I can't retrieve a key from a public key server it doesn't get
signed. Then again I have a much more stringent policy on signing keys
than most, including a published key policy which is embedded with my
signature.

Michael H. Warfield wrote:
> Hello all!
> 
> Aaron approached me a couple of days ago about running a PGP/GPG key
> signing party for the November ALE meeting.  Looking back, it looks like
> the last one was 6-1/2 years ago!  Wow, time flies...  Ok...  So be it.
> 
> I will do a VERY BRIEF intro to public key cryptography before the
> meeting but a successful key signing party depends on preparation in
> advance on the part of the participants!  Even well organized keysigning
> parties can degenerate into chaos very easily.  Do not come to the
> meeting looking to learn how to create a new key.  You should have your
> keys ready in advance.  If not, still come, but understand that you'll
> learn something about PGP but you probably won't walk away with keys or
> signatures.
> 
> To make this go smoothly, I will collect keys in advance of the meeting
> and print out sheets with key fingerprints.  That saves an incredible
> amount of time and effort during the actual meeting and gives me an idea
> of how many keys to expect and copies to make.  It also permits me to
> have a collected keyring I can make available to everyone after the
> meeting.  Please expect to provide at least one photo id which will be
> projected on a screen for everyone to see (sensitive numbers will be
> blacked out with tape).  Driver's license or passport are preferred.
> 
> With recent developments in cryptography, some doubt is being cast on
> the DSS/DSA keys.  Debian folks are strongly recommending a return to
> RSA keys and have some "procedures" in place for this.
> 
> http://www.debian-administration.org/users/dkg/weblog/48
> 
> If you are thinking it's time to dump off the old DSS/DSA keys and
> migrate back to an RSA 2048 bit key, now is the time as well.  My older
> RSA 1024 bit key is still active and I have a DSS/DSA key as well but
> these are both being relegated to "legacy" and I now have a 2048/R key
> (0x674627FF).  I'm not invalidating my old keys but I will only now be
> using them for key signing (my 0xDF1DD471 key is in the web of trust
> book and still in the PGP strong set).
> 
> If you're not running the latest GnuPG, which should now be defaulting
> to RSA/RSA keys, it can get a little bit tricky to create a new style
> RSA key.  With older (default DSS/DSA) versions of GnuPG, you should
> create a new key but don't accept the default DSA and select "RSA (sign
> only)" key instead.  Once the key is created, edit that key and add an
> RSA encryption key to it.
> 
> Better yet, update your GnuPG and the default will create the new key
> like you want (RSA and RSA - sign and encrypt).  If you don't have a
> current key and you don't know what any of this is about, that's fine.
> Just create a new RSA key for yourself (if it says RSA and RSA - TAKE
> THAT OPTION).  If you don't see that option available, ask for help or
> update your system first.
> 
> What I need from YOU!  Well in advance of the meeting, please send your
> PGP public keys to alekeyparty at wittsend.com.  If you do not have a PGP
> key and are just looking to get started, the time to start is right now!
> The time is NOT at a key signing party.  This list has some very bright
> folks on it who can help you out if you are having difficulties.  I will
> try to answer questions as best I can, but ask them now.
> 
> Last time, we had a few people who did not submit their keys in advance.
> That's fine as long as it's not excessive or we will be there all night.
> At the very least, if you don't submit your keys in advance, your keys
> must be on the public keyservers and you should come with printouts of
> your key fingerprint.  I have business cards on which I have my key
> fingerprints printed.  Some people use little strips of paper.  All of
> that is fine but it should be on "dead trees edition" and enough copies
> so you can pass them out and people can make notes on them.
> 
> Procedure at the meeting...  People who submitted their keys go first.
> We will pass out the preprinted sheets and then call people up to
> project their IDs.  The audience can then take notes on the sheets that
> they have confirmed their identification (anyone not showing up
> obviously is not confirmed AND SHOULD NOT BE SIGNED).  After that,
> anyone with keysigning cards or other information to pass out can go
> from there.  Anyone not prepared, we'll do what we can but you pays your
> nickel and you takes your chance.
> 
> Procedure after the meeting...  I'll update MY keyring with any last
> minute additions, clean out the "no shows", and then make an
> announcement to the list.  You can then download that keyring and sign
> those keys which you feel comfortable that you confirmed their identity.
> You can then submit them to a public key server or send them back to the
> same E-Mail address above and I'll submit them in bulk.
> 
> Any questions, please feel free to ping me but please do it early.
> We've only got about 3 weeks before this thing.
> 
> Side note.  I'm looking into also including a CA-Cert web of trust
> verification.  That's for X.509 certificates from CA-Cert
> <http://www.cacert.org>.  If you are interested, go up to their site and
> see what the deal is there.  Being preregistered with them helps.  You
> can get free X.509 S/Mime certificates and register OpenID with them.
> That all depends on me getting some additional CA-Cert "assurers"
> involved (there are several in the area).  We did this at USENIX Lisa a
> couple of years back and it works in real well with a keysigning party.
> I'll post more details once I know more, if I can pull that off.
> 
> Regards,
> Mike

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF0EARECAB0FAkrnoI4WGGhrcDovL3N1YmtleXMucGdwLm5ldAAKCRCagQNPdb5V
OdG7AKDSA4jvNtwPRUWZelu3pYx8osckEACgoSfz3Ym2YWaLESq0uf7w+46Y4pE=
=wDsO
-----END PGP SIGNATURE-----
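
An added example, not part of the original post or the quoted announcement: one way to check a collected keyring against the advice in this thread (RSA 2048 rather than DSA or 1024-bit RSA, with an encryption-capable key present) by parsing `gpg --with-colons --fingerprint` output. The sample listing, the function names and the use of 2048 bits as a pass/fail threshold are assumptions of this example.

```python
RSA, DSA = 1, 17  # public-key algorithm IDs from RFC 4880, section 9.1

# Constructed sample listing; key IDs, fingerprints and user IDs are made up.
SAMPLE = """\
pub:-:2048:1:A1A1A1A1A1A1A1A1:1256601600:::-:::scESC:
fpr:::::::::000000000000000000000000A1A1A1A1A1A1A1A1:
uid:-::::1256601600::::Alice Example <alice@example.org>:
sub:-:2048:1:A2A2A2A2A2A2A2A2:1256601600::::::e:
pub:-:1024:17:B1B1B1B1B1B1B1B1:1041379200:::-:::scESC:
fpr:::::::::000000000000000000000000B1B1B1B1B1B1B1B1:
uid:-::::1041379200::::Bob Example <bob@example.org>:
sub:-:2048:16:B2B2B2B2B2B2B2B2:1041379200::::::e:
pub:-:2048:1:C1C1C1C1C1C1C1C1:1256601600:::-:::scSC:
fpr:::::::::000000000000000000000000C1C1C1C1C1C1C1C1:
uid:-::::1256601600::::Carol Example <carol@example.org>:
"""

def parse_keys(listing):
    """Group pub/fpr/uid/sub records into one dict per primary key."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":") + [""] * 12           # pad short records
        if f[0] == "pub":                         # field 3 bits, 4 algo, 12 caps
            keys.append({"bits": int(f[2]), "algo": int(f[3]), "caps": f[11],
                         "fpr": None, "uids": [], "sub_caps": []})
        elif keys and f[0] == "fpr" and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]                # first fpr is the primary's
        elif keys and f[0] == "uid":
            keys[-1]["uids"].append(f[9])
        elif keys and f[0] == "sub" and f[1] not in ("r", "e"):
            keys[-1]["sub_caps"].append(f[11])    # skip revoked/expired subkeys
    return keys

def audit(key, min_rsa_bits=2048):
    """Return findings for one key; the threshold is this example's policy."""
    findings = []
    if key["algo"] == DSA:
        findings.append("DSA primary key")
    elif key["algo"] == RSA and key["bits"] < min_rsa_bits:
        findings.append("RSA primary key under %d bits" % min_rsa_bits)
    # Lowercase 'e' marks a key or subkey that can itself encrypt.
    if "e" not in key["caps"] and not any("e" in c for c in key["sub_caps"]):
        findings.append("no encryption-capable key or subkey")
    return findings

def report(listing):
    """Map each primary key's fingerprint to its list of findings."""
    return {k["fpr"]: audit(k) for k in parse_keys(listing)}

if __name__ == "__main__":
    for fpr, findings in report(SAMPLE).items():
        print(fpr, "; ".join(findings) or "OK")
```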

