[ale] PGP/GPG Keysigning party! ALE Central November 19th.
Jeremy T. Bouse
jeremy.bouse at undergrid.net
Tue Oct 27 21:38:27 EDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sounds great. I would definitely be interested in a key signing, as it's
been a while since I've been able to attend any, so my key's position in
the WoT has dropped over the past couple of years.

I would suggest, however, that everyone please make sure the key they are
wanting signed is in the public key servers. As per my own signing
policy, if I can't retrieve a key from a public key server it doesn't get
signed. Then again, I have a lot more stringent policy on signing keys
than most, including a published key policy which is embedded with my
signature.

Michael H. Warfield wrote:
> Hello all!
>
> Aaron approached me a couple of days ago about running a PGP/GPG key
> signing party for the November ALE meeting. Looking back, it looks like
> the last one was 6-1/2 years ago! Wow, time flies... Ok... So be it.
>
> I will do a VERY BRIEF intro to public key cryptography before the
> meeting but a successful key signing party depends on preparation in
> advance on the part of the participants! Even well organized keysigning
> parties can degenerate into chaos very easily. Do not come to the
> meeting looking to learn how to create a new key. You should have your
> keys ready in advance. If not, still come, but understand that you'll
> learn something about PGP but you probably won't walk away with keys or
> signatures.
>
> To make this go smoothly, I will collect keys in advance of the meeting
> and print out sheets with key fingerprints. That saves an incredible
> amount of time and effort during the actual meeting and gives me an idea
> of how many keys to expect and copies to make. It also permits me to
> have a collected keyring I can make available to everyone after the
> meeting. Please expect to provide at least one photo ID which will be
> projected on a screen for everyone to see (sensitive numbers will be
> blacked out with tape). Driver's license or passport are preferred.
>
> With recent developments in cryptography, some doubt is being cast on
> the DSS/DSA keys. Debian folks are strongly recommending a return to
> RSA keys and have some "procedures" in place for this.
>
> http://www.debian-administration.org/users/dkg/weblog/48
>
> If you are thinking it's time to dump off the old DSS/DSA keys and
> migrate back to an RSA 2048 bit key, now is the time as well. My older
> RSA 1024 bit key is still active and I have a DSS/DSA key as well but
> these are both being relegated to "legacy" and I now have a 2048/R key
> (0x674627FF). I'm not invalidating my old keys but I will only now be
> using them for key signing (my 0xDF1DD471 key is in the web of trust
> book and still in the PGP strong set).
>
> If you're not running the latest GnuPG, which should now be defaulting
> to RSA/RSA keys, it can get a little bit tricky to create a new style
> RSA key. With older (default DSS/DSA) versions of GnuPG, you should
> create a new key but don't accept the default DSA and select "RSA (sign
> only)" key instead. Once the key is created, edit that key and add an
> RSA encryption key to it.
>
> Better yet, update your GnuPG and the default will create the new key
> like you want (RSA and RSA - sign and encrypt). If you don't have a
> current key and you don't know what any of this is about, that's fine.
> Just create a new RSA key for yourself (if it says RSA and RSA - TAKE
> THAT OPTION). If you don't see that option available, ask for help or
> update your system first.
>
> What I need from YOU! Well in advance of the meeting, please send your
> PGP public keys to alekeyparty at wittsend.com. If you do not have a PGP
> key and are just looking to get started, the time to start is right now!
> The time is NOT at a key signing party. This list has some very bright
> folks on it who can help you out if you are having difficulties. I will
> try to answer questions as best I can, but ask them now.
>
> Last time, we had a few people who did not submit their keys in advance.
> That's fine as long as it's not excessive or we will be there all night.
> At the very least, if you don't submit your keys in advance, your keys
> must be on the public keyservers and you should come with printouts of
> your key fingerprint. I have business cards on which I have my key
> fingerprints printed. Some people use little strips of paper. All of
> that is fine but it should be on "dead trees edition" and enough copies
> so you can pass them out and people can make notes on them.
>
> Procedure at the meeting... People who submitted their keys go first.
> We will pass out the preprinted sheets and then call people up to
> project their IDs. The audience can then take notes on the sheets that
> they have confirmed their identification (anyone not showing up
> obviously is not confirmed AND SHOULD NOT BE SIGNED). After that,
> anyone with keysigning cards or other information to pass out can go
> from there. Anyone not prepared, we'll do what we can but you pays your
> nickel and you takes your chance.
>
> Procedure after the meeting... I'll update MY keyring with any last
> minute additions, clean out the "no shows", and then make an
> announcement to the list. You can then download that keyring and sign
> those keys which you feel comfortable that you confirmed their identity.
> You can then submit them to a public key server or send them back to the
> same E-Mail address above and I'll submit them in bulk.
>
> Any questions, please feel free to ping me but please do it early.
> We've only got about 3 weeks before this thing.
>
> Side note. I'm looking into also including a CA-Cert web of trust
> verification. That's for X.509 certificates from CA-Cert
> <http://www.cacert.org>. If you are interested, go up to their site and
> see what the deal is there. Being preregistered with them helps. You
> can get free X.509 S/Mime certificates and register OpenID with
> them. That all depends on me getting some additional CA-Cert "assurers"
> involved (there are several in the area). We did this at USENIX Lisa a
> couple of years back and it works in real well with a keysigning party.
> I'll post more details once I know more, if I can pull that off.
>
> Regards,
> Mike
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iF0EARECAB0FAkrnoI4WGGhrcDovL3N1YmtleXMucGdwLm5ldAAKCRCagQNPdb5V
OdG7AKDSA4jvNtwPRUWZelu3pYx8osckEACgoSfz3Ym2YWaLESq0uf7w+46Y4pE=
=wDsO
-----END PGP SIGNATURE-----
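
An added example, not part of either message above: one way to carry out the post-meeting step of signing only the keys whose owners you confirmed, by matching the fingerprints ticked on the paper sheet against the downloaded keyring and noting DSA or sub-2048-bit RSA keys as legacy. The function names, the keyring listing and the fingerprints are constructed for illustration.

```python
import re

ALGORITHMS = {"1": "RSA", "16": "Elgamal", "17": "DSA"}  # OpenPGP algorithm IDs
# Constructed sample of `gpg --with-colons --fingerprint` output (not real keys).
SAMPLE_LISTING = """\
pub:-:2048:1:1111222233334444:1256601600:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
sub:-:2048:1:5555666677778888:1256601600::::::e:
fpr:::::::::0123012301230123012301235555666677778888:
pub:-:1024:17:BBBB0000BBBB0001:1040000000:::-:::scESC:
fpr:::::::::BBBB0000BBBB0000BBBB0000BBBB0000BBBB0001:
pub:-:2048:1:CCCC0000CCCC0002:1256601600:::-:::scESC:
fpr:::::::::CCCC0000CCCC0000CCCC0000CCCC0000CCCC0002:
"""
# Constructed: fingerprints ticked on the paper sheet after seeing the owner's ID.
CONFIRMED_ON_PAPER = ["AAAA BBBB CCCC DDDD EEEE  FFFF 1111 2222 3333 4444",
                      "bbbb0000bbbb0000bbbb0000bbbb0000bbbb0001"]

def normalize(fingerprint):
    """Drop spacing and case so a hand-copied fingerprint compares exactly."""
    return re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()

def parse_primary_keys(listing):
    """Return algorithm, size and fingerprint of each primary key in the listing."""
    keys, current = [], None
    for line in listing.splitlines():
        field = line.split(":")
        if field[0] == "pub":
            current = {"algo": ALGORITHMS.get(field[3], field[3]),
                       "bits": int(field[2]), "fpr": None}
            keys.append(current)
        elif field[0] == "sub":
            current = None  # fpr records that follow belong to the subkey
        elif field[0] == "fpr" and current is not None and current["fpr"] is None:
            current["fpr"] = normalize(field[9])
    return keys

def signing_decisions(listing, confirmed_on_paper):
    """Map each primary-key fingerprint to (sign, note)."""
    confirmed = {normalize(f) for f in confirmed_on_paper}
    decisions = {}
    for key in parse_primary_keys(listing):
        if key["fpr"] not in confirmed:
            decisions[key["fpr"]] = (False, "not confirmed in person")
        elif key["algo"] != "RSA" or key["bits"] < 2048:
            decisions[key["fpr"]] = (True, "legacy %s-%d key" % (key["algo"], key["bits"]))
        else:
            decisions[key["fpr"]] = (True, "ok")
    return decisions
```

To use it on a real keyring, pass the text printed by `gpg --with-colons --fingerprint` as `listing` and the fingerprints you marked at the meeting as `confirmed_on_paper`.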