KeySigningParty

Revision 6 as of 2007-02-12 20:29:15 (editor bi-02pt1, size 7075), superseding revision 5 as of 2007-02-08 23:47:06 (editor bi-02pt1, size 2437).

GPG Key Signing Party

Meet Ubuntu people face-to-face. Taunt each other over their passport/driver's license photos. Add yourself to the Web of Trust or increase your ranking in it.

Q. Why would I want to participate? A. It is your opportunity to join and strengthen the trust networks that our community uses to establish identity.

From: http://en.wikipedia.org/wiki/Web_of_trust

  • In cryptography, a web of trust is a concept used in PGP, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and a user. It is, in some respects, an alternative to centralized public key infrastructure (PKI) relying exclusively on a certificate authority (or a hierarchy of such). As with computer networks, there are many independent webs of trust, and any user (through their identity certificate) can be a part of, and a link between, multiple webs.

The web of trust concept was put forth by PGP creator Phil Zimmermann in the manual for PGP version 2.0:

  • As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys.

Background Information

Please see http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html for background information. Also http://en.wikipedia.org/wiki/Key_signing_party and http://www.keysigning.org/methods/adhoc

Before you come to the UbuCon key signing party

  • Mandatory: Create a GPG keypair for yourself if you haven't already ('gpg --gen-key' and answer the prompts)

  • Mandatory: Print or write down your key fingerprint and bring it with you. You'll have to confirm at the signing that the list is correct for your key.

  • Mandatory: Send your key before the event to the pgp.mit.edu keyserver.

  • Mandatory: eMail your key fingerprint to [email protected]

  • Mandatory: Bring a government-issued picture ID of yourself

Get your KEYID from your keyring: it is the part following '1024D/' on the 'sec' line printed by

gpg --list-secret-keys | grep sec

As an example this may look like 82A0BC01; yours will be different. Newer GnuPG releases label keys differently (e.g. 'rsa4096') and print the full 40-hex-digit fingerprint on the following line. A short 8-digit key ID is only 32 bits and is not unique, so the fingerprint is the safer identifier; it can be used anywhere KEYID appears below.

  • Send your key to the keyserver with:

gpg --keyserver pgp.mit.edu --send-keys KEYID

  • Email your key fingerprint to the organiser. If your system has a working 'mail' command, the first address below is the UID on your key and the last is the organiser's:

gpg --fingerprint '[email protected]' | mail -s "[email protected] key" [email protected]

Otherwise run

gpg --fingerprint [email protected]

and cut/paste the output into an email to [email protected] with the subject "[email protected] key".
  • Print out this [list] of everyone's key fingerprint and bring it with you. Make sure your key is on it!

At the Keysigning

  1. Each participant should meet up face to face with every other participant to receive their key fingerprint and examine their ID, and to give them your key fingerprint and have them examine your ID. The keysigning organiser will provide direction about exactly how this is to happen. With large groups it can become very chaotic, as the number of pairs grows quadratically with the number of participants (n participants make n(n-1)/2 pairs). To keep things orderly the organiser will probably have everyone stand in a long line and then have the line fold back on itself, allowing every person to pass by every other person in turn.
  2. As you meet up with each person they will give you a printout of their key fingerprint and show you their ID. Examine their ID, and if you are convinced that the person standing in front of you is actually who they say they are then write 'ID OK' on their key fingerprint and initial it to prevent tampering. You then keep their key fingerprint in a safe place for later reference after the event has finished.

After the Keysigning

Following the keysigning, you'll need to actually sign people's keys. The easiest way to do this is to use caff, which is conveniently packaged in the Ubuntu signing-party package. caff lets you sign a number of keys at once, and then emails each recipient their signed key, encrypted to that key (it actually sends one email per UID on the target key, so someone with 10 UIDs will get 10 emails from caff, but that's OK: each one is a check that they control that email address too). Only the holder of the private key, with its pass phrase, can decrypt the signed key; they then import it into their gpg keyring and upload it to the keyserver pgp.mit.edu.

  1. Participants retrieve the public keys of all keysigning participants by fetching individual keys from public keyservers.
  2. Participants work through their collection of signed fingerprint slips, checking the fingerprint of each key against the fingerprint on the slip and signing keys that match and are ticked for valid ID.
  3. Participants either upload each public key they sign to a public keyserver, or email it directly to the key owner. Some key owners prefer not to have keys sent to public keyservers so in general it is courteous to email the key directly to the owner.
  4. Signatures sent to each participant by other participants are imported into their local keyring.
    1. Find the key ID on the fingerprint slip. The slip will have an 8-character ID listed after the key size. Typically it looks like this: '1024D/64011A8B'. The actual ID portion is the '64011A8B'. You'll notice this is also the last 8 characters of the fingerprint itself (the last 16 are the long key ID). This short ID is only 32 bits and is not unique, so treat it purely as a handle for fetching: the full fingerprint comparison in step 3 is the check that actually matters.
    2. Fetch the public key using the key ID. If you're running GnuPG on the command line, you can do this by typing 'gpg --recv-keys KeyID' (where KeyID is the ID of the key you want). Passing the full 40-hex-digit fingerprint instead of the short ID avoids fetching an unrelated key that happens to share the short ID.
    3. Check that the fingerprint of the key you've just fetched matches the fingerprint on the slip of paper, character for character: run 'gpg --fingerprint KeyID' and compare it with the hard copy in front of you.
    4. If (and only if) you are happy that the fingerprints match and the person showed you sufficient ID, you can do the actual 'signing' part of the process: type 'gpg --sign-key KeyID' and answer the questions it asks. This adds your certification to their key in your local keyring; nothing leaves your machine until you export it in the next step.
    5. Next you need to send the signed copy of their key back to them. There are two basic ways to do this: to email the key directly to them, or to upload it to a public keyserver. Many people prefer to receive their keys back by email so it's courteous to do this unless they've said they don't mind the key being uploaded to a public server. On a typical Linux system you can export the key and send it back to the user by typing: 'gpg --export -a KeyID | mail -s "Your signed key" [email protected]', where '[email protected]' is their email address. Note that this sends the signed key in the clear; unlike caff it does not check that they can actually read mail at the address in the UID.
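The five steps above, as an added shell example that is not part of the original page and not the signing-party package's own code: it reads the fingerprint slips you kept, fetches each key by its full fingerprint, re-derives the fingerprint from your own keyring, and signs only on an exact match. The slip file format (tab-separated fingerprint, email and an 'ID OK' status), the SLIPS_FILE and KEYSERVER variables, and the function names are assumptions made for this example; the fingerprints in the comments are constructed values, not real keys. It goes one step beyond the text by refusing outright when only the 8-digit short key ID agrees, which is exactly the case a fingerprint comparison exists to catch.

```shell
#!/bin/sh
# Added example, not code from the original wiki page or from the Ubuntu
# signing-party package: a POSIX sh helper for the "after the keysigning"
# steps.  It fetches each key by its full fingerprint, re-derives the
# fingerprint from the local keyring, and only signs when the two agree byte
# for byte.  Slip file format (an assumption for this example), one slip per
# line, tab-separated:   <fingerprint as written>TAB<email>TAB<ID OK | other>

# Normalise a fingerprint as written on a slip or printed by gpg --fingerprint:
# drop whitespace, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# For a v4 OpenPGP key the 8-hex short key ID and 16-hex long key ID are the
# tail of the 40-hex fingerprint; the short form is only 32 bits and not unique.
short_keyid() { norm_fpr "$1" | tail -c 8; }
long_keyid()  { norm_fpr "$1" | tail -c 16; }

# Pull the primary-key fingerprint out of `gpg --with-colons --fingerprint`
# output: field 10 of the first fpr record after a pub record.  Later fpr
# records belong to subkeys and must not be compared against the slip.
primary_fpr_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want == 1 { print $10; exit }'
}

# Compare the slip with the keyring.  Prints exactly one word:
#   MATCH         full 40-hex fingerprints identical: safe to sign
#   SHORTID_ONLY  only the 8-hex short ID agrees, i.e. a different key that
#                 collides with the expected short ID: never sign
#   MISMATCH      anything else (including "key not found", an empty string)
verdict() {
    v_slip=$(norm_fpr "$1")
    v_have=$(norm_fpr "$2")
    if [ "${#v_slip}" -eq 40 ] && [ "$v_slip" = "$v_have" ]; then
        echo MATCH
    elif [ "${#v_slip}" -eq 40 ] && [ "$(short_keyid "$v_slip")" = "$(short_keyid "$v_have")" ]; then
        echo SHORTID_ONLY
    else
        echo MISMATCH
    fi
}

# Walk a slip file.  The file is read on fd 3 so that gpg's interactive
# --sign-key prompts keep stdin for themselves instead of eating the slips.
process_slips() {
    tab=$(printf '\t')
    while IFS="$tab" read -r slip_fpr email status <&3; do
        if [ "$status" != "ID OK" ]; then
            echo "skip   $email: slip not marked ID OK"
            continue
        fi
        fpr=$(norm_fpr "$slip_fpr")
        # Fetch by full fingerprint, never by the 8-digit short ID.
        if ! gpg --keyserver "${KEYSERVER:-pgp.mit.edu}" --recv-keys "$fpr" >/dev/null 2>&1; then
            echo "skip   $email: keyserver fetch failed"
            continue
        fi
        have=$(gpg --with-colons --fingerprint "$fpr" 2>/dev/null | primary_fpr_from_colons)
        case "$(verdict "$fpr" "$have")" in
            MATCH)
                gpg --sign-key "$fpr" && echo "signed $email ($fpr)" ;;
            SHORTID_ONLY)
                echo "REFUSE $email: keyring holds $have, same short ID as slip $fpr" ;;
            *)
                echo "REFUSE $email: keyring holds '$have', slip says $fpr" ;;
        esac
    done 3< "$1"
}

# Only run when a slip file is named, e.g.  SLIPS_FILE=slips.tsv sh sign-slips.sh
# so the helpers above can also be sourced and exercised without a keyserver.
if [ -n "${SLIPS_FILE:-}" ]; then
    process_slips "$SLIPS_FILE"
fi
```

Signing is left interactive on purpose: 'gpg --sign-key' still asks you to confirm, and the script never answers for you. Sending the signed keys back (by caff or by 'gpg --export -a') is a separate step, as in the list above.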


CategoryUbuntuConferences