Rob Latham rob@terizla.org
Mon, 20 May 2002 20:30:14 -0500

funny you should ask, ian...

that's right folks, 
Thursday night is ufo chicago night *and keysigning party* at

yup, my stupid pgp key has 5 dumb signatures on it and i want to
expand my web of trust.  am i foolhardy to trust you goons?  probably,
but let's do it anyway.

If you guys have a better protocol, do suggest it, but i propose the
following ( stolen from wil andrews's notes for a purdue keysigning )

 *** PGP/GPG SIGNING PARTY 23 May, george's diner  ***

  What everyone needs to do is the following:

       1) Generate a GPG key (if you do not have one already).  This is
          as simple as:

               % gpg --gen-key

          and following instructions.  People will want to pick the
          DSA/ElGamal algorithm and as large a keysize as they can
          (2048 bit is good).  Key expiration is up to you: I suggest
          two to five years.  The longer the passphrase, the better.
          While GPG generates the key, the more random bits it can
          obtain from /dev/random, the better.  Most Unix operating
          systems harvest randomness from i/o devices like NICs, mice,
          sound cards, and keyboards.

       2) Send your GPG key to pgp.mit.edu like this:

               % gpg --keyserver pgp.mit.edu --send-key YOUR_KEY_ID

       3) Send me an email (rob@terizla.org) with the following:
               a.  Your name and email address as listed in your key.
               b.  Your key ID (YOUR_KEY_ID above).
               c.  Your key size and algorithm.
               d.  Your key fingerprint.

          This can be done easily by running:

               % gpg --fingerprint YOUR_KEY_ID | mail rob@terizla.org

          (also note that gpg accepts any part of your email address or
          name info in your key as a YOUR_KEY_ID)

       4) The key signing party will be at george's
          I will ask people to pick up a sheet of paper (or two) that
          lists everyone's data as above, plus a space to checkmark
          that they have correctly verified the information you have.
          Everyone needs to bring with you to the installfest a
          piece of scrap paper with your key information on it (in
          case I somehow mess it up or someone else does or something)
          as well as valid ID.  Valid ID (by my definition at least,
          others may accept other types of ID) means driver's license
          or passport from your country of origin.  Please note:
          student ID cards aren't good enough.  :-)

          Please note: Do *NOT* bring a computer with your gpg key on
          it!  You will use the sheet of paper(s) that I give you to
          verify others' identities and match their GPG keys.

          You MUST bring along your ID AND your key ID and fingerprint
          on a piece of paper.

          This allows for the out-of-band verification that the gpg
          data you gave to me via insecure email made it onto the
          sheet of paper correctly.
          So, I suggest that you also do something like:

               % gpg --fingerprint YOUR_KEY_ID | lpr

          Or manually write it down.

       5) When you get home, sign everyone's keys like so:

               % gpg --keyserver pgp.mit.edu --recv-keys KEY_ID
               % gpg --sign-key KEY_ID
               % gpg --keyserver pgp.mit.edu --send-key KEY_ID

          Perform this for each key that you verified at the
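The step 5 commands above sign whatever the keyserver hands back, so the
check against the fingerprint you ticked off on paper has to happen in
between.  The following is an added example (not part of the original
post): a small shell wrapper that fetches the key, compares its
fingerprint to the one transcribed from the party sheet, and only then
signs and uploads.  The keyserver name and the sample fingerprints in
the comments are assumptions; gpg's --with-colons "fpr" record is real.

```shell
#!/bin/sh
# Added example: verify a fetched key against the paper fingerprint
# before signing it.  KEYSERVER defaults to the one used in the post.
KEYSERVER="${KEYSERVER:-pgp.mit.edu}"

# Strip spaces/newlines and unify case so a hand-copied fingerprint
# compares cleanly with gpg's machine-readable output.
fp_normalize() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Succeed only if both values are the same 40-hex-digit (v4) fingerprint.
fp_match() {
    a=$(fp_normalize "$1"); b=$(fp_normalize "$2")
    [ -n "$a" ] && [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Fingerprint of a key already in the local keyring, taken from field 10
# of the first "fpr" record in gpg's colon-delimited output.
fp_from_keyring() {
    gpg --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '/^fpr:/ { print $10; exit }'
}

# Step 5 with the out-of-band check made explicit: fetch, compare the
# keyserver copy to the paper fingerprint, then sign and push.  Returns 2
# (and signs nothing) if the fingerprints disagree.
verify_and_sign() {
    key_id="$1"; paper_fp="$2"
    gpg --keyserver "$KEYSERVER" --recv-keys "$key_id" || return 1
    fetched_fp=$(fp_from_keyring "$key_id")
    if ! fp_match "$paper_fp" "$fetched_fp"; then
        echo "REFUSING to sign $key_id: keyserver fingerprint" \
             "($fetched_fp) does not match paper ($paper_fp)" >&2
        return 2
    fi
    gpg --sign-key "$key_id" \
        && gpg --keyserver "$KEYSERVER" --send-key "$key_id"
}
```

Run it once per verified key, e.g. `verify_and_sign KEY_ID "fingerprint as written on the sheet"`.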

 Details on how this works can be found at:


Rob Latham                                        Woodridge, IL USA
EAE8 DE90 85BB 526F 3181                   1FCF 51C4 B6CB 08CC 0897