[UFO Chicago] TNIUCNAKPAG
Mon, 20 May 2002 20:30:14 -0500
funny you should ask, ian...
that's right folks,
Thursday night is ufo chicago night *and keysigning party* at
yup, my stupid pgp key has 5 dumb signatures on it and i want to
expand my web of trust. am i foolhardy to trust you goons? probably,
but let's do it anyway.
If you guys have a better protocol, do suggest it, but i propose the
following ( stolen from wil andrews's notes for a purdue keysigning )
*** PGP/GPG SIGNING PARTY 23 May, george's diner ***
What everyone needs to do is the following:
1) Generate a GPG key (if you do not have one already). This is
as simple as:
% gpg --gen-key
and following instructions. People will want to pick the
DSA/ElGamal algorithm and as large as keysize as they can
(2048 bit is good). Key expiration is up to you: I suggest
two to five years. The longer the passphrase, the better.
While GPG generates the key, the more random bits it can
obtain from /dev/random, the better. Most Unix operating
systems harvest randomness from i/o devices like NICs, mice,
sound cards, and keyboards.
2) Send your GPG key to pgp.mit.edu like this:
% gpg --keyserver pgp.mit.edu --send-key YOUR_KEY_ID
3) Send me an email (firstname.lastname@example.org) with the following
a. Your name and email address as listed in your key.
b. Your key ID (YOUR_KEY_ID above).
c. Your key size and algorithm.
d. Your key fingerprint.
This can be done easily by running:
gpg --fingerprint YOUR_KEY_ID | mail email@example.com
(also note that gpg accepts any part of your email address or
name info in your key as a YOUR_KEY_ID)
4) The key signing party will be at george's
I will ask people to pick up a sheet of paper (or two) that
lists everyone's data as above, plus a space to checkmark
that they've identified correctly the information you have.
Everyone needs to bring with yourself to the installfest a
piece of scrap paper with your key information on it (in
case I somehow mess it up or someone else does or something)
as well as valid ID. Valid ID (by my definition at least,
others may accept other types of ID) means driver's license
or passport from your country of origin. Please note:
student id cards aren't good enough. :-)
Please note: Do *NOT* bring a computer with your gpg key on
it! You will use the sheet of paper(s) that I give you to
verify others' identities and match their GPG keys.
You MUST bring along your id AND your key id and fingerprint
on a piece of paper.
This allows for the out of band verification that the gpg
data that you gave to me via insecure email made it
successfully onto the sheet of paper correctly.
So, I suggest that you also do something like:
gpg --fingerprint YOUR_KEY_ID | lpr
Or manually write it down.
5) When you get home, sign everyone's keys like so:
% gpg --keyserver pgp.mit.edu --recv-keys KEY_ID
% gpg --sign-key KEY_ID
% gpg --keyserver pgp.mit.edu --send-key KEY_ID
Perform this for each key that you verified at the
Details on how this works can be found at:
Rob Latham Woodridge, IL USA
EAE8 DE90 85BB 526F 3181 1FCF 51C4 B6CB 08CC 0897