
Re: [SLUG] Meeting: Friday, 27th July, 2001

On Mon Jul 23, 2001 at 23:37:46 +1000, Jeff Waugh wrote:
>Keysigning Party
>   We'll be following a keysigning guide written by some of the
>   PGP Users mailing list subscribers - Jamie and Craige will be
>   following up with further notes and instructions before Friday.

They sure will!

    * What exactly is a key signing party?

    A key signing party is a get-together of people who use the PGP
    encryption system with the purpose of allowing those people to 
    sign each others keys.  Key signing parties serve to extend the 
    web of trust to a great degree.

We're going to more-or-less follow the method described at

Ideally, everyone will have a GPG/PGP key they'd like to get the rest of
SLUG to sign, but we know this is not the case.  So to avoid having bored
SLUGgers sitting around waiting for dinner, we're going to show you how to

Stage One. 

You will need to create for yourself a public and private key pair.
The GNU Privacy Handbook is very comprehensive on this, if you go to 
http://www.gnupg.org/gph/en/manual.html#INTRO you can follow the
instructions there; for the RTFM-challenged, here's a quick
take-my-word-for-it-it-works guide for the rank newbie:

- Install gpg. "apt-get install gpg" for the fortunate.
- Run: gpg --gen-key ; gpg --gen-key
- Select Option 1,
- Then take the default (1024) unless you want higher
- Select expiry (0 is the most common), then confirm
- Type in your real name (check driver's license if unsure)
- A valid email address
- You can leave the comment field blank, if you wish
- Make any corrections or press O to confirm
- Enter a passphrase, re-enter passphrase
- GPG will now generate random numbers, follow its suggestions
  (doing "find /" a few times on the CLI will help this along)

  You should see at the end a nice message like:

  public and secret key created and signed.

During the generation stage, it can be ideal to open a few spare xterms (or
new vts) and update your locate database, run 'cat' and type gibberish for a
bit, move the mouse, or anything that may add entropy to /dev/random.  The
Linux kernel uses things like load, disk activity, and interrupts to make
the random device behave more like it is truly random -- this is a Good
Thing for cryptography.

I would also suggest generating a revocation certificate for your new key,
the instructions for doing so are at

Upload your key to the keyserver network so that everyone can use it by
running the command
gpg --keyserver wwwkeys.eu.pgp.net --send-key your@email.address

Stage Two.

So now you have a key generated, what do you do?

The next step is telling me some details about your key, so that I can
compile a list of everyone's details for the meeting.

Visit http://spacepants.org/slug/keysign.html and enter all your details
into the textboxes.  To find out all of the details, run the following

willow% gpg --fingerprint your@email.address
pub  1024D/2CFD1C38 2001-05-29 Jamie Wilkinson (Head Network Plumber and 
                               Cat Wrangler) <jaq@xxxxxxxxxxxxxxx>
     Key fingerprint = F229 6392 EC63 C9A7 F5B0  E809 E6EF 6837 2CFD 1C38
uid                            Jamie Wilkinson (Jaq) <jaq@xxxxxxxxxxxxxx>
sub  1024g/036F969C 2001-05-29

This tells me that my Key Size is 1024, the Key ID is 0x2CFD1C38, and the
fingerprint is F229 6392 EC63 C9A7 F5B0  E809 E6EF 6837 2CFD 1C38.  Enter
these along with your name and email address into the form.  Unless I am
mistaken, the 'D' after the 1024 means DSS, the 'g' in the 'sub' line means
Elgamal -- both forms of encryption.  If you have an RSA key, you probably
know about it already, so change the key type in the form, otherwise leave
it as DH/DSS.

Then run 'gpg --export -a your@email.address', and what is known as the 
ASCII-armoured version of your public key is dumped to the console.  Clag,
er, paste this into the large textbox at the bottom of the form.

Once all the fields are filled, double-check them and click Send.

Stage Three.

Show up to the SLUG Meeting this Friday, and learn all about security
courtesy of Rebecca.  Make sure you bring:

 * Yourself
 * A copy of your Key ID, Key Size, Fingerprint and Key Type.  Only bring
   the one copy (you will see why in a moment).
 * Some positive photo ID.  A passport, driver's license, 18+ card, etc,
   with the same name as your key on it will suffice.
 * A writing implement of some description.

The actual party will run as follows:

- Everyone participating will receive a listing containing everyone's key
  details (see, this is why we got you to fill in the form above).  There
  will be columns for Key ID, Key Owner, Fingerprint, Size and Type, and 2
  extra columns -- Key Info OK and ID Check OK.

- Each participant should check that their details are correct, to make sure
  that I haven't a) made an error or b) tried to sabotage your keys.

- Each participant will then be called on in turn to read out their own copy
  of their name, Key ID, Fingerprint, Size and Type -- FROM THE COPY THAT
  YOU BROUGHT TO THE MEETING.  If the details read out and the details on
  the page match, then everyone else may tick the Key Info OK box on the
  details sheet.

- Once everyone has read out their key, we can begin the ID Check stage.  
  We will form a queue down the aisle and out the door if necessary.  The
  person at the top of the queue walks down the line and shows each person
  their ID.  If you are happy with their ID, then you put a tick in the ID
  Check OK field for that person.  That person joins the end of the queue,
  and the next person can get their ID checked.

- Once a key has got a tick in both the Key Info OK and the ID Check OK
  fields, it can be signed.  Put your details sheet away safely, and make
  your way to dinner.

Stage Four.

Ok, so you've got home, you're a bit tipsy, and your belly is full of boiled
television entrails, what do you do?  Probably go to sleep.

In the morning, (or afternoon, depending on how late you got home, Jeff)
load up http://people.debian.org/~ljlane/?keysign in your favourite browser.
You will now go through the list of keys and sign all the ones that you
ticked both columns for.

For each key you ticked twice, run the command
    gpg --keyserver wwwkeys.eu.pgp.net --recv-keys KeyID
I think you all can work out what KeyID is.  This will get the key of the
person you are about to sign from the keyserver, which everyone will have
uploaded earlier :)

Next, check the fingerprint of the key you're about to sign.
    gpg --fingerprint username
    gpg --fingerprint KeyID
If the fingerprint shown doesn't match the one you've got on your details
sheet, then don't sign it -- but if it does, then you can run
    gpg --sign-key KeyID
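As an added example (not part of the original post), here is the check-then-sign step above as a small sh script: it reads the fingerprint out of gpg's machine-readable colon output (the same fingerprint the Stage Two `--fingerprint` listing shows), compares it with the one on your details sheet, and only signs on an exact match. The details-sheet format, the `verify_and_sign` helper and the sample colon output below are assumptions; the sample is constructed and modelled on the key in the post.

```shell
#!/bin/sh
# Normalise a fingerprint as written on the sheet: drop spaces, upper-case.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Read `gpg --with-colons --fingerprint` output on stdin and print the
# fingerprint (field 10 of the "fpr" record) of the primary key whose
# long key ID (field 5 of "pub") ends in the 8-hex-digit KeyID in $1.
# Subkey fingerprints are deliberately ignored.
fpr_from_colons() {
  awk -F: -v id="$(norm_fpr "$1")" '
    $1 == "pub" { want = (substr($5, length($5) - 7) == id); next }
    $1 == "sub" { want = 0; next }
    $1 == "fpr" && want { print $10; exit }'
}

# check_key KEYID SHEET_FINGERPRINT  (stdin = gpg colon output)
# Exit status 0 only if the fingerprint in the keyring matches the sheet.
check_key() {
  local_fpr=$(fpr_from_colons "$1")
  [ -n "$local_fpr" ] && [ "$local_fpr" = "$(norm_fpr "$2")" ]
}

# The Stage Four flow with the fingerprint check gating the signature.
# Assumed helper; needs gpg and network access, so not exercised below.
verify_and_sign() {
  gpg --keyserver wwwkeys.eu.pgp.net --recv-keys "$1" || return 1
  if gpg --with-colons --fingerprint "$1" | check_key "$1" "$2"; then
    gpg --sign-key "$1"
  else
    echo "fingerprint mismatch for $1: NOT signing" >&2
    return 1
  fi
}

# Constructed sample colon output (primary key plus one subkey with its own
# fpr record, to show that only the primary fingerprint is compared).
SAMPLE='pub:-:1024:17:E6EF68372CFD1C38:2001-05-29::::Jamie Wilkinson <jaq@example.invalid>::scESC:
fpr:::::::::F2296392EC63C9A7F5B0E809E6EF68372CFD1C38:
sub:-:1024:16:89ABCDEF036F969C:2001-05-29::::::e:
fpr:::::::::0000111122223333444455556666777788889999:'

SHEET_FPR='F229 6392 EC63 C9A7 F5B0  E809 E6EF 6837 2CFD 1C38'
if printf '%s\n' "$SAMPLE" | check_key 2CFD1C38 "$SHEET_FPR"; then
  echo "2CFD1C38: fingerprint matches the sheet, safe to sign"
else
  echo "2CFD1C38: fingerprint mismatch, do not sign"
fi
```

In real use you would call `verify_and_sign KeyID "fingerprint from sheet"` once per key you ticked twice; a mismatch leaves the key unsigned and prints why.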

Once you've downloaded, checked, and signed everyone on the list, you can
either upload the new signed key back to the keyserver, or send the signed
key back to the owner:

gpg --export --armor KeyID > user.asc
mutt -a user.asc -s "your signed key" user@host.domain

Uploading all the keys at once to the keyserver:
gpg --list-keys --with-colons | grep ^pub | cut -d: -f5 | \
xargs gpg --keyserver wwwkeys.eu.pgp.net --send-keys

If you are mailed your key, save the attachment, and run the following:
gpg --import filename_saved_as.asc
and GPG will import the signature into your public key.

And that's about it!

So, in summary:
1. Generate A Key Pair
2. Send Public Key To Designated Keyserver (or Coordinator)
3. Send Public Key Info To Coordinator
4. Show Up At The Party
5. Verify Your Info At The Party
6. Verify Everyone Else's Info + ID At The Party
7. Sign All The Verified Keys
8. Send The Signed Keys Back Up To The Designated
   Keyserver (or the key owner)

And don't forget to bring ID and your Key Info to the meeting.

For reference:

The GNU Privacy Handbook

Keysigning Parties

The GPG Key Signing Party HOWTO

How not to look lost at a key-signing

gpg, after the party

SLUG Keysigning Party

>See you there!

I hope so!

jaq@xxxxxxxxxxxxxx                        http://spacepants.org/jaq.gpg
<Balial> This port may thing it's fortified, butt I seem to be mounting
a pretty good assault
