KeySigningParty2013: Difference between revisions

From QEMU
No edit summary
Line 13: Line 13:
=== Required Items ===
=== Required Items ===


  * Physical attendance
* Physical attendance
  * Positive picture ID
* Positive picture ID
  * Your Key ID, Key type, HEX fingerprint, and Key size
* Your Key ID, Key type, HEX fingerprint, and Key size
  * A pen/pencil or whatever you'd like to write with....
* A pen/pencil or whatever you'd like to write with....
  * NO computer  
* NO computer  


=== Required Process ===
=== Required Process ===


  * Generate a key/Remember your pass phrase
* Generate a key/Remember your pass phrase
  * All attendees send their public keys to a public keyserver. For this party, we'll use keyserver.cryptnet.net. If for some reason you don't want your key to be in a public keyserver, but still want to participate, please let me know.
* All attendees send their public keys to a public keyserver. For this party, we'll use keyserver.cryptnet.net. If for some reason you don't want your key to be in a public keyserver, but still want to participate, please let me know.
  * All attendees send their key ID, key type, fingerprint, and key size to the host, [mailto:anthony@codemonkey.ws|anthony@codemonkey.ws], who will compile everyone's key information.
* All attendees send their key ID, key type, fingerprint, and key size to the host, [mailto:anthony@codemonkey.ws|anthony@codemonkey.ws], who will compile everyone's key information.
  * The host prints a list with everyone's key ID, key type, fingerprint, and key size from the compiled keyrings and distributes copies of the printout at the meeting.
* The host prints a list with everyone's key ID, key type, fingerprint, and key size from the compiled keyrings and distributes copies of the printout at the meeting.
  * Attend the party. Bring along a paper copy of your key ID, key type, fingerprint, and key size that you obtained from your own keyring. You must also bring along a suitable photo ID. Instruct the attendees at the beginning that they are to make two marks on the listing, one for correct key information (key ID, key type, fingerprint, and key size) and one if the ID check is ok.
* Attend the party. Bring along a paper copy of your key ID, key type, fingerprint, and key size that you obtained from your own keyring. You must also bring along a suitable photo ID. Instruct the attendees at the beginning that they are to make two marks on the listing, one for correct key information (key ID, key type, fingerprint, and key size) and one if the ID check is ok.
  * At the meeting each key owner reads his key ID, key type, fingerprint, key size, and user ID from his own printout, not from the distributed listing. This is because there could be an error, intended or not, on the listing. This is also the time to tell which ID's to sign or not. If the key information matches your printout then place a check-mark by the key.
* At the meeting each key owner reads his key ID, key type, fingerprint, key size, and user ID from his own printout, not from the distributed listing. This is because there could be an error, intended or not, on the listing. This is also the time to tell which ID's to sign or not. If the key information matches your printout then place a check-mark by the key.
  * After everyone has read his key ID information, have all attendees form a line.
* After everyone has read his key ID information, have all attendees form a line.
  * The first person walks down the line having every person check his ID.
* The first person walks down the line having every person check his ID.
  * The second person follows immediately behind the first person and so on.
* The second person follows immediately behind the first person and so on.
  * If you are satisfied that the person is who they say they are, and that the key on the printout is theirs, you place another check-mark next to their key on your printout.
* If you are satisfied that the person is who they say they are, and that the key on the printout is theirs, you place another check-mark next to their key on your printout.
  * Once the first person cycles back around to the front of the line he has checked all the other IDs and his ID has been checked by all others.
* Once the first person cycles back around to the front of the line he has checked all the other IDs and his ID has been checked by all others.
  * After everybody has identified himself or herself the formal part of the meeting is over. You are free to leave or to stay and discuss matters of PGP and privacy (or anything else) with fellow PGP users. If everyone is punctual the formal part of the evening should take less than an hour.
* After everybody has identified himself or herself the formal part of the meeting is over. You are free to leave or to stay and discuss matters of PGP and privacy (or anything else) with fellow PGP users. If everyone is punctual the formal part of the evening should take less than an hour.
  * After confirming that the key information on the key server matches the printout that you have checked, sign the appropriate keys. Keys can only be signed if they have two check-marks.
* After confirming that the key information on the key server matches the printout that you have checked, sign the appropriate keys. Keys can only be signed if they have two check-marks.
  * Send the signed keys back to the keyservers.
* Send the signed keys back to the keyservers.
  * Use those keys as often as possible.  
* Use those keys as often as possible.  


== Why shouldn't I bring a computer? ==
== Why shouldn't I bring a computer? ==
Line 41: Line 41:
There are a variety of reasons, why you don't want to do this. The short answer is it would be insecure, unsafe, and of no benefit. For those not convinced, here are some reasons why it is insecure, unsafe, and of no benefit.
There are a variety of reasons, why you don't want to do this. The short answer is it would be insecure, unsafe, and of no benefit. For those not convinced, here are some reasons why it is insecure, unsafe, and of no benefit.


  * Someone might have modified the computers programs, operating system, or hardware to steal or modify keys.
* Someone might have modified the computers programs, operating system, or hardware to steal or modify keys.
  * If people are swapping disks with their keys on them the computer owner has to worry about viruses.
* If people are swapping disks with their keys on them the computer owner has to worry about viruses.
  * If people are carrying their secret keys with them and intend to do the signing at the actual meeting by typing their passphrase into a computer, then they are open to key-logging attacks, shoulder-surfing, etc.
* If people are carrying their secret keys with them and intend to do the signing at the actual meeting by typing their passphrase into a computer, then they are open to key-logging attacks, shoulder-surfing, etc.
  * It is much better to just exchange key details and verify ID and then do the signing when you get home to your own trusted computer.
* It is much better to just exchange key details and verify ID and then do the signing when you get home to your own trusted computer.
  * Someone might spill beer on it.
* Someone might spill beer on it.
  * Someone might drop it or knock it off the table.
* Someone might drop it or knock it off the table.
  * More reasons, I don't feel like articulating  
* More reasons, I don't feel like articulating  


== Other questions about signing keys? ==
== Other questions about signing keys? ==
Line 55: Line 55:
If you're looking for quick answers you may want to look to the questions and answers below, which all come from the [http://www.uk.pgp.net/pgpnet/pgp-faq/|PGP FAQ]. It also has a lot of other good information, besides what is linked to below.
If you're looking for quick answers you may want to look to the questions and answers below, which all come from the [http://www.uk.pgp.net/pgpnet/pgp-faq/|PGP FAQ]. It also has a lot of other good information, besides what is linked to below.


  * [http://www.uk.pgp.net/pgpnet/pgp-faq/faq-06.html#6.1|What is key signing?]
* [http://www.uk.pgp.net/pgpnet/pgp-faq/faq-06.html#6.1|What is key signing?]
  * [http://www.uk.pgp.net/pgpnet/pgp-faq/faq-06.html#6.2|How do I sign a key?]
* [http://www.uk.pgp.net/pgpnet/pgp-faq/faq-06.html#6.2|How do I sign a key?]
  * [http://www.uk.pgp.net/pgpnet/pgp-faq/faq-06.html#6.3|Should I sign my own key?]
* [http://www.uk.pgp.net/pgpnet/pgp-faq/faq-06.html#6.3|Should I sign my own key?]
  * [http://www.uk.pgp.net/pgpnet/pgp-faq/faq-06.html#6.4|Should I sign X's key?]
* [http://www.uk.pgp.net/pgpnet/pgp-faq/faq-06.html#6.4|Should I sign X's key?]
  * [http://www.uk.pgp.net/pgpnet/pgp-faq/faq-06.html#6.5|How do I verify someone's identity?]
* [http://www.uk.pgp.net/pgpnet/pgp-faq/faq-06.html#6.5|How do I verify someone's identity?]
  * [http://www.uk.pgp.net/pgpnet/pgp-faq/faq-06.html#6.6|How do I know someone hasn't sent me a bogus key to sign?]
* [http://www.uk.pgp.net/pgpnet/pgp-faq/faq-06.html#6.6|How do I know someone hasn't sent me a bogus key to sign?]


== Other useful PGP links ==
== Other useful PGP links ==
Line 66: Line 66:
A few more links for PGP newbies, or those who wish to re acquaint themselves.
A few more links for PGP newbies, or those who wish to re acquaint themselves.


  * http://www.pgpi.org/ -- The International PGP Home Page
* http://www.pgpi.org/ -- The International PGP Home Page
  * http://www.pgpi.org/download/ -- Download PGP
* http://www.pgpi.org/download/ -- Download PGP
  * http://www.gnupg.org/ -- GNU PGP (Linux)
* http://www.gnupg.org/ -- GNU PGP (Linux)
  * http://www.pgpi.org/products/tools/search/ -- PGP Tools, Shells, and Plugins  
* http://www.pgpi.org/products/tools/search/ -- PGP Tools, Shells, and Plugins  


== What if I still have a question? ==
== What if I still have a question? ==


If you'd like some help answering it, you can contact the event coordinator, Anthony Liguori via email at [mailto:anthony@codemonkey.ws|anthony@codemonkey.ws].
If you'd like some help answering it, you can contact the event coordinator, Anthony Liguori via email at [mailto:anthony@codemonkey.ws|anthony@codemonkey.ws].

Revision as of 12:39, 24 July 2013

Where?

KVM Forum 2013

When?

Day/Room TBD

What's a key-signing party?

A key-signing party is a get-together with PGP users for the purpose of meeting other PGP users and signing each other's keys. This helps to extend the "web of trust" to a great degree. Also, it sometimes serves as a forum to discuss strong cryptography and related issues.

What do I need for this party?

Required Items

  • Physical attendance
  • Positive picture ID
  • Your Key ID, Key type, HEX fingerprint, and Key size
  • A pen/pencil or whatever you'd like to write with....
  • NO computer

Required Process

  • Generate a key/Remember your pass phrase
  • All attendees send their public keys to a public keyserver. For this party, we'll use keyserver.cryptnet.net. If for some reason you don't want your key to be in a public keyserver, but still want to participate, please let me know.
  • All attendees send their key ID, key type, fingerprint, and key size to the host, [1], who will compile everyone's key information.
  • The host prints a list with everyone's key ID, key type, fingerprint, and key size from the compiled keyrings and distributes copies of the printout at the meeting.
  • Attend the party. Bring along a paper copy of your key ID, key type, fingerprint, and key size that you obtained from your own keyring. You must also bring along a suitable photo ID. Instruct the attendees at the beginning that they are to make two marks on the listing, one for correct key information (key ID, key type, fingerprint, and key size) and one if the ID check is ok.
  • At the meeting each key owner reads his key ID, key type, fingerprint, key size, and user ID from his own printout, not from the distributed listing. This is because there could be an error, intended or not, on the listing. This is also the time to tell which ID's to sign or not. If the key information matches your printout then place a check-mark by the key.
  • After everyone has read his key ID information, have all attendees form a line.
  • The first person walks down the line having every person check his ID.
  • The second person follows immediately behind the first person and so on.
  • If you are satisfied that the person is who they say they are, and that the key on the printout is theirs, you place another check-mark next to their key on your printout.
  • Once the first person cycles back around to the front of the line he has checked all the other IDs and his ID has been checked by all others.
  • After everybody has identified himself or herself the formal part of the meeting is over. You are free to leave or to stay and discuss matters of PGP and privacy (or anything else) with fellow PGP users. If everyone is punctual the formal part of the evening should take less than an hour.
  • After confirming that the key information on the key server matches the printout that you have checked, sign the appropriate keys. Keys can only be signed if they have two check-marks.
  • Send the signed keys back to the keyservers.
  • Use those keys as often as possible.

Why shouldn't I bring a computer?

There are a variety of reasons, why you don't want to do this. The short answer is it would be insecure, unsafe, and of no benefit. For those not convinced, here are some reasons why it is insecure, unsafe, and of no benefit.

  • Someone might have modified the computers programs, operating system, or hardware to steal or modify keys.
  • If people are swapping disks with their keys on them the computer owner has to worry about viruses.
  • If people are carrying their secret keys with them and intend to do the signing at the actual meeting by typing their passphrase into a computer, then they are open to key-logging attacks, shoulder-surfing, etc.
  • It is much better to just exchange key details and verify ID and then do the signing when you get home to your own trusted computer.
  • Someone might spill beer on it.
  • Someone might drop it or knock it off the table.
  • More reasons, I don't feel like articulating

Other questions about signing keys?

You may want to read the Party Howto which includes an explanation of the concepts behind keysigning, instructions for hosting a keysigning party, instructions for participating in a keysinging party, and step by step instructions for signing other's keys.

If you're looking for quick answers you may want to look to the questions and answers below, which all come from the FAQ. It also has a lot of other good information, besides what is linked to below.

Other useful PGP links

A few more links for PGP newbies, or those who wish to re acquaint themselves.

What if I still have a question?

If you'd like some help answering it, you can contact the event coordinator, Anthony Liguori via email at [2].