PGP Keysigning

From 24C3 Public Wiki

Project: PGP Keysigning
Coordinator: Jeroen
Location: Saal 2
Time: Day 3, 15:30-16:00
Contact:


Key Submission Deadline

Key Submission Deadline: 2007-12-26 (Wednesday) 09:00 CET

See Keyring publication for more details.

What and why?

The basic idea of this page is to organize a big PGP key signing party at this year's congress.

The main intention of a keysigning is to improve your personal web of trust. When you create a PGP key, nobody knows whether it really belongs to you (you can create keys under any name you want). Therefore people meet at keysignings and compare the data on a person's key with their passport or other official documents. If they are satisfied that the key and the person belong together, they sign the key. You should send the key carrying your signature to its owner, and you may also upload it to a key server to make this information public.

So you can improve the trust level of your key and you might get to know some interesting people.

What can I do to take part?

You should follow these steps:

  1. If you do not have a key, create it. Take a look at the GPG-Mini-Howto.
  2. Upload your public key to one of these key servers:
    • subkeys.pgp.net
    • random.sks.keyserver.penguin.de
  3. Add your key to the Biglumber Keyring for the Big Lumber Event - CCC Chaos Communication Congress 2007
  4. Check your key(s) on the list.
  5. Print out the list and compute a SHA256 hash of it for quick verification.
  6. Take the list and your passport to the congress and enjoy the keysigning. :-)
  7. Optional, but heavily suggested: Drink a beer or have some other fun with the folks.
  8. Tick off the people you know and trust.
  9. Sign their keys. Debian/Ubuntu provide a 'signing-party' package with a 'caff' binary that helps here. The Thunderbird/Enigmail combination also has a handy interface.
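The participant's side of the steps above, written as a few POSIX shell functions around gpg. This is an added example and not a script from the 24C3 wiki or from the signing-party package; the keyserver name is one of the two listed above, while the key id, file names and the fingerprint format are assumptions. The gpg-calling functions are only defined here, so the file can be sourced without touching the network.

```shell
#!/bin/sh
# Added example (not from the 24C3 wiki): a participant's keysigning workflow.
# KEYSERVER is one of the servers listed on the page; MY_KEYID is a placeholder.
set -eu

KEYSERVER="subkeys.pgp.net"
MY_KEYID="0x0123456789ABCDEF"   # placeholder: replace with your own key id

# Step 1 (only if you have no key yet): run 'gpg --gen-key' and note the key id.

# Step 2: publish your public key on the keyserver.
publish_key() {
    gpg --keyserver "$KEYSERVER" --send-keys "$MY_KEYID"
}

# Step 5: hash the list you printed. Write the hash on the printout; you will
# read it out at the party and compare it with everyone else's.
hash_list() {
    sha256sum "$1" | cut -d' ' -f1
}

# At the party: every participant reads out their hash. Only if all of them
# agree does everyone hold the same list. Returns non-zero on the first mismatch.
hashes_agree() {
    first="$1"
    shift
    for h in "$@"; do
        [ "$h" = "$first" ] || return 1
    done
    return 0
}

# In the line: compare the fingerprint printed on your list with the one the
# person opposite reads from their own key. gpg prints fingerprints in groups
# of four hex digits, so whitespace and case are ignored and only the hex
# digits are compared. An empty fingerprint never matches.
fpr_matches() {
    a=$(printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]')
    b=$(printf '%s' "$2" | tr -d ' \t' | tr '[:lower:]' '[:upper:]')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Step 9, at home: for every key you ticked off, fetch the current copy,
# sign it and export the signed key so you can mail it back to its owner.
# The 'caff' tool from the signing-party package automates exactly this.
sign_checked_key() {
    keyid="$1"
    gpg --keyserver "$KEYSERVER" --recv-keys "$keyid"
    gpg --sign-key "$keyid"
    gpg --armor --export "$keyid" > "signed-$keyid.asc"
}
```

Note that `hashes_agree` stops at the first person whose hash differs; in practice that person has a different (possibly older) version of the list and should not take part in the ticking-off until the difference is resolved.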

How does the whole thing work?

We will meet at a spot still to be worked out, in time for the session. There we compare the SHA256 values that everyone has calculated for their own copy of the list. If all values are equal, everyone holds the same version of the list. After that we form a long line. The first person walks back along the line and the ones behind follow; this creates a long cycle of people. Everyone then checks the fingerprint and identity of the person opposite.

When you have arrived home and recovered from the strain, sign all keys which you believe to be valid.

Keyring publication

The keyring on Biglumber will be saved shortly after the submission deadline. It will then be signed by key 0x333E7C23 (jeroen@unfix.org). A SHA256 hash will be calculated over the keyring plus signature. The resulting SHA256 will itself be signed, so you can verify that the SHA256 is really the correct one. The signed keyring and the signed SHA256 hash will then be published on the Discussion page.

I'll then print out a number of copies of this keyring in a nice format (verified,signed,keyid,uid,hash), so that everybody receives the same file and has a copy even if they did not bring one. As the copies are identical, ticking off becomes easy. You will of course later have to compare the real list with the ticklist. This ticklist will also be published on the Discussion page.
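The publication chain described above (keyring, signature over the keyring, SHA256 over keyring plus signature, signature over that hash) and the checks a participant runs against it, as an added example in POSIX shell. This is not the organizer's actual script: the signing key id is the one named on the page, but the file names, the concatenation order (keyring first, then signature) and the choice of a detached signature for the keyring and a clearsigned file for the hash are assumptions. The point of the chain is that a participant who trusts key 0x333E7C23 can detect a swapped or modified keyring before printing it.

```shell
#!/bin/sh
# Added example (not from the 24C3 wiki): signing and verifying the keyring.
# ORGANIZER_KEYID is the key named on the page; file names and the hashing
# order are assumptions of this example.
set -eu

ORGANIZER_KEYID="0x333E7C23"

# Hash over keyring + signature, in that order. Organizer and participants
# must use the same order, otherwise their hashes can never match.
hash_keyring_and_sig() {
    cat "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Compare a published hash with a recomputed one. An empty published hash
# (e.g. a failed download) must not count as a match.
hash_matches() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Organizer side. Produces three files next to the keyring:
#   <keyring>.asc         detached ASCII-armored signature over the keyring
#   <keyring>.sha256      hex SHA256 over keyring + signature
#   <keyring>.sha256.asc  the hash file, clearsigned with the same key
publish_keyring() {
    keyring="$1"
    gpg --local-user "$ORGANIZER_KEYID" --armor --detach-sign \
        --output "$keyring.asc" "$keyring"
    hash_keyring_and_sig "$keyring" "$keyring.asc" > "$keyring.sha256"
    gpg --local-user "$ORGANIZER_KEYID" --clearsign \
        --output "$keyring.sha256.asc" "$keyring.sha256"
}

# Participant side. Needs the organizer's public key in the local keyring
# (gpg --recv-keys "$ORGANIZER_KEYID"). Verifies both signatures, recomputes
# the hash and compares it with the signed one. Any failing step means the
# downloaded keyring must not be used for the party.
verify_published_keyring() {
    keyring="$1"
    gpg --verify "$keyring.asc" "$keyring"
    gpg --verify "$keyring.sha256.asc"
    # --decrypt on a clearsigned file verifies it and prints the signed text
    published=$(gpg --decrypt "$keyring.sha256.asc" 2>/dev/null)
    computed=$(hash_keyring_and_sig "$keyring" "$keyring.asc")
    hash_matches "$published" "$computed"
}
```

Checking the signed hash is what lets a participant trust a printed copy: after verification, the hash on the printout can be compared with the value everyone reads out at the party, so a copy produced from a different keyring will stand out.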

The keysigning itself happens on Day 3 (2007-12-29) in the 15:00-16:00 break, in Saal 2 / Lecture Room 2.

Individual signings

As discussed on the Talk page of this article, some people are not in favour of large PGP keysigning events. You can, of course, also try to grab a beer with those people, get to know them first, and then ask them to sign your key. Some prefer this, as PGP signatures are given on a basis of trust. Ask yourself: do you trust a passport and the issuer of that passport more than you trust the actual person?

Comments/Questions

Do not hesitate to send Jeroen Massar an email in case of questions about this.

See also

Images

There are fancy Web of Trust images rendered at http://trac.cryptobitch.de/proj/wiki/2008/02/04-CCC-KSP-Results, so you can see how it basically works and how good or bad the result is.

Keywords

gpg, gnupg, pgp
