PGP Keysigning

From 25C3 Public Wiki

Preparation

If you do not have a key yet then create a key:

 $ gpg --gen-key

You will receive a key with a key ID, e.g. "123456789".

Upload that key to a keyserver:

 $ gpg --keyserver wwwkeys.nl.pgp.net --send-key $MYID

Add the fingerprint of your key to the list below.

 $ gpg --fingerprint $MYID

Signing

An easy way to sign many keys quickly is to use the following shell script:

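#!/bin/sh
# Takes the ID of the key to fetch and sign as its only argument.
[ -n "$1" ] || { echo "usage: $0 KEYID" >&2; exit 1; }
# Ask each keyserver for the key; it is enough if one of them has it.
gpg --keyserver pgp.mit.edu --recv-key "$1"
gpg --keyserver keyserver.pgp.com --recv-key "$1"
gpg --keyserver wwwkeys.nl.pgp.net --recv-key "$1"
gpg --sign-key "$1"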

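It queries three commonly used keyservers for the given key and then tries to sign it. gpg prints the key's fingerprint before it asks for confirmation, so compare it with the fingerprint you checked on your printed list before you confirm.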


Key List

This list is closed; the official key list is at http://www.elho.net/crypto/ksp/ksp-25C3.txt. You can fetch the official list safely by running the following command:

$ wget http://www.elho.net/crypto/ksp/ksp-25C3.txt && gpg --print-mds ksp-25C3.txt

The original list has an MD5 starting with 4A 2C and a SHA1 starting with 0629. If your list is different, then something went wrong.

When and where?

Day 3 in the Meeting room C04 at 15:45. See Workshops for details. Feel free to call 6999 (User:rdi) if something goes wrong.

Items

Things to bring to the party:

  • ID or Passport
  • Printout of Key List
  • Data Sums (MD5, SHA1, SHA256)
  • A Pen

You need a valid ID or passport, the fingerprint of your PGP/GPG Key, and yourself. Also a printed copy of the list above is necessary.

And if this all should take place again outside then you should have enough clothing on you (hat, shawl, gloves), and maybe something hot to drink. You definitely need some time for this, so just forget about going away during the process. :-P

Performance

Planned performance

Fetch the published list. You can use

 $ wget http://www.elho.net/crypto/ksp/ksp-25C3.txt && gpg --print-mds ksp-25C3.txt

to fetch the list and calculate the checksum. We use the MD5 and SHA1 checksums to compare the lists. Then compare the data of your key with the data in list.txt. Bring a copy of this list with the calculated checksums to the party.

If you can't use wget to fetch the list, use the "save link target as" function of your browser to store the key list on your computer, to avoid problems like character set conversion or line end conversion. Do not copy the list into the clipboard and paste it into a text file; this will cause problems. Please check the checksums of this file to make sure there was no accidental change to the file.
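The checksum comparison described above and in the Key List section, as an added shell example (not part of the original wiki page): it accepts a prefix in the spelling gpg --print-mds uses, such as the MD5 prefix 4A 2C, and detects the line end conversion warned about above. The function names and the use of coreutils md5sum/sha1sum/sha256sum are assumptions; the sample file is constructed.

```shell
#!/bin/sh
# Added example: compare a downloaded key list with the checksums read out at
# the party. Uses coreutils md5sum/sha1sum/sha256sum (an assumption); they give
# the same digests as gpg --print-mds, only lower-case and without spaces.

# norm_hex STRING: drop spaces and colons, lower-case the hex digits.
norm_hex() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'A-F' 'a-f'
}

# file_digest ALGO FILE: hex digest of FILE; ALGO is md5, sha1 or sha256.
file_digest() {
    case "$1" in
        md5|sha1|sha256) "${1}sum" < "$2" | cut -d' ' -f1 ;;
        *) echo "unsupported algorithm: $1" >&2; return 2 ;;
    esac
}

# digest_has_prefix ALGO FILE PREFIX: succeed if FILE's digest starts with
# PREFIX, whatever its spelling ("4A 2C", "4a2c", "4A:2C").
digest_has_prefix() {
    want=$(norm_hex "$3")
    [ -n "$want" ] || return 2
    have=$(file_digest "$1" "$2") || return 2
    case "$have" in
        "$want"*) return 0 ;;
        *) return 1 ;;
    esac
}

# has_crlf FILE: succeed if FILE contains carriage returns, the usual trace of
# a line end conversion introduced by copy and paste.
has_crlf() {
    [ -n "$(tr -cd '\r' < "$1")" ]
}

# Constructed two-line sample standing in for the key list, and a copy with
# CRLF line ends as a clipboard round trip might produce.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'SAMPLE LIST\n[ ] Fingerprint OK  [ ] ID OK\n' > "$dir/list.txt"
    awk '{ printf "%s\r\n", $0 }' "$dir/list.txt" > "$dir/pasted.txt"
    full=$(file_digest sha1 "$dir/list.txt")
    digest_has_prefix sha1 "$dir/list.txt" "$full" && echo "list.txt: SHA1 matches"
    digest_has_prefix sha1 "$dir/pasted.txt" "$full" || echo "pasted.txt: SHA1 differs"
    has_crlf "$dir/pasted.txt" && echo "pasted.txt: CR line ends found"
    rm -rf "$dir"
}
demo
```

On the real file, digest_has_prefix md5 ksp-25C3.txt "4A 2C" and digest_has_prefix sha1 ksp-25C3.txt 0629 check the two prefixes given on this page.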

At the party one of the participants reads the checksums of the list, while the other participants compare the checksums with their own copy. After the checksum of the whole list is compared (and matches), the participants' names are read out, and each participant who is present will answer whether the fingerprint of his key on the list is correct or not. The other participants check the [ ] Fingerprint OK box accordingly. Once the checking of the fingerprints is done for the whole list, we will line up in two rows facing each other according to our number in the list. E.g. 10 participants would stand like this:

  1 2 3 4 5
 10 9 8 7 6

The participants in the upper row will present their ID or passport to those in the lower row. When the person matches the ID, the participants in the lower row check the corresponding [ ] ID OK box. Next the rows rotate in a chain-like motion and the procedure repeats, i.e. the participants would now stand like this:

 2  3 4 5 6
 1 10 9 8 7

It is important that those in the upper row only present their ID and those in the lower row only check them, to avoid unnecessary waste of time by switching between list/pen and ID documents. Once a full rotation is completed, i.e. the original constellation is reached again, everyone has both presented his ID to everyone else and checked the ID of everyone else and thus the meeting is over.
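The line-up and rotation described above can be simulated to see who faces whom at each step. The following is an added example, not part of the original wiki page; the function names are hypothetical, and it models the ring exactly as the two diagrams draw it, for an even number of participants.

```shell
#!/bin/sh
# Added example: simulate the two-row rotation for n participants (n even),
# with the rows laid out exactly as in the two diagrams.

# pairs_at_step N K: print "presenter checker" for each facing pair after
# K rotations (upper row presents, lower row checks).
pairs_at_step() {
    n=$1; k=$2; i=0
    while [ "$i" -lt $((n / 2)) ]; do
        echo "$(( (i + k) % n + 1 )) $(( (n - 1 - i + k) % n + 1 ))"
        i=$((i + 1))
    done
}

# all_pairs N: every ordered presenter/checker pair seen in one full rotation.
all_pairs() {
    step=0
    while [ "$step" -lt "$1" ]; do
        pairs_at_step "$1" "$step"
        step=$((step + 1))
    done | sort -u
}

# coverage N: "<pairs that met> <pairs needed>", where needed = N * (N - 1).
coverage() {
    echo "$(all_pairs "$1" | wc -l | tr -d ' ') $(( $1 * ($1 - 1) ))"
}

# missing_for N P: list numbers whose ID participant P never got to check.
missing_for() {
    seen=$(all_pairs "$1" | awk -v p="$2" '$2 == p { print $1 }')
    q=1
    while [ "$q" -le "$1" ]; do
        [ "$q" -eq "$2" ] || echo "$seen" | grep -qx "$q" || printf '%s ' "$q"
        q=$((q + 1))
    done
    echo
}

pairs_at_step 10 1   # the second diagram: 2 over 1, 3 over 10, 4 over 9, ...
coverage 10
missing_for 10 1
```

For the 10-person line-up it prints 50 90 and 3 5 7 9: in this closed ring, list numbers of the same parity never face each other, so those pairs have to meet separately before anyone can check both boxes for them.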

Backup strategy

The participants read their keys from their own documents (because there can be an error in the public list) to all, or share strips with each other, and line up in order as in the planned performance. The checking of the keys goes like the planned performance.

Afterwards

After the meeting you sign the keys where you have both [ ] Fingerprint OK and [ ] ID OK boxes checked. You may send the signed key to each e-mail address in the key in order to verify that the key owner is also the owner of this mailbox.

There is also software to automate this process out there, like caff (http://pgp-tools.alioth.debian.org/).

See also http://www.w4kwh.org/?page_id=6 for details.

Unregistered People

If you have not registered yourself in time for the Key Signing then you can still take part. However, you must have enough printouts of your key fingerprint to give them to all the other participants, and you must get in line at the very end.

FAQ

  • Q: Is there a deadline for the key list? So everyone knows when the list is complete and it's time to print them out?
  • A: The deadline is Thu Dec 25 23:59:59 UTC.
  • Q: What are the checksums good for and how should they be generated?
  • A: The official list (http://www.elho.net/crypto/ksp/ksp-25C3.txt) will not be changed anymore. Section "Planned performance" describes one way to fetch the list and calculate the checksums. The checksums are used to compare each participant's copy of the list without checking every single character. Each participant calculates the checksums, and if these checksums match, the lists are the same (there is a chance that different inputs lead to the same output of the hash function, but the probability of hitting such a case is low enough not to worry about; see also [1]).
  • Q: Who is responsible for the party?
  • A: Rdi, Dect 6999
  • Q: When and Where?
  • A: Day 3 in the Meeting room C04 at 15:45. See Workshops for details.
  • Q: Is there also a CAcert booth?
  • A: Not this year, but there are several assurers around for meetings and it is also suggested to meet each other at the keysigning party itself for assurances. For more information look HERE.