From 27C3 public wiki


Keysigning

There will be a KEYSIGNING again. Please use the discussion page for any questions (or call me at 9877). All registered attendees have received or will receive an email tonight. This email will contain all further instructions.


Date and Place

We will meet on December 30th - that is day 4 - at 15:00 in front of the Himmel (where the angels are, behind the hackcenter in the basement). We then may proceed into a room, if one is free.

The List of participants

You should try to get a printout of the list of participants or have enough power left in your laptop battery to make changes in the list during the KSP. I will try to bring some printouts too. When you get one of my copies you have to compare the fingerprints and uids on the printout I give you with the actual file later.

What will happen on the 30th of December

  • I will hopefully get a room (the first time 300 people standing outside in the cold in front of the bcc should be the only time.)
  • We will compare the checksum of the list of participants to make sure every attendee has received the same file by email.
  • We then ask all registered participants if they are present. You will mark this on your list.
  • We then show each other our ID-cards by standing in a row in the order given by the list of participants. That's the second thing you may make a mark for on the list.

The Party is over - what happens now?

In short: after we have met, noted on our list who attended and who said the fingerprint is okay, and checked the ID cards, we sign the keys at home.

Questions during the KSP

One word on ID-cards: The key concept of the web of trust is that many people check the identity of the persons attending a keysigning party - that means other people trust you to carefully check the validity of the presented ID-cards. Usually one should only accept official cards made by authorities.

Another question raised was on uids on keys that only include a nickname or a first name. It is totally okay to sign these uids under, I think, two circumstances. If you know that this person uses that nickname regularly because you know the person, you can sign that key. I would for instance sign a key that fefe presents me, when the uid is only fefe. But when another person tries that, I know that person is not fefe and I would not sign the key. So that depends. It is more clear for uids that only contain the first name of the person. When you sign that uid you basically say that this person has that first name - and that is obviously clear when it is the real first name. We all sign keys/uids that do not contain all first names of a person that are written on the ID-card.

What to do at home

What I do now is go through the list of participants and see who had more than one key on it - so I don't miss one of the keys when signing. Also I strike out all other attendees on the list so I don't accidentally sign one of those.

Then I use a forked version of caff to sign the keys and send an encrypted email to all the uids on the keys I signed. This encrypted email will only contain the signature on the uid I send it to, which makes sure that the recipient has control over that email account and the key.

Also I do not import these signatures into my gpg installation - thus, when the person does not publish his key after he imported my signature, not even I will have my own signature on this key in my keyring.

Another simple but insecure approach would be to just import the keyring I send via email, sign the keys of the attendees and upload them to the keyservers.

You will find a lot of howtos on the net. Thus I will not explain all the details here again ;)
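
The preparation step described above (confirm the list file against the checksum agreed at the party, strike out everyone who was not fully verified, and spot owners with more than one key), as an added Python example that is not part of the original wiki page. The `marks;fingerprint;owner` list layout, the use of SHA-256 as the checksum and the 40-hex-digit fingerprints are assumptions of this example, and the sample entries are constructed.

```python
import hashlib
from collections import defaultdict

# Constructed sample list. The "marks;fingerprint;owner" layout is an
# assumption of this example: P = present, F = owner confirmed the
# fingerprint, I = ID card checked.
SAMPLE_LIST = """\
PFI;0123456789ABCDEF0123456789ABCDEF01234567;Alice Example
PFI;89ABCDEF0123456789ABCDEF0123456789ABCDEF;Alice Example
PF;1111222233334444555566667777888899990000;Bob Example
;AAAABBBBCCCCDDDDEEEEFFFF0000111122223333;Carol Example
PFI;FEDCBA9876543210FEDCBA9876543210FEDCBA98;Dave Example
"""
REQUIRED = set("PFI")

def normalise(hex_text):
    """Drop spaces, colons and case so a read-aloud value compares cleanly."""
    return "".join(c for c in hex_text if c.isalnum()).lower()

def list_matches(list_bytes, announced_digest):
    """True if the file has the digest agreed at the party (SHA-256 assumed)."""
    return hashlib.sha256(list_bytes).hexdigest() == normalise(announced_digest)

def keys_to_sign(list_text):
    """Return ({owner: [fingerprints to sign]}, [struck-out fingerprints])."""
    sign, struck = defaultdict(list), []
    for line in filter(str.strip, list_text.splitlines()):
        marks, fpr, owner = line.split(";", 2)
        fpr = normalise(fpr).upper()
        # Assumption: 160-bit fingerprints written as 40 hex digits.
        if len(fpr) != 40 or set(fpr) - set("0123456789ABCDEF"):
            raise ValueError(f"malformed fingerprint for {owner!r}")
        # Sign only when all three checks were marked; strike out the rest.
        (sign[owner] if REQUIRED <= set(marks) else struck).append(fpr)
    return dict(sign), struck

def multi_key_owners(sign):
    """Owners with more than one key, so none of their keys is missed."""
    return sorted(o for o, fprs in sign.items() if len(fprs) > 1)

if __name__ == "__main__":
    sign, struck = keys_to_sign(SAMPLE_LIST)
    for owner, fprs in sign.items():
        print(owner, *fprs, sep="\n  ")
    print("more than one key:", multi_key_owners(sign))
    print("struck out:", len(struck))
```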
