|Description||The aim of this Workshop is to strengthen the Web of Trust by signing OpenPGP keys of other people and receiving signatures from others.|
|Language||de - German, en - English|
|Starts at||2013/12/29 06:30:00 PM|
|Ends at||2013/12/29 09:00:00 PM|
Important notice: Time and location has changed!
The aim of this Workshop is to strengthen the Web of Trust by signing OpenPGP keys of other people and receiving signatures from others.
Full description and details will follow
We will use the Zimmermann-Sassaman key-signing-protocol (Don't forget to bring your government-issued ID, with photo!)
Before the Party
Send me (firstname.lastname@example.org) an e-mail with your public key before Dec 28th 20:00. Later that evening you will receive a list with all keys. Please check the hashes of that list print it out and write down the hashes. Check also if the fingerprint of your key is correct. To make the Email small, you may use
gpg --export-options export-minimal -a --export KeyId.
During the Party
Everyone brings their own printout of the list I mailed you the day before. We will check the hashes at the beginning of the event. The list has two checkboxes for every key on it. Each participants verifies and state that their key is correct. You mark one checkbox on every key that is stated as correct. Once all keys are checked, we will form a line and show each other our government-issued ID. For every participant whose ID you check and find sufficiently authentic you mark the second checkbox of the corresponding key.
Important: You decide your own signing policy. Don't bother if your neighbour comes to another decision than you whether to trust the ID of a person or not. Some people have stronger requirements than others. But as a rule of thumb: Do not only check the photo of the ID, but also the name of the person. Data on the ID can vary widely depending on the type of the ID and the issuing country, so it's absolutely up to you which datas you want to check.
Datas you may find and want to check can include:
- Date of birth (ask the person and check on the ID)
- Eye color
- Expiration date
- Security features (look here for the security features of the german Personalausweis and here for other identity documents from many european countries)
After the Party
The signing itself you do at home, on your own secure computer.
Questions that arose
How do I create a GPG key?
There are good tutorials on the web. A good starting point is here: http://www.gnupg.org/documentation/howtos.html
Will you sign a pseudonym?
I, personally speaking, will not, but maybe some others will. Most people I know won't sign pseudonyms either. The whole thing about signing is, that you testify that a person is who he/her claims to be. And thats hard to prove for pseudonyms. So if your pseudonym is not written in your government-issued ID (like it's possible in Germany for artists and clerics), it's unlikely that your key will be signed.
How will the list look exactly?
The list will have a header, with fields to fill in the checksums and then for every participants a section as shown below:
001 [ ] Fingerprint OK [ ] ID OK pub 2048R/48708D86 2013-06-27 [expires: 2016-06-26] Key fingerprint = F7C0 09A1 9C66 D991 C3EB 8D05 5F90 6FB0 4870 8D86 uid John Doe <email@example.com>
You can see a consecutive number, two checkfields for Fingerprint and ID, the key ID, creation date and expiration date (if any), the fingerprint and a list of the associated uids.
Can I Print the List on an untrusted printer?
Yes, it's okay to print your version of the list on any printer. You don't have to trust the printed list to make sure that the protocol is secure. It's merely a convenient notepad. You only have to trust the digital copy of the list I will have sent to you. We'll check the integrity of the list at the beginning of the meeting (Via the checksums).
You mark on the list:
- if the persons stated that her/his key is correct, and
- if you trust the presented ID of that person
When you sign the keys on your computer, you check that the fingerprint of each key correspond to the fingerprint presented on the list. If you don't trust the printed version, you could use the digital version for this check.