Keysigning Party

From 31C3_Public_Wiki

Description: The aim of this Workshop is to strengthen the Web of Trust by signing OpenPGP keys of other people and receiving signatures from others.
Website(s):
Type: Meeting
Kids session: No
Keyword(s): social
Tags: Keysigning, PGP
Processing assembly: Nordige Nerds
Person organizing: Th
Language: de - German, en - English

Starts at: 2014/12/28 18:00
Ends at: 2014/12/28 22:00
Duration: 240 minutes
Location: Hall C

The aim of this Workshop is to strengthen the Web of Trust by signing OpenPGP keys of other people and receiving signatures from others.


We will use the [https://en.wikipedia.org/wiki/Zimmermann%E2%80%93Sassaman_key-signing_protocol Zimmermann-Sassaman key-signing protocol]. (Don't forget to bring your government-issued ID, with photo!)


Before the Party

Send me (timhaga@ebene6.org) an e-mail with your public key before Dec 23rd 20:00. Later that evening you will receive a list with all keys. Please check the hashes of that list, print it out, and write down the hashes. Also check that the fingerprint of your own key on the list is correct. To keep the e-mail small, you may export your key with gpg --export-options export-minimal -a --export KeyId.

Notice: Due to the lack of printers at the congress in the last years, the deadline for sending me your public key is Dec 23rd, 20:00 UTC+1. I will send the list a few hours later. This allows everyone to print the list at home before travelling to Hamburg.

During the Party

Everyone brings their own printout of the list I mailed you before. We will check the hashes at the beginning of the event. The list has two checkboxes for every key on it. Each participant verifies and states that their key is correct; you mark the first checkbox of every key that is stated as correct. Once all keys are checked, we will form a line and show each other our government-issued ID. For every participant whose ID you check and find sufficiently authentic, you mark the second checkbox of the corresponding key.

Important: You decide your own signing policy. Don't worry if your neighbour reaches a different decision from yours about whether to trust a person's ID. Some people have stronger requirements than others. But as a rule of thumb: do not only check the photo on the ID, but also the name of the person. Data on the ID can vary widely depending on the type of ID and the issuing country, so it's entirely up to you which data you want to check.

Data you may find and want to check can include:

  • Date of birth (ask the person and check on the ID)
  • Eye color
  • Height
  • Expiration date
  • Security features (look here for the [http://www.personalausweisportal.de/SharedDocs/Downloads/EN/Flyers-and-Brochures/Flyer_security_features_nPA.pdf?__blob=publicationFile security features of the German Personalausweis] and here for [http://prado.consilium.europa.eu/en/searchbyissuingcountry.html other identity documents from many European countries])

After the Party

The signing itself is done at home, on your own secure computer.


Questions that arose

Damn, I just heard about the Signing Party after the deadline. How can I participate?

Just write me an email. I'll send you the keylist, which you can print out and bring to the party. This enables you to sign other keys. If you bring paper strips with your key information (gpg --list-key --fingerprint --list-options no-show-uid-validity <yourKeyID>), we can queue you at the end of the row and you can get your key signed. If there are too many people who are not on the list, we may split the signing party into two parts: one for the people on the list, and one for all others. We have 60 keys on the list, so I expect that this round should be finished in less than 90 minutes. We have booked the hall for 4 hours, so there's plenty of time.

My version of gpgsigs won't work with your list formatting. What can I do?

I used gpg 2.1 and the latest version of the signing-party package, i.e. the latest svn revision of the maintainer's repository (svn://svn.debian.org/pgp-tools/trunk). If you're using Debian stable, then your version is terribly outdated. You should use the version from unstable. It should suffice to copy the gpgsigs binary. Otherwise Peter Lebbing told me that cat ksp-31c3.txt|sed 's/rsa\([0-9]\{4\}\)/\1R/; s/dsa\([0-9]\{4\}\)/\1D/' > ksp-31c3-fixed.txt should also work, but then the fingerprint gpgsigs computes is faulty, because you changed the file.

How do I create a GPG key?

There are good tutorials on the web. A good starting point is here: http://www.gnupg.org/documentation/howtos.html

Will you sign a pseudonym?

I, personally speaking, will not, but maybe some others will. Most people I know won't sign pseudonyms either. The whole point of signing is that you testify that a person is who they claim to be, and that's hard to prove for pseudonyms. So if your pseudonym is not written in your government-issued ID (as is possible in Germany for artists and clerics), it's unlikely that your key will be signed.

How will the list look exactly?

The list will have a header with fields to fill in the checksums, and then for every participant a section as shown below:

 001  [ ] Fingerprint OK        [ ] ID OK
 pub   2048R/48708D86 2013-06-27 [expires: 2016-06-26]
   Key fingerprint = F7C0 09A1 9C66 D991 C3EB  8D05 5F90 6FB0 4870 8D86
 uid                  John Doe <john.doe@example.org>

You can see a consecutive number, two check fields for Fingerprint and ID, the key ID, the creation date and expiration date (if any), the fingerprint, and a list of the associated uids.

Can I print the list on an untrusted printer?

Yes, it's okay to print your version of the list on any printer. You don't have to trust the printed list for the protocol to be secure; it's merely a convenient notepad. You only have to trust the digital copy of the list I will have sent to you. We'll check the integrity of the list at the beginning of the meeting (via the checksums).

You mark on the list:

  • whether the person stated that their key is correct, and
  • whether you trust the presented ID of that person

When you sign the keys on your computer, you check that the fingerprint of each key corresponds to the fingerprint presented on the list. If you don't trust the printed version, you can use the digital version for this check.
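As an added example (not code from this wiki page or from the signing-party package), here is that at-home check done in Python over the entry format shown under "How will the list look exactly?": it parses the list entries, reads fingerprints from the output of gpg --with-colons --fingerprint, and reports per entry whether the key in your keyring matches the list. It also accepts the gpg 2.1 rsa2048/ spelling mentioned in the gpgsigs question, so the list can be used without the sed rewrite. The sample list and gpg output below are constructed; the LIST INCONSISTENT and NOT IN KEYRING verdicts are this example's own.

```python
import re
# Constructed sample in the entry format the page shows (not the real 31C3 list);
# entry 002 uses the gpg 2.1 "rsa4096/" spelling that the FAQ's sed line rewrites.
SAMPLE_LIST = """\
 001  [ ] Fingerprint OK        [ ] ID OK
 pub   2048R/48708D86 2013-06-27 [expires: 2016-06-26]
   Key fingerprint = F7C0 09A1 9C66 D991 C3EB  8D05 5F90 6FB0 4870 8D86
 uid                  John Doe <john.doe@example.org>

 002  [ ] Fingerprint OK        [ ] ID OK
 pub   rsa4096/0123456789ABCDEF 2014-01-02 [SC]
   Key fingerprint = 0000 1111 2222 3333 4444  5555 0123 4567 89AB CDEF
 uid                  Jane Roe <jane.roe@example.org>
"""
# Constructed 'gpg --with-colons --fingerprint' output; key 002 differs from the list.
SAMPLE_COLONS = """\
pub:-:2048:1:5F906FB048708D86:1372291200:1467000000::-:::scESC::::::23::0:
fpr:::::::::F7C009A19C66D991C3EB8D055F906FB048708D86:
pub:-:4096:1:0123456789ABCDEF:1388620800:0::-:::scESC::::::23::0:
fpr:::::::::FFFF111122223333444455550123456789ABCDEF:
"""

def parse_list(text):
    """Map entry number -> {'keyid', 'fpr'}. The key type may be written
    2048R/ (older gpg) or rsa2048/ (gpg 2.1), so no sed rewrite is needed."""
    entries, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"(\d{3})\s+\[.\] Fingerprint OK", s):
            cur = entries[m.group(1)] = {"keyid": None, "fpr": None}
        elif cur is not None and (m := re.match(
                r"pub\s+(?:\d{4}[RD]|(?:rsa|dsa)\d{4})/([0-9A-Fa-f]{8,16})", s)):
            cur["keyid"] = m.group(1).upper()
        elif cur is not None and s.startswith("Key fingerprint ="):
            cur["fpr"] = s.split("=", 1)[1].replace(" ", "").upper()
    return entries

def keyring_fingerprints(colons):
    """Fingerprints in 'gpg --with-colons --fingerprint' output (field 10 of fpr records)."""
    return {r.split(":")[9].upper() for r in colons.splitlines() if r.startswith("fpr:")}

def check_entry(entry, local_fprs):
    """Verdict for one entry; sign only on 'OK', and only if you ticked both boxes."""
    keyid, fpr = entry["keyid"], entry["fpr"]
    if not (keyid and fpr and len(fpr) == 40 and fpr.endswith(keyid)):
        return "LIST INCONSISTENT"   # a v4 key id is the tail of its own fingerprint
    found = {f for f in local_fprs if f.endswith(keyid)}
    if not found:
        return "NOT IN KEYRING"      # fetch/import the key first, then check again
    return "OK" if fpr in found else "MISMATCH"
```

To run it on the real list, pass the text of ksp-31c3.txt to parse_list and the output of gpg --with-colons --fingerprint to keyring_fingerprints, then call check_entry for each entry; anything other than OK means the key on your computer is not the one the list (and the checksums you verified at the party) vouches for.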