Difference between revisions of "User:Midnightcomm/key signing party"
Latest revision as of 17:58, 10 July 2007
A key signing party is an event where people present their PGP-compatible keys to others in person. An individual's key is then digitally signed by the other attendees, but only if they are confident that the key actually belongs to the person who claims ownership. This verification is usually done by comparing the individual's public key fingerprint with the one they read aloud, and by checking photo ID (such as a driver's license or passport).
Many of these operations may also be performed with a graphical front end such as Seahorse or KGPG.
What to Bring
- Photo ID such as a driver's license and/or passport.
- Printed copy of your key ID, and key fingerprint.
- Pencil or Pen
- Clipboard (optional).
Please do not bring a computer to the party unless you need to. Why?
Before the Party
Install the GNU Privacy Guard
GPG (GnuPG, the GNU Privacy Guard) is a free replacement for PGP and is included with nearly all Linux distributions. To verify that you have GnuPG installed, open a terminal window and type:
which gpg
If you get which: no gpg in ... (or no output at all), then you need to install it.
Generate Key
If you don't already have a GPG key, one must be generated.
gpg --gen-key
For the first three questions (key type, key size, and expiration) just press Enter to accept the defaults.
You will be asked for:
- your real name
- email address
- an optional comment
After confirming everything, GnuPG will ask for a passphrase. GnuPG will then generate a new key for you. Move your mouse around, since GnuPG needs random data to work with. It's usually a good idea to produce a revocation certificate (gpg --gen-revoke) right after making your new key and to store it somewhere safe, so you can retract the key later if the private half is ever lost or compromised. The 1024-bit DSA key and 2048-bit Elgamal subkey shown in the examples below were the GnuPG defaults in 2007; current GnuPG versions default to a different, stronger key type, but the commands on this page work the same way.
Print key Fingerprint
- Display key fingerprint
gpg --fingerprint example@localhost
Replace example@localhost with the email address you gave GnuPG earlier. If it looks okay (a few lines, not several pages; if several keys match the address, pick the key ID of the one you intend to use), print the output and bring it with you on July 11, 2007.
- Print key fingerprint onto paper
gpg --fingerprint example@localhost | lpr -o landscape
- Example Output
pub   1024D/7A63CF54 2007-06-28
      Key fingerprint = 3553 89D7 8959 5663 41C9 4273 EB4D 7D03 7A63 CF54
uid                  Test User <example@localhost>
sub   2048g/0CCBEF4B 2007-06-28
Email public key to coordinator
I will be announcing the key signing party on the mailing list. All public keys need to be sent in by July 9, 2007, 23:59 Chicago time.
Email me your public key (public.key) as an attachment. Type the following into a terminal window, replacing example@localhost with your email address.
gpg --armor --output public.key --export example@localhost
During the Party
Each person will receive a paper sheet listing the key fingerprint, name, and email address of the participants.
When your turn comes:
- State your name and key ID (an eight-digit hexadecimal number; it is the last eight digits of your fingerprint).
- Read your key fingerprint that you printed at home.
Everyone else will indicate on their sheet that the fingerprints match. You will then walk past everyone else, showing photo identification (such as a driver's license or passport). If the other members are individually convinced that you are the correct person, they will indicate on their paper sheet that you have passed their ID check.
Return to the line and continue participating by verifying others on your sheet.
After the Party
- Precise instructions with everyone's key ID will be sent on the mailing list.
Download Keys
Download people's keys from the key server subkeys.pgp.net.
gpg --keyserver subkeys.pgp.net --recv-keys 7A63CF54 ...
Sign Keys
Verify that the key fingerprint matches the one on your sheet; compare all forty hexadecimal digits, not just the eight-digit key ID. Only sign if the key fingerprints match and you are convinced the key belongs to who you think it does.
- Sign the key
gpg --sign-key 7A63CF54
Repeat the last command with each user's key ID. You can also give the full fingerprint (without spaces) in place of the key ID, which avoids any ambiguity if two keys in your keyring share the same eight-digit ID.
- Example output
$ gpg --sign-key FC11E734

pub  1024D/FC11E734  created: 2007-06-18  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048g/DE2D1695  created: 2007-06-18  expires: never       usage: E
[ unknown] (1). Michael J. Troutman <[email protected]>

pub  1024D/FC11E734  created: 2007-06-18  expires: never       usage: SC
                     trust: unknown       validity: unknown
 Primary key fingerprint: 21FE 6AD5 4376 2945 4C07 40AC 64A7 614B FC11 E734

     Michael J. Troutman <[email protected]>

Are you sure that you want to sign this key with your
key "Test User <example@localhost>" (7A63CF54)

Really sign? (y/N) y
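The fingerprint comparison in the "Print key Fingerprint" and "Sign Keys" steps is where the whole exercise either holds up or falls apart, so here is the paper-sheet side of it as code. This is an added example, not code from the wiki page or from GnuPG: it parses the human-readable gpg --fingerprint layout shown above (the second participant is invented sample data), normalizes a fingerprint copied from paper, and applies the page's rule that a key is signed only when all forty digits match the sheet and both marks (fingerprint read aloud, photo ID seen) were made at the party. The record and function names are this example's own.

```python
"""Sheet-side helpers for a key signing party (added example, not from the page)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the 2007 `gpg --fingerprint` layout shown on the page.
# The first key is the page's "Test User"; the second is an invented participant.
SAMPLE_GPG_OUTPUT = """\
pub   1024D/7A63CF54 2007-06-28
      Key fingerprint = 3553 89D7 8959 5663 41C9 4273 EB4D 7D03 7A63 CF54
uid                  Test User <example@localhost>
sub   2048g/0CCBEF4B 2007-06-28

pub   1024D/0A1B2C3D 2007-07-01
      Key fingerprint = 1111 2222 3333 4444 5555 6666 7777 8888 0A1B 2C3D
uid                  Alice Example <alice@example.org>
sub   2048g/4D3C2B1A 2007-07-01
"""

PUB_RE = re.compile(r"^pub\s+\S+/([0-9A-Fa-f]{8,16})\b")
FPR_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+?)\s*$")
UID_RE = re.compile(r"^uid\s+(\S.*?)\s*$")

@dataclass
class Key:
    key_id: str               # short key ID as gpg printed it, e.g. "7A63CF54"
    fingerprint: str = ""     # 40 hex digits, upper case, no spaces
    uids: list = field(default_factory=list)

@dataclass
class SheetEntry:
    """One row of the paper sheet plus the two marks made at the party."""
    name: str
    email: str
    fingerprint: str                   # as printed on the sheet (with spaces)
    fingerprint_matched: bool = False  # they read it aloud and it matched
    id_checked: bool = False           # you saw their photo ID yourself

def normalize_fingerprint(text):
    """Drop spaces and case so a fingerprint copied from paper compares
    byte-for-byte; anything but 40 hex digits (an OpenPGP v4 key) is refused."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a 40-digit v4 fingerprint: %r" % text)
    return fpr

def parse_fingerprint_output(text):
    """Turn `gpg --fingerprint` output into Key records.  For a v4 key the short
    key ID is the last 8 hex digits of the fingerprint, so a record where the
    two disagree has been mangled somewhere and is rejected."""
    keys, current = [], None
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            current = Key(key_id=m.group(1).upper())
            keys.append(current)
            continue
        if current is None:
            continue
        m = FPR_RE.search(line)
        if m:
            current.fingerprint = normalize_fingerprint(m.group(1))
            continue
        m = UID_RE.match(line)
        if m:
            current.uids.append(m.group(1))
    for k in keys:
        if not k.fingerprint:
            raise ValueError("no fingerprint line for key %s" % k.key_id)
        if not k.fingerprint.endswith(k.key_id):
            raise ValueError("key ID %s is not the tail of its fingerprint" % k.key_id)
    return keys

def ok_to_sign(entry, downloaded):
    """The page's rule made explicit.  Only the full fingerprint is compared:
    the 8-digit key ID is just its low 32 bits and two keys can share it."""
    if not (entry.fingerprint_matched and entry.id_checked):
        return False
    return normalize_fingerprint(entry.fingerprint) == downloaded.fingerprint

def keys_to_sign(sheet, downloaded):
    """Full fingerprints to pass to `gpg --sign-key`, one per fully verified
    row; unverified rows and keys that are not on the sheet are skipped."""
    by_fpr = {k.fingerprint: k for k in downloaded}
    chosen = []
    for entry in sheet:
        key = by_fpr.get(normalize_fingerprint(entry.fingerprint))
        if key is not None and ok_to_sign(entry, key):
            chosen.append(key.fingerprint)
    return chosen

if __name__ == "__main__":
    keys = parse_fingerprint_output(SAMPLE_GPG_OUTPUT)
    sheet = [
        SheetEntry("Test User", "example@localhost",
                   "3553 89D7 8959 5663 41C9 4273 EB4D 7D03 7A63 CF54", True, True),
        SheetEntry("Alice Example", "alice@example.org",
                   "1111 2222 3333 4444 5555 6666 7777 8888 0A1B 2C3D", True, False),
    ]
    for fpr in keys_to_sign(sheet, keys):   # Alice is skipped: her ID was never checked
        print("gpg --sign-key", fpr)
```

In practice the text fed to parse_fingerprint_output comes from running gpg --fingerprint on the keys you downloaded after the party; the function returns the full fingerprint rather than the short ID precisely so that the value you hand to gpg --sign-key is the one you actually compared against the sheet.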
Send to key server
Send the newly signed keys back to the same public key server:
gpg --keyserver subkeys.pgp.net --send-keys 7A63CF54 ...
Sync
After about a week, refresh your GnuPG keyring to pull down the signatures everyone else has uploaded to your key.
gpg --refresh-keys
See also
- PGP talk links and resources from July 11, 2007
External links
- GPG Keysigning Party HOWTO
- Efficient Group Key Signing Method, by Len Sassaman and Phil Zimmermann