Keysigning 2008

From LinuxTag Public Wiki

(Difference between revisions)
m (Reverted edits by Susi (Talk) to last revision by Geyer)
 
(21 intermediate revisions not shown)
Line 6: Line 6:
At LinuxTag in Berlin there will be an OpenPGP (pgp/gpg) keysigning party.<br />
At LinuxTag in Berlin there will be an OpenPGP (pgp/gpg) keysigning party.<br />
The party will be on '''Friday, May 30th, at 14:00 (sharp), Workshop-Room&nbsp;1'''.<br />
The party will be on '''Friday, May 30th, at 14:00 (sharp), Workshop-Room&nbsp;1'''.<br />
-
This event is organized by [mailto:strengATftbfs.de Karlheinz Geyer].  
+
The event organizer is [mailto:strengATftbfs.de Karlheinz Geyer].  
__TOC__
__TOC__
-
=== What is/why keysigning? ===
+
=== Why keysigning? ===
-
Please read section One of the [http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html GnuPG Keysigning Party HOWTO].
+
Please read Chapter 2: "Why should I hold a Keysigning Party?" of the [http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html GnuPG Keysigning Party HOWTO].
=== How ===
=== How ===
-
The party will be conducted mainly using Len Sassaman's Efficient Group Key Signing Method:
+
The party will be conducted using Len Sassaman's Efficient Group Key Signing Method:
* If you intend to participate please send your key to our keyserver:
* If you intend to participate please send your key to our keyserver:
-
user@computer > gpg --keyserver hkp://lt2k8-ksp.ftbfs.de --send-key KEYID
+
  user@computer > gpg --keyserver hkp://lt2k8-ksp.ftbfs.de --send-key KEYID
-
:  until '''<big>Saturday, May 24th, 2008</big>'''.<br /> If your entry is not listed at http://lt2k8-ksp.ftbfs.de/ksp-lt2k8.txt after submission, please send me an [mailto:strengATftbfs.de email].
+
:  until <s>Sunday, May 25th 2008 21.30 GMT</s> <span style="background-color:yellow;">'''Thank you for your key submissions. No more uploads possible!'''</span>.<br /> If your entry is not listed at http://lt2k8-ksp.ftbfs.de/ksp-lt2k8.txt 30 minutes after submission, please send me an [mailto:strengATftbfs.de email].
-
* By Tuesday, '''<big>May 27th 2008</big>''', you will be able to fetch both the complete keyring with all the keys that were submitted along with a text file ksp-lt2k8.txt giving the fingerprint of each key on the ring. For downloading the files later please visit our keyserver at http://lt2k8-ksp.ftbfs.de.
+
 
-
* At home, verify that the fingerprint of your key in ksp-lt2k8.txt is correct. Also compute the MD5 and SHA1 hashes of ksp-lt2k8.txt. One way to do this is as follows:
+
* By Tuesday, '''<big>May 27th 2008</big>''', you can fetch the complete keyring with all the keys submitted and a text file ''ksp-lt2k8.txt'' containing the fingerprint of each key on the ring. For downloading the files later, please visit our keyserver at http://lt2k8-ksp.ftbfs.de.
 +
* At home, verify that the fingerprint of your key in ksp-lt2k8.txt is correct. Also compute the MD5 and SHA1 hashes of ksp-lt2k8.txt. One way to do this is:
  user@computer > md5sum ksp-lt2k8.txt
  user@computer > md5sum ksp-lt2k8.txt
  user@computer > sha1sum ksp-lt2k8.txt
  user@computer > sha1sum ksp-lt2k8.txt
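Review bot: The new deadline line (the "+" line starting ":  until <s>Sunday, May 25th 2008 21.30 GMT</s>") keeps a full stop after the closing </span>, so the notice renders as "No more uploads possible!."; drop that trailing "." and the leftover "until", which now dangles in front of struck-through text. The sentence after it still asks people to report an entry that is missing "30 minutes after submission" although uploads are closed, so say that it applies only to keys sent before the deadline.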
Line 26: Line 27:
  user@computer > gpg --print-md md5 ksp-lt2k8.txt
  user@computer > gpg --print-md md5 ksp-lt2k8.txt
  user@computer > gpg --print-md sha1 ksp-lt2k8.txt
  user@computer > gpg --print-md sha1 ksp-lt2k8.txt
-
* Use a pen and write these calculated hashes down into the given fields at ksp-lt2k8.txt. You'll find these fields within the top section of the list.
+
* Use a pen and write the calculated hashes into the corresponding fields in ksp-lt2k8.txt. You'll find the fields in the top section of the list.
-
* At LinuxTag, come with the hash you computed and a hardcopy of ksp-lt2k8.txt.
+
* Bring a completed hardcopy of ksp-lt2k8.txt with you to LinuxTag.
-
* We will recite than both MD5 and SHA1 hashes of ksp-lt2k8.txt. Verify that the hash recited matches what you computed. This guarantees that all participants own the same list of keys.
+
* We will recite both the MD5 and SHA1 hashes from ksp-lt2k8.txt. Verify that the recited hash matches what you computed. This guarantees that all participants possess the same list of keys.
-
* In turn, each participant will stand and acknowledge that the fingerprint of his or her key listed is correct. Mark the key verified on your hardcopy. Since we already ensured that everybody has the same copy a simple statement like "Yes, this information is correct" might be sufficient.
+
* In turn, each participant will stand and acknowledge that the fingerprint of his/her key listed is correct. Mark the key as verified on your hardcopy. Since we already ensured everyone has the same copy a simple statement like "Yes, this is correct" should be sufficient.
-
* The next step is to verify each participant's identity by checking his/her passport or similar sort of ID-Card.
+
* The next step is to verify each participant's identity by checking his/her passport or similar identification.
-
* Later when you are back at home, you can sign the keys which you were able to check during the party. After you signed a key send it to its owner together with your signature. Using caff might be of help for you.
+
* When you get home, sign the keys which you were able to check during the party. After you sign a key, send it to its owner together with your signature. You can use caff to automate this if you wish.
<span style="background-color:yellow;">
<span style="background-color:yellow;">
-
<big>Fairplay please!</big> A keysigningparty is good for meeting others, share interests and have fun. But the major goal behind such an event is to strengthen the so called '''WEB-OF-TRUST (WoT)''',<br /> thats why we are kindly asking you to finish your signing-work at home not later than '''<big>Monday, September 1st 2008</big>'''</span>
+
<big>Fair play, please!</big> A keysigning party is good for meeting others, sharing interests, and having fun; but the major goal behind the event is to strengthen the '''"WEB-OF-TRUST" (WoT)'''.<br /> That's why we ask that you finish your signing-work no later than '''<big>Monday, September 1st 2008.</big>'''</span>
=== Downloads ===
=== Downloads ===
-
'''Note: These files ARE NOT AVAILABLE YET,''' please be patient until the submission deadline has been reached! Files should be ready for downloading from http://lt2k8-ksp.ftbfs.de/ by '''Tuesday, May 27th'''.
+
Prior to the keysigning party, you should have already downloaded the following files from http://lt2k8-ksp.ftbfs.de/:
-
 
+
-
Prior to the keysigningparty you should have already downloaded the following files:
+
; List of participants
-
* ksp-lt2k8.txt - List of participants
+
: http://lt2k8-ksp.ftbfs.de/ksp-lt2k8.txt
-
* ksp-lt2k8.asc - participating keys (Keyring) or
+
; Keyring
-
* ksp-lt2k8.asc.bz2 - participating keys (Keyring), compressed using bzip2
+
: http://lt2k8-ksp.ftbfs.de/ksp-lt2k8.asc
 +
; Keyring (compressed using bzip2)
 +
: http://lt2k8-ksp.ftbfs.de/ksp-lt2k8.asc.bz2
 +
; Graphfile (optional)
 +
: http://lt2k8-ksp.ftbfs.de/ksp-lt2k8_20080526_1431.svg
=== Summary ===
=== Summary ===
This is what you have to bring with you:
This is what you have to bring with you:
* A '''printout of ksp-lt2k8.txt''' incl. filled-in MD5 and SHA1 hashes, check that your fingerprint is correct!
* A '''printout of ksp-lt2k8.txt''' incl. filled-in MD5 and SHA1 hashes, check that your fingerprint is correct!
-
* Some sort of a valid(!) governmental issued '''ID-Card''' (passport or similar).
+
* Some sort of valid(!) government-issued '''ID-Card''' (passport or similar).
-
* Think about creating a paper (DIN-A4, landscape) with your own listnumber on it. These papers later visibly held in front of each participant could help saving time during the line-up procedure. People might find there places within the line easier.
+
* Think about creating a nametag or printing a piece of paper (DIN-A4, landscape) with your listnumber (from ksp-lt2k8.txt) on it. This will save time lining up by allowing you to find your place in line easier.
-
If you have questions please do not hesitate to ask Karlheinz.
+
If you have questions, please do not hesitate to drop me a line: [mailto:strengATftbfs.de Karlheinz Geyer "streng"]
=== Additional Information ===
=== Additional Information ===
==== Keyservers ====
==== Keyservers ====
-
The only keyserver rotation you should use is subkeys.pgp.net or random.sks.keyserver.penguin.de if you insist. Any of the servers in this rotations is fine.  
+
The only keyservers you should use are either subkeys.pgp.net or random.sks.keyserver.penguin.de, if you insist. Any of the keyservers in these clusters are fine.  
-
Please do not use other rotations, like keyserver.net or wwwkeys.pgp.net: They all mangle keys in various ways, including but not limited to dropping subkeys, moving binding sigs around between subkeys, duplicating user ids, modifying signature subpackets (dropping non-hashed data), calculating KeyIDs wrong (for v4 RSA keys), rejecting keys with attribute UIDs (such as photo ids), or don't sync with the rest of the network.
+
Please do not use other keyservers, like keyserver.net or wwwkeys.pgp.net: They all mangle keys in various ways including, but not limited to: dropping subkeys, moving binding sigs around between subkeys, duplicating user ids, modifying signature subpackets (dropping non-hashed data), calculating KeyIDs wrong (for v4 RSA keys), rejecting keys with attribute UIDs (such as photo ids), or they don't sync with the rest of the network.
Therefore please use '''subkeys.pgp.net'''. It's a good idea to upload your key(s) to this keyserver prior to the keysigningparty, use this to do so:
Therefore please use '''subkeys.pgp.net'''. It's a good idea to upload your key(s) to this keyserver prior to the keysigningparty, use this to do so:
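Review bot: In the recital bullet the "+" line says the hashes are recited "from ksp-lt2k8.txt", which reads as if the values were printed in the file, while the earlier bullets have each participant compute the MD5 and SHA1 hashes of the file; keep "of" so it stays clear that the recited value is checked against one's own computation. In the Keyservers paragraph the rewrite replaces "rotation" with "keyservers" but then refers to "these clusters"; settle on one term, and "Any of the keyservers in these clusters are fine" should read "is fine".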
Line 62: Line 67:
==== caff ====
==== caff ====
-
CA Fire and Forget is a script that helps you in keysigning. It takes a list of keyids on the command line, fetches them from a keyserver and calls GnuPG so that you can sign it. It then mails each key to all its
+
CA Fire and Forget is a script that helps you with keysigning. It takes a list of keyids on the command line, fetches them from a keyserver and calls GnuPG so that you can sign it. It then mails each key to all its
email addresses - only including the one UID that we send to in each mail, pruned from all but self sigs and sigs done by you.
email addresses - only including the one UID that we send to in each mail, pruned from all but self sigs and sigs done by you.
-
'''Download it:''' caff (Rev. 365 2008-03-05). Homepage: http://pgp-tools.alioth.debian.org/
+
'''Download:''' caff (Rev. 365 2008-03-05). Homepage: http://pgp-tools.alioth.debian.org/
-
If you have Debian you could also install the signing-party package FreeBSD users can install the signing-party port For NetBSD users caff has its own port Depends: gnupg (>= 1.3.92), perl, libgnupg-interface-perl, libmime-perl, libmailtools-perl (>= 1.62)
+
If you have Debian you can also install the signing-party package. FreeBSD users can install the signing-party port. For NetBSD users, caff has its own port. <br>Caff dependencies: gnupg (>= 1.3.92), perl, libgnupg-interface-perl, libmime-perl, libmailtools-perl (>= 1.62)
==== gpgsigs ====
==== gpgsigs ====
-
Uli Martens wrote a small perl script that, given a key ID and ksp-lt2k8.txt tells you which keys (UIDs) you already signed by annotating the UID with (S).
+
Uli Martens wrote a small perl script that, given a key ID and ksp-lt2k8.txt, tells you which keys (UIDs) you already signed by annotating the UID with (S).
  153  [ ] Fingerprint OK        [ ] ID OK
  153  [ ] Fingerprint OK        [ ] ID OK
  (S)  pub  1024D/52698E9F 2001-11-07 Uli Martens <uli@youam.net>
  (S)  pub  1024D/52698E9F 2001-11-07 Uli Martens <uli@youam.net>
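Review bot: The rewritten caff dependency line uses a bare <br> before "Caff dependencies", while the rest of the page writes <br />; use the same form for consistency. In the caff description, "so that you can sign it" refers to a list of keyids and should be "sign them".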
Line 79: Line 84:
  (S)  uid    Uli Martens &lt;u.martens@scientific.de&gt;
  (S)  uid    Uli Martens &lt;u.martens@scientific.de&gt;
   
   
-
'''Download it:''' gpgsigs (Rev. 373 2008-03-16). Homepage: http://svn.debian.org/wsvn/pgp-tools/trunk/gpgsigs/
+
'''Download:''' gpgsigs (Rev. 373 2008-03-16). Homepage: http://svn.debian.org/wsvn/pgp-tools/trunk/gpgsigs/
It requires perl, gnupg (>=1.2.x) and either Locale::Recode (in Debian Package libintl-perl, in testing and unstable) or recode (Debian Package recode).
It requires perl, gnupg (>=1.2.x) and either Locale::Recode (in Debian Package libintl-perl, in testing and unstable) or recode (Debian Package recode).

Latest revision as of 18:01, 18 January 2010

Sitting together in cult-like fashion and murmuring magic numbers in unison.
-- Gert Döring, FdI 95

What, where & when?

At LinuxTag in Berlin there will be an OpenPGP (pgp/gpg) keysigning party.
The party will be on Friday, May 30th, at 14:00 (sharp), Workshop-Room 1.
The event organizer is Karlheinz Geyer.



Why keysigning?

Please read Chapter 2: "Why should I hold a Keysigning Party?" of the GnuPG Keysigning Party HOWTO.

How

The party will be conducted using Len Sassaman's Efficient Group Key Signing Method:

  • If you intend to participate please send your key to our keyserver:
    user@computer > gpg --keyserver hkp://lt2k8-ksp.ftbfs.de --send-key KEYID
    until Sunday, May 25th 2008 21.30 GMT. Thank you for your key submissions. No more uploads possible!
    If your entry is not listed at http://lt2k8-ksp.ftbfs.de/ksp-lt2k8.txt 30 minutes after submission, please send me an email.
  • By Tuesday, May 27th 2008, you can fetch the complete keyring with all the keys submitted and a text file ksp-lt2k8.txt containing the fingerprint of each key on the ring. For downloading the files later, please visit our keyserver at http://lt2k8-ksp.ftbfs.de.
  • At home, verify that the fingerprint of your key in ksp-lt2k8.txt is correct. Also compute the MD5 and SHA1 hashes of ksp-lt2k8.txt. One way to do this is:
    user@computer > md5sum ksp-lt2k8.txt
    user@computer > sha1sum ksp-lt2k8.txt
    or
    user@computer > gpg --print-md md5 ksp-lt2k8.txt
    user@computer > gpg --print-md sha1 ksp-lt2k8.txt
  • Use a pen and write the calculated hashes into the corresponding fields in ksp-lt2k8.txt. You'll find the fields in the top section of the list.
  • Bring a completed hardcopy of ksp-lt2k8.txt with you to LinuxTag.
  • We will recite both the MD5 and SHA1 hashes of ksp-lt2k8.txt. Verify that each recited hash matches what you computed. This guarantees that all participants possess the same list of keys.
  • In turn, each participant will stand and acknowledge that the fingerprint of his/her key listed is correct. Mark the key as verified on your hardcopy. Since we already ensured everyone has the same copy, a simple statement like "Yes, this is correct" should be sufficient.
  • The next step is to verify each participant's identity by checking his/her passport or similar identification.
  • When you get home, sign the keys which you were able to check during the party. After you sign a key, send it to its owner together with your signature. You can use caff to automate this if you wish.
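
The at-home checks from the steps above, as a small POSIX shell script (an added example, not part of the original wiki page or the organizer's tooling). The function names and the sample list are constructed for illustration, and the script assumes ksp-lt2k8.txt prints fingerprints in the "Key fingerprint = ..." layout shown in the gpgsigs sample further down.

```shell
#!/bin/sh
# Added example: the at-home checks of the keysigning procedure (POSIX sh + coreutils).

# Reduce a hash or fingerprint to bare lowercase hex, so that "gpg --print-md"
# output ("file: A999 3E36 ..."), sha1sum output and a hand-copied value compare equal.
norm_hex() {
    printf '%s' "$1" | sed 's/^[^:]*:[[:space:]]\{1,\}//' | tr -cd '0-9A-Fa-f' | tr 'A-F' 'a-f'
}

# compute_hash FILE md5|sha1 -> bare lowercase hex digest of FILE
compute_hash() {
    case "$2" in
        md5)  md5sum  < "$1" | cut -d' ' -f1 ;;
        sha1) sha1sum < "$1" | cut -d' ' -f1 ;;
        *)    return 2 ;;
    esac
}

# hash_matches FILE md5|sha1 RECITED -> 0 only if RECITED equals our own digest
hash_matches() {
    computed=$(compute_hash "$1" "$2") || return 2
    [ -n "$computed" ] && [ "$computed" = "$(norm_hex "$3")" ]
}

# fingerprint_listed LIST FINGERPRINT -> 0 if LIST carries exactly that fingerprint
fingerprint_listed() {
    want=$(norm_hex "$2")
    [ "${#want}" -eq 40 ] || return 2    # v4 fingerprint: 160 bits = 40 hex digits
    sed -n 's/^.*Key fingerprint = //p' "$1" | tr -d ' \t\r' | tr 'A-F' 'a-f' | grep -qx "$want"
}

# Constructed stand-in for ksp-lt2k8.txt; the entry is the sample from the gpgsigs section.
make_sample_list() {
    cat > "$1" <<'EOF'
153  [ ] Fingerprint OK        [ ] ID OK
pub  1024D/52698E9F 2001-11-07 Uli Martens <uli@youam.net>
     Key fingerprint = A48F 8894 37A0 FDE9 60D5  212A 2A58 CEAA 5269 8E9F
EOF
}

# Usage: sh ksp-check.sh [LIST "FINGERPRINT"]; with no arguments the constructed sample is used.
list=${1:-}; fpr=${2:-"A48F 8894 37A0 FDE9 60D5  212A 2A58 CEAA 5269 8E9F"}
if [ -z "$list" ]; then list=$(mktemp); make_sample_list "$list"; fi
if fingerprint_listed "$list" "$fpr"; then echo "fingerprint: listed"; else echo "fingerprint: NOT listed"; fi
echo "MD5:  $(compute_hash "$list" md5)"
echo "SHA1: $(compute_hash "$list" sha1)"
```

Write the two printed digests onto the hardcopy; at the party, `hash_matches ksp-lt2k8.txt sha1 "<recited value>"` accepts the value in either the sha1sum or the `gpg --print-md` notation.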

Fair play, please! A keysigning party is good for meeting others, sharing interests, and having fun; but the major goal behind the event is to strengthen the "WEB-OF-TRUST" (WoT).
That's why we ask that you finish your signing-work no later than Monday, September 1st 2008.

Downloads

Prior to the keysigning party, you should have already downloaded the following files from http://lt2k8-ksp.ftbfs.de/:

List of participants
http://lt2k8-ksp.ftbfs.de/ksp-lt2k8.txt
Keyring
http://lt2k8-ksp.ftbfs.de/ksp-lt2k8.asc
Keyring (compressed using bzip2)
http://lt2k8-ksp.ftbfs.de/ksp-lt2k8.asc.bz2
Graphfile (optional)
http://lt2k8-ksp.ftbfs.de/ksp-lt2k8_20080526_1431.svg

Summary

This is what you have to bring with you:

  • A printout of ksp-lt2k8.txt incl. filled-in MD5 and SHA1 hashes. Check that your fingerprint is correct!
  • Some sort of valid(!) government-issued ID-Card (passport or similar).
  • Think about creating a nametag or printing a piece of paper (DIN-A4, landscape) with your listnumber (from ksp-lt2k8.txt) on it. This will save time when lining up, because you can find your place in line more easily.

If you have questions, please do not hesitate to drop me a line: Karlheinz Geyer "streng"

Additional Information

Keyservers

The only keyservers you should use are either subkeys.pgp.net or random.sks.keyserver.penguin.de, if you insist. Any of the keyservers in these clusters is fine.

Please do not use other keyservers, like keyserver.net or wwwkeys.pgp.net: They all mangle keys in various ways including, but not limited to: dropping subkeys, moving binding sigs around between subkeys, duplicating user ids, modifying signature subpackets (dropping non-hashed data), calculating KeyIDs wrong (for v4 RSA keys), rejecting keys with attribute UIDs (such as photo ids), or they don't sync with the rest of the network.

Therefore please use subkeys.pgp.net. It's a good idea to upload your key(s) to this keyserver prior to the keysigning party; use this command to do so:

user@computer > gpg --keyserver subkeys.pgp.net --send-key KEYID

caff

CA Fire and Forget is a script that helps you with keysigning. It takes a list of keyids on the command line, fetches them from a keyserver and calls GnuPG so that you can sign them. It then mails each key to all its email addresses, including in each mail only the one UID that the mail is sent to, pruned of all but self sigs and sigs done by you.

Download: caff (Rev. 365 2008-03-05). Homepage: http://pgp-tools.alioth.debian.org/

If you have Debian you can also install the signing-party package. FreeBSD users can install the signing-party port. For NetBSD users, caff has its own port.
Caff dependencies: gnupg (>= 1.3.92), perl, libgnupg-interface-perl, libmime-perl, libmailtools-perl (>= 1.62)

gpgsigs

Uli Martens wrote a small perl script that, given a key ID and ksp-lt2k8.txt, tells you which keys (UIDs) you already signed by annotating the UID with (S).

153  [ ] Fingerprint OK        [ ] ID OK
(S)  pub  1024D/52698E9F 2001-11-07 Uli Martens <uli@youam.net>
     Key fingerprint = A48F 8894 37A0 FDE9 60D5  212A 2A58 CEAA 5269 8E9F
(S)  uid     Uli Martens <isax@gmx.de>
( )  uid     Uli Martens <u.martens@youam.com>
(S)  uid     Uli Martens <u.martens@scientific.de>

Download: gpgsigs (Rev. 373 2008-03-16). Homepage: http://svn.debian.org/wsvn/pgp-tools/trunk/gpgsigs/

It requires perl, gnupg (>=1.2.x) and either Locale::Recode (in Debian Package libintl-perl, in testing and unstable) or recode (Debian Package recode).
