|
|
| Line 4: |
Line 4: |
| | === What, where & when? === | | === What, where & when? === |
| | | | |
| - | At LinuxTag in Berlin there will be an OpenPGP (pgp/gpg) keysigning party.<br /> | + | At LinuxTag in Berlin there has been always an OpenPGP (pgp/gpg) keysigning party.<br /> |
| - | The party will be on '''Friday, May 30th, at 14:00 (sharp), Workshop-Room 1'''.<br />
| + | It has not been decided yet, if there will be a party this year. |
| - | The event organizer is [mailto:strengATftbfs.de Karlheinz Geyer].
| + | |
| | | | |
| - | | + | For further information, please see the last year's [[Keysigning_2008|Keysigning Party]] page. |
| - | __TOC__
| + | |
| - | | + | |
| - | === Why keysigning? ===
| + | |
| - | Please read Chapter 2: "Why should I hold a Keysigning Party?" of the [http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html GnuPG Keysigning Party HOWTO].
| + | |
| - | | + | |
| - | === How ===
| + | |
| - | The party will be conducted using Len Sassaman's Efficient Group Key Signing Method:
| + | |
| - | * If you intend to participate please send your key to our keyserver:
| + | |
| - | user@computer > gpg --keyserver hkp://lt2k8-ksp.ftbfs.de --send-key KEYID
| + | |
| - | : until <s>Sunday, May 25th 2008 21.30 GMT</s> <span style="background-color:yellow;">'''Thank you for your key submissions. No more uploads possible!'''</span>.<br /> If your entry is not listed at http://lt2k8-ksp.ftbfs.de/ksp-lt2k8.txt 30 minutes after submission, please send me an [mailto:strengATftbfs.de email].
| + | |
| - | | + | |
| - | * By Tuesday, '''<big>May 27th 2008</big>''', you can fetch the complete keyring with all the keys submitted and a text file ''ksp-lt2k8.txt'' containing the fingerprint of each key on the ring. For downloading the files later, please visit our keyserver at http://lt2k8-ksp.ftbfs.de.
| + | |
| - | * At home, verify that the fingerprint of your key in ksp-lt2k8.txt is correct. Also compute the MD5 and SHA1 hashes of ksp-lt2k8.txt. One way to do this is:
| + | |
| - | user@computer > md5sum ksp-lt2k8.txt
| + | |
| - | user@computer > sha1sum ksp-lt2k8.txt
| + | |
| - | : or
| + | |
| - | user@computer > gpg --print-md md5 ksp-lt2k8.txt
| + | |
| - | user@computer > gpg --print-md sha1 ksp-lt2k8.txt
| + | |
| - | * Use a pen and write the calculated hashes into the corresponding fields in ksp-lt2k8.txt. You'll find the fields in the top section of the list.
| + | |
| - | * Bring a completed hardcopy of ksp-lt2k8.txt with you to LinuxTag.
| + | |
| - | * We will recite both the MD5 and SHA1 hashes from ksp-lt2k8.txt. Verify that the recited hash matches what you computed. This guarantees that all participants possess the same list of keys.
| + | |
| - | * In turn, each participant will stand and acknowledge that the fingerprint of his/her key listed is correct. Mark the key as verified on your hardcopy. Since we already ensured everyone has the same copy a simple statement like "Yes, this is correct" should be sufficient.
| + | |
| - | * The next step is to verify each participant's identity by checking his/her passport or similar identification.
| + | |
| - | * When you get home, sign the keys which you were able to check during the party. After you sign a key, send it to its owner together with your signature. You can use caff to automate this if you wish.
| + | |
| - | | + | |
| - | <span style="background-color:yellow;">
| + | |
| - | <big>Fair play, please!</big> A keysigning party is good for meeting others, sharing interests, and having fun; but the major goal behind the event is to strengthen the '''"WEB-OF-TRUST" (WoT)'''.<br /> That's why we ask that you finish your signing-work no later than '''<big>Monday, September 1st 2008.</big>'''</span>
| + | |
| - | | + | |
| - | === Downloads ===
| + | |
| - | Prior to the keysigning party, you should have already downloaded the following files from http://lt2k8-ksp.ftbfs.de/:
| + | |
| - |
| + | |
| - | ; List of participants
| + | |
| - | : http://lt2k8-ksp.ftbfs.de/ksp-lt2k8.txt
| + | |
| - | ; Keyring
| + | |
| - | : http://lt2k8-ksp.ftbfs.de/ksp-lt2k8.asc
| + | |
| - | ; Keyring (compressed using bzip2)
| + | |
| - | : http://lt2k8-ksp.ftbfs.de/ksp-lt2k8.asc.bz2
| + | |
| - | ; Graphfile (optional)
| + | |
| - | : http://lt2k8-ksp.ftbfs.de/ksp-lt2k8_20080526_1431.svg
| + | |
| - | | + | |
| - | === Summary ===
| + | |
| - | This is what you have to bring with you:
| + | |
| - | * A '''printout of ksp-lt2k8.txt''' incl. filled-in MD5 and SHA1 hashes, check that your fingerprint is correct!
| + | |
| - | * Some sort of valid(!) government-issued '''ID-Card''' (passport or similar).
| + | |
| - | * Think about creating a nametag or printing a piece of paper (DIN-A4, landscape) with your listnumber (from ksp-lt2k8.txt) on it. This will save time lining up by allowing you to find your place in line easier.
| + | |
| - | | + | |
| - | If you have questions, please do not hesitate to drop me a line: [mailto:strengATftbfs.de Karlheinz Geyer "streng"]
| + | |
| - | | + | |
| - | === Additional Information ===
| + | |
| - | ==== Keyservers ====
| + | |
| - | The only keyservers you should use are either subkeys.pgp.net or random.sks.keyserver.penguin.de, if you insist. Any of the keyservers in these clusters are fine.
| + | |
| - | | + | |
| - | Please do not use other keyservers, like keyserver.net or wwwkeys.pgp.net: They all mangle keys in various ways including, but not limited to: dropping subkeys, moving binding sigs around between subkeys, duplicating user ids, modifying signature subpackets (dropping non-hashed data), calculating KeyIDs wrong (for v4 RSA keys), rejecting keys with attribute UIDs (such as photo ids), or they don't sync with the rest of the network.
| + | |
| - | | + | |
| - | Therefore please use '''subkeys.pgp.net'''. It's a good idea to upload your key(s) to this keyserver prior to the keysigningparty, use this to do so:
| + | |
| - | user@computer > gpg --keyserver subkeys.pgp.net --send-key KEYID
| + | |
| - | | + | |
| - | ==== caff ====
| + | |
| - | CA Fire and Forget is a script that helps you with keysigning. It takes a list of keyids on the command line, fetches them from a keyserver and calls GnuPG so that you can sign it. It then mails each key to all its
| + | |
| - | email addresses - only including the one UID that we send to in each mail, pruned from all but self sigs and sigs done by you.
| + | |
| - | | + | |
| - | '''Download:''' caff (Rev. 365 2008-03-05). Homepage: http://pgp-tools.alioth.debian.org/
| + | |
| - | | + | |
| - | If you have Debian you can also install the signing-party package. FreeBSD users can install the signing-party port. For NetBSD users, caff has its own port. <br>Caff dependencies: gnupg (>= 1.3.92), perl, libgnupg-interface-perl, libmime-perl, libmailtools-perl (>= 1.62)
| + | |
| - | | + | |
| - | ==== gpgsigs ====
| + | |
| - | | + | |
| - | Uli Martens wrote a small perl script that, given a key ID and ksp-lt2k8.txt, tells you which keys (UIDs) you already signed by annotating the UID with (S).
| + | |
| - | 153 [ ] Fingerprint OK [ ] ID OK
| + | |
| - | (S) pub 1024D/52698E9F 2001-11-07 Uli Martens <uli@youam.net>
| + | |
| - | Key fingerprint = A48F 8894 37A0 FDE9 60D5 212A 2A58 CEAA 5269 8E9F
| + | |
| - | (S) uid Uli Martens <isax@gmx.de>
| + | |
| - | ( ) uid Uli Martens <u.martens@youam.com>
| + | |
| - | (S) uid Uli Martens <u.martens@scientific.de>
| + | |
| - |
| + | |
| - | '''Download:''' gpgsigs (Rev. 373 2008-03-16). Homepage: http://svn.debian.org/wsvn/pgp-tools/trunk/gpgsigs/
| + | |
| - | | + | |
| - | It requires perl, gnupg (>=1.2.x) and either Locale::Recode (in Debian Package libintl-perl, in testing and unstable) or recode (Debian Package recode).
| + | |
At LinuxTag in Berlin there has been always an OpenPGP (pgp/gpg) keysigning party.
It has not been decided yet, if there will be a party this year.
