[ale] Reminder: ALE PGP Keysigning Party
Michael H. Warfield
mhw at wittsend.com
Sun Jan 19 21:37:01 EST 2003
OK folks...
Yes, I'll be sending out a couple of reminders leading up to the
PGP Keysigning party on February 13th.
So far, I've only gotten a couple of keys in. Once I get a few
more in, I'll set up a web page for people to check the fingerprints and
ID's of those who have sent keys in. When that's up, you can check that
your key was received a little while after sending it. It will be a
password protected page to protect the fingerprint listing from spam
harvestors and I'll post that information as well.
In the mean time, I'm off to LinuxWorld for the next few days to
teach a couple of tutorials on Tuesday and a session on Forensics on
Wednesday.
As before, attached below are the PGP keysigning party instructions.
Send in those PGP keys!
Regards,
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
==============================================================================
As promised at last Thursday's ALE meeting, here are the instructions
for submitting your PGP/GPG keys for the upcoming keysigning party,
scheduled for Thursday, February 13, 2003 at Emory.
I will repost this a couple of times between now at the meeting
but I strongly recommend that you submit your keys early so we have a
good idea of how many may be attending.
TIA!
==============================================================================
The following is based on [IOW, blantently plagiarized from and
paraphrased] the keysigning party instructions from Ted Tso <tytso at mit.edu>
and his pgp keysigning parties at the quarterly IETF meetings which is, in
turn, based on the keysigning party outline by Derek Atkins <warlord at mit.edu>,
which I posted in an earlier message.
==============================================================================
We will be holding a PGP Key signing party at the monthly ALE meeting on
the evening of Thursday February 13 beginning at 7:30 at Emory University.
The procedure we will use is the following:
o People who wish to participate should email an ASCII extract of their
PGP public key to <mhw at wittsend.com> by noon on Thursday, February 13,
2003. Please include a subject line of "ALE PGP KEY", and please
avoid MIME-encrypting your e-mail. (I will be processing the keys
based on the subject by procmail through GPG 1.2.1, anything which GPG
can not interpret will be ignored unless I take manual action to fix
things, which I will try to do but make no guarantees about doing.)
I have procmail set to catch "ALE PGP KEY" or "ALE GPG KEY" in a
case insensitive manner with relatively soft matches on variable
spaces and references (Re: AW:, etc). If it's reasonably close
to the subject string, it should catch it. If it doesn't I should
catch it and manually feed it in but, again, I'm making no guarantees.
The method of generating the ASCII extract under Unix is:
pgp -kxa my_email_address mykey.asc (pgp 2.6.2)
pgpk -xa my_email_address > mykey.asc (pgp 5.x)
gpg --export -a my_email_address > mykey.asc (gpg)
If you're using Windows or Macintosh, hopefully it will be Intuitively
Obvious (tm) using the GUI interface how to generate an ASCII armored
key that begins "-----BEGIN PGP PUBLIC KEY BLOCK-----".
o By 6pm on Thursday, you will be able to fetch a complete key ring
from the following URL with all of the keys that were submitted:
http://www.wittsend.com/mhw/2003/ale.pgp
You do NOT need to retrieve the keyring prior to attending the
meeting. You do not have to sign any keys at the meeting itself and
any verification sheets or information will be handed out in printed
form.
o At 7:30pm, come prepared with the PGP Key fingerprint of your PGP
public key; we will have handouts with all of the key fingerprints of
the keys that people have mailed in. There should be enough copies of
the handouts to cover everyone who has submitted keys plus some
additional copies.
o In turn, readers at the front of the room will recite people's keys;
as your key fingerprint is read, stand up and present some form of
picture identification for projection and verification, and at the
end of reading of your PGP key fingerprint, acknowledge that the
fingerprint as read was correct.
o As each key is announced and acknowledged, those in the audience, should
note on their handouts that the fingerprint was read and verified by the
owner, and the owner presented confirmation of his identity.
o Later that evening, or perhaps when you get home, you can sign the
keys corresponding to the fingerprints which you were able to verify
on the handout; note that it is advisable that you only sign keys of
people when you have personal knowledge that the person who stood up
during the reading of his/her fingerprint really is the person which
he/she claimed to be.
o Submit the keys you have signed to the PGP keyservers. A good one to
use is the one at MIT, pgp.mit.edu:
To submit a key to pgp.mit.edu by E-Mail, simply send mail containing
the ascii armored version of your PGP public key to <pgp at pgp.mit.edu>.
You can also submit keys directly to the keyservers from GPG to the
keyservers as follows:
gpg --send-keys {keyid} {keyid} {keyid} ...
You can specify the keyserver (for example, wwwkeys.us.pgp.net) on the
command line as follows:
gpg --keyserver hkp://wwwkeys.us.pgp.net {keyid} {keyid} {keyid} ...
You may also, optionally, E-Mail the signed key back to the owner,
but the keyservers are the preferred method.
Note: You don't have to have a laptop with you; if you don't have
any locally trusted computing resources during the key signing party,
you can make notes on the handout, and then take the handout home and
sign the keys later.
Caveats: A PGP keysigning party is NOT the time to generate a new key.
If you don't already have a PGP/GPG key, generate one now and submit
the public key for inclusion. If you need assistance in generating a
key, the time to ask is NOW, not then. If you have not submitted a
key but show up with keysigning cards, you may have time to pass them
out and we might get to you after all the submitted keys are done, or you
may not and we might now. If you have not submitted a key and don't even
have printed keysigning cards, you will probably be out of luck, this
time around, so please be prepared and submit your keys. If you don't
submit your key, it will NOT be on the downloadable keyring signers will
have to independently retrieve it and you will be on your own.
Regards,
Mike
PGP signature
More information about the Ale
mailing list