[ale] PGP/GPG Keysigning party! ALE Central November 19th. (Mac OSeX prep)

Richard Bronosky Richard at Bronosky.com
Mon Nov 2 12:47:29 EST 2009


The macgpg stuff is a mess. I suggest installing MacPorts and then:
sudo port install gnupg2

On Mon, Nov 2, 2009 at 12:26 PM, aaron <aaron at pd.org> wrote:
> This past weekend I dove into doing my homework for the Key
> signing party at the November 19th ALE meeting.  To follow
> Michael's recommendation of generating an RSA / RSA pair
> using Mac OSeX requires the latest GnuPG2 packages.
>
> I found them at:
>
> <http://sourceforge.net/projects/macgpg2/files/>
>
> It's a simple unzip / mpkg install, but requires OSeX 10.4.x
> or better.  Though not explicitly stated, it seems to be a
> Universal binary since it installs and runs on my PPC systems
> without issue.
>
> With Mac gpg2, RSA / RSA is the default 1st choice of --gen-key
> Other useful info and GUI based MacGPG tools can be found at:
> <http://macgpg.sourceforge.net/>
>
> Also, in trying to do a write up for the event, I found a
> very informative "How To [GPG] Party" page that covers a lot
> of aspects of the WHY as well as the HOW of the web of trust
> and such...
>
> <http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html>
>
> HTH!
> peace
> aaron
>
> On 2009, Oct, 27, , at 9:14 PM, Michael H. Warfield wrote:
>> Hello all!
>>
>> Aaron approached me a couple of days ago about running a PGP/GPG key
>> signing party for the November ALE meeting.  Looking back, it looks like
>> the last one was 6-1/2 years ago!  Wow, time flies...  Ok...  So be it.
>>
>> I will do a VERY BRIEF intro to public key cryptography before the
>> meeting but a successful key signing party depends on preparation in
>> advance on the part of the participants!  Even well organized keysigning
>> parties can degenerate into chaos very easily.  Do not come to the
>> meeting looking to learn how to create a new key.  You should have your
>> keys ready in advance.  If not, still come, but understand that you'll
>> learn something about PGP but you probably won't walk away with keys or
>> signatures.
>>
>> To make this go smoothly, I will collect keys in advance of the meeting
>> and print out sheets with key fingerprints.  That saves an incredible
>> amount of time and effort during the actual meeting and gives me an idea
>> of how many keys to expect and copies to make.  It also permits me to
>> have a collected keyring I can make available to everyone after the
>> meeting.  Please expect to provide at least one photo id which will be
>> projected on a screen for everyone to see (sensitive numbers will be
>> blacked out with tape).  Driver's license or passport are preferred.
>>
>> With recent developments in cryptography, some doubt is being cast on
>> the DSS/DSA keys.  Debian folks are strongly recommending a return to
>> RSA keys and have some "procedures" in place for this.
>>
>> http://www.debian-administration.org/users/dkg/weblog/48
>>
>> If you are thinking it's time to dump off the old DSS/DSA keys and
>> migrate back to an RSA 2048 bit key, now is the time as well.  My older
>> RSA 1024 bit key is still active and I have a DSS/DSA key as well but
>> these are both being relegated to "legacy" and I now have a 2048/R key
>> (0x674627FF).  I'm not invalidating my old keys but I will only now be
>> using them for key signing (my 0xDF1DD471 key is in the web of trust
>> book and still in the PGP strong set).
>>
>> If you're not running the latest GnuPG, which should now be defaulting
>> to RSA/RSA keys, it can get a little bit tricky to create a new style
>> RSA key.  With older (default DSS/DSA) versions of GnuPG, you should
>> create a new key but don't accept the default DSA and select "RSA (sign
>> only)" key instead.  Once the key is created, edit that key and add an
>> RSA encryption key to it.
>>
>> Better yet, update your GnuPG and the default will create the new key
>> like you want (RSA and RSA - sign and encrypt).  If you don't have a
>> current key and you don't know what any of this is about, that's fine.
>> Just create a new RSA key for yourself (if it says RSA and RSA - TAKE
>> THAT OPTION).  If you don't see that option available, ask for help or
>> update your system first.
>>
>> What I need from YOU!  Well in advance of the meeting, please send your
>> PGP public keys to alekeyparty at wittsend.com.  If you do not have a PGP
>> key and are just looking to get started, the time to start is right now!
>> The time is NOT at a key signing party.  This list has some very bright
>> folks on it who can help you out if you are having difficulties.  I will
>> try to answer questions as best I can, but ask them now.
>>
>> Last time, we had a few people who did not submit their keys in advance.
>> That's fine as long as it's not excessive or we will be there all night.
>> At the very least, if you don't submit your keys in advance, your keys
>> must be on the public keyservers and you should come with printouts of
>> your key fingerprint.  I have business cards on which I have my key
>> fingerprints printed.  Some people use little strips of paper.  All of
>> that is fine but it should be on "dead trees edition" and enough copies
>> so you can pass them out and people can make notes on them.
>>
>> Procedure at the meeting...  People who submitted their keys go first.
>> We will pass out the preprinted sheets and then call people up to
>> project their id's.  The audience can then take notes on the sheets that
>> they have confirmed their identification (anyone not showing up
>> obviously is not confirmed AND SHOULD NOT BE SIGNED).  After that,
>> anyone with keysigning cards or other information to pass out can go
>> from there.  Anyone not prepared, we'll do what we can but you pays your
>> nickel and you takes your chance.
>>
>> Procedure after the meeting...  I'll update MY keyring with any last
>> minute additions, clean out the "no shows", and then make an
>> announcement to the list.  You can then download that keyring and sign
>> those keys which you feel comfortable that you confirmed their identity.
>> You can then submit them to a public key server or send them back to the
>> same E-Mail address above and I'll submit them in bulk.
>>
>> Any questions, please feel free to ping me but please do it early.
>> We've only got about 3 weeks before this thing.
>>
>> Side note.  I'm looking into also including a CA-Cert web of trust
>> verification.  That's for X.509 certificates from CA-Cert
>> <http://www.cacert.org>.  If you are interested, go up to their site and
>> see what the deal is there.  Being preregistered with them helps.  You
>> can get free X.509 S/Mime certificates and register OpenID with them.
>> That all depends on me getting some additional CA-Cert "assurers"
>> involved (there are several in the area).  We did this at USENIX Lisa a
>> couple of years back and it works in real well with a keysigning party.
>> I'll post more details once I know more, if I can pull that off.
>>
>> Regards,
>> Mike
>> --
>> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
>>    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>>    NIC whois: MHW9          | An optimist believes we live in the best of all
>>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>
>



-- 
.!# RichardBronosky #!.
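
An added example, not part of either message above: one way to turn the annotated fingerprint sheet from the meeting into a sign / do-not-sign list for the keyring downloaded afterwards. It parses `gpg --with-colons --fingerprint` output; the listing, names, fingerprints and the function names are all constructed for illustration.

```python
import re

# Constructed `gpg --with-colons --fingerprint` listing of the downloaded party
# keyring; every key, fingerprint and name below is made up for this example.
KEYRING_LISTING = """\
pub:-:2048:1:6D7E8F9001122334:1257033600:::-:::scESC:
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F9001122334:
uid:-::::1257033600::::Alice Example <alice@example.org>:
sub:-:2048:1:1020304050607080:1257033600::::::e:
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAA1020304050607080:
pub:-:2048:1:C3D2E1F0DEADBEEF:1257120000:::-:::scESC:
fpr:::::::::0F1E2D3C4B5A69788796A5B4C3D2E1F0DEADBEEF:
uid:-::::1257120000::::Bob Example <bob@example.org>:
pub:-:2048:1:DDCCBBAA55667788:1257206400:::-:::scESC:
fpr:::::::::99887766554433221100FFEEDDCCBBAA55667788:
uid:-::::1257206400::::Carol Example <carol@example.org>:
"""
# Constructed sheet notes: (name, fingerprint as printed, photo ID confirmed?)
SHEET = [
    ("Alice", "A1B2 C3D4 E5F6 0718 293A  4B5C 6D7E 8F90 0112 2334", True),
    ("Bob",   "0F1E 2D3C 4B5A 6978 8796  A5B4 C3D2 E1F0 DEAD BEEF", False),  # no-show
    ("Carol", "9988 7766 5544 3322 1100  FFEE DDCC BBAA 5566 7789", True),   # last digit differs
]

def normalize(printed):
    """Reduce a printed fingerprint to 40 hex digits; reject anything shorter."""
    fpr = re.sub(r"^0X", "", re.sub(r"[\s:]", "", printed).upper())
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a full 160-bit fingerprint: %r" % printed)
    return fpr

def keyring_fingerprints(listing):
    """Map each primary-key fingerprint to its first user ID (field 10)."""
    keys, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = None                    # next fpr record is the primary key's
        elif f[0] == "fpr" and current is None:
            current = f[9]
            keys[current] = None
        elif f[0] == "uid" and current and keys[current] is None:
            keys[current] = f[9]
    return keys

def keys_to_sign(listing, sheet):
    """Sign only on an exact fingerprint match plus a confirmed identity."""
    ring, decisions = keyring_fingerprints(listing), {}
    for name, printed, id_confirmed in sheet:
        fpr = normalize(printed)
        if fpr not in ring:
            decisions[name] = "SKIP: fingerprint on sheet not in keyring"
        elif not id_confirmed:
            decisions[name] = "SKIP: identity not confirmed at the meeting"
        else:
            decisions[name] = "SIGN " + fpr
    return decisions
```

An 8-digit key ID such as those quoted in the announcement is rejected by `normalize`, since only the full fingerprint is compared.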


