[ale] Keysigning get-together?

Michael B. Trausch mike at trausch.us
Fri Oct 21 15:39:09 EDT 2011


On Fri, Oct 21, 2011 at 03:21:24PM -0400, Scott Castaline wrote:
> I might be interested. When? I have to admit I need to familiarize
> myself more with it, so if anyone has any pointers, they would be
> well taken.

Getting started is simple.  GnuPG is installed by default on most
GNU/Linux distributions, and most mail clients are able to handle it.
GNOME also has support for it built-in.

To get started, basically:

 * Create a key pair.  You can do this using the command "gpg
   --gen-key".

   * Choose "RSA and RSA", which is preferred.

   * Use at least 2,048 bits for the keysize.

   * GENERATE THE KEY WITH AN EXPIRATION DATE.  This will ensure that
     the key has (note: VERY) limited protection against loss, because
     people will not use a key if it has expired.  I used to generate
     mine annually.  My last set was for 6 years, my current set will
     work until 2015, and at that point I plan to generate a keypair
     for 10 years.  Do whatever is best for you, but keep in mind
     that the more frequently you generate your keys, the more
     frequently you will have to get them signed by others.

     I'd say somewhere between 5 and 10 years is reasonable.

   * Use your real name ("First Last" or "First M. Last") on your key,
     as this will be what is verified in person at the keysigning.

   * Choose a strong PASS PHRASE for your key.  I typically make mine
     an entire sentence that has no fewer than 6 words.  Find a way to
     include numbers and punctuation, of course.  But do it such that
     YOU will remember it and nobody can GUESS it.  The point of using
     such a long pass PHRASE is that the encryption of the private key
     cannot feasibly be brute-forced (the pass phrase protects the
     private key).

   * After you have generated your key pair, GENERATE A REVOCATION
     CERTIFICATE FOR THE KEY.  This is important.  It is also
     important that you KEEP THE REVOCATION CERTIFICATE SECURE.  The
     revocation certificate can be used to revoke your key, to inform
     others that it should no longer be used.  What I typically do is
     print mine out and put it in a secure location.  If you have a
     safe, that would probably be fine.

     Anyone who gets their hands on the revocation certificate can
     type it in and use it to invalidate your key, so do not store it
     anywhere.  It is a very powerful little bugger, but it is utterly
     necessary if you ever lose your private keys to tell people that
     you can no longer use those keys.

If you need more assistance, of course, ask!  :)

	--- Mike
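The steps in the message above, scripted with GnuPG's unattended key-generation parameter file and `--gen-revoke`; this is an added example, not part of the original post. It assumes a stock gpg 2.x on PATH (which prompts for the pass phrase through the agent); the name, e-mail address and 5-year expiry are constructed sample values.

```shell
#!/bin/sh
# Added example: scripts the key-generation advice above with GnuPG.
# Assumes gpg 2.x is installed; name/e-mail/expiry below are sample values.
set -e

# Write a GnuPG batch parameter file for an "RSA and RSA" 2048-bit key pair
# with a real name and an expiration date, as recommended above.
make_batch() {  # $1=real name  $2=e-mail  $3=expiry (e.g. 5y)  $4=output file
    cat >"$4" <<EOF
%echo Generating key for $1
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $1
Name-Email: $2
Expire-Date: $3
%commit
%echo done
EOF
}

# Check a pass phrase against the rule of thumb above: at least six words,
# with at least one digit and one punctuation character. Returns 0 or 1.
check_passphrase() {
    words=$(printf '%s\n' "$1" | wc -w | tr -d ' ')
    [ "$words" -ge 6 ] || return 1
    printf '%s' "$1" | grep -q '[0-9]' || return 1
    printf '%s' "$1" | grep -q '[[:punct:]]' || return 1
    return 0
}

# Generate the key pair, then immediately write an ASCII-armored revocation
# certificate; print it and store it offline, then delete the file.
generate_keypair() {  # $1=batch file  $2=e-mail (selects the new key)
    gpg --batch --gen-key "$1"
    gpg --armor --output "revoke-$2.asc" --gen-revoke "$2"
    echo "Revocation certificate written to revoke-$2.asc; store it offline."
}

# Sample usage (constructed values):
#   make_batch "Jane Example" "jane@example.org" 5y gen.batch
#   check_passphrase 'the quick red fox jumped 7 fences, twice!' && \
#       generate_keypair gen.batch jane@example.org
```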
