What's a keysigning?
A key-signing is a get-together of PGP users for the purpose of
meeting other PGP users and signing each other's keys. Your signature on
someone's key is your certification that you have checked the key really
belongs to the person named in it, so every signing extends the "web of
trust". The meeting also often serves as a forum to discuss strong
cryptography and related issues.
When is this happening?
Keysignings take place immediately after every TACLUG meeting, once the
presentations have finished (usually around 4:00pm). The signing is expected
to last only 15 minutes or so.
What do I need to bring?
Required Items
- Physical attendance
- Positive picture ID
- Your key ID, key type, hex fingerprint, and key size, printed on paper (see below)
- A pen or pencil
- NO computer (if you do bring your PC, don't sign any keys during
the meeting)
Procedure to follow before attending
To prepare for keysigning, please follow these steps:
Note: if you use another application, such as PGP for Windows or Seahorse, the procedure will vary; please consult the help and documentation for your application.
Install GnuPG
Available as an RPM, a tarball, or a DEB, or from the GnuPG home page; most Linux distributions also package it as gnupg.
Create your key pair.
gpg --gen-key
With GnuPG 2.1 and later, gpg --gen-key chooses the algorithm and key size for you and asks only for your name, email address and a passphrase; run gpg --full-gen-key instead if you want to be asked about those choices. You can safely accept the defaults for algorithm and key size. I do suggest you set your key to expire, typically after one year: an expired key stops being used even if you later lose the private key or forget the passphrase, and as long as you still have the private key you can push the date out at any time with gpg --quick-set-expire <fingerprint> 1y. With --full-gen-key you are also asked for a comment; it is not mandatory and in most cases should be left blank.
You'll then be asked for a "passphrase". I strongly encourage you to visit the Diceware Passphrase Home Page before selecting one. GnuPG uses this phrase as a symmetric key to encrypt the copy of your private key stored on your hard drive, and you will be prompted for it any time you want to use your private key. Be clear about what it protects: it stops someone who copies the key file from using it, but it does nothing against malware running on your own machine while the key is unlocked.
GnuPG will then work for a while, doing the number crunching involved in creating your keys. You may be prompted to generate random activity with your mouse and/or keyboard while it is working. Eventually, it will say it's finished, resulting in:
~/.gnupg/pubring.gpg
~/.gnupg/secring.gpg
These files hold your public and private (secret) keyrings, respectively. (GnuPG 2.1 and later store them as ~/.gnupg/pubring.kbx and the directory ~/.gnupg/private-keys-v1.d/ instead.) Other keys (e.g., from other people you deal with) can be added to your public keyring. To list the contents of your public keyring:
gpg --list-keys
Also immediately do:
gpg --output revoke.asc --gen-revoke yourusername
(You can use your e-mail address instead of your username.) This writes revoke.asc in the current directory; it is a revocation certificate. You would publish it in the future if you ever need to get the word out that your key should no longer be trusted, for example because the key has been compromised or you have forgotten your passphrase. (This is why you generate the revocation certificate immediately. Presumably, you haven't forgotten your passphrase already!) Keep it somewhere safe and offline, a printed copy is fine, and guard it like the private key itself: anyone holding it can revoke your key. GnuPG 2.1 and later also write one automatically to ~/.gnupg/openpgp-revocs.d/<fingerprint>.rev, with the BEGIN line disabled by a leading colon so that it cannot be imported by accident.
Print out your keyid and fingerprint.
Bring this hard-copy print-out to the keysigning
gpg --list-keys --fingerprint <username>
The result should look something like this (the short key ID B9060243 is just the last 8 hex digits of the fingerprint; it is the full fingerprint that gets compared at the party, never the ID):
pub 1024D/B9060243 2002-07-20 Charles Mauch <cmauch@gmail.com>
Key fingerprint = 0DD1 6901 D431 16B0 0904 085E EF14 CF65 B906 0243
sub 4096g/BD9E30A1 2003-10-04 [expires: 2005-10-03]
Be sure to print out enough slips with your own fingerprint
information on them, to exchange with whomever you wish to keysign with.
Mail a copy of your public key to the organizer of the keysigning.
gpg --export --armor "your@email.address" \
> yourname.asc
Then email that file to the organizer, cmauch@taclug.org.
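The preparation steps above, run end to end as an added example (this is not the page's own script, nor TACLUG's): it generates the key non-interactively with a one-year expiry, saves the revocation certificate, writes the paper slip, and exports the armored public key to mail to the organizer. It assumes GnuPG 2.1 or later (for --quick-gen-key and the automatically written openpgp-revocs.d certificate) and uses a throwaway GNUPGHOME under the current directory so it never touches your real keyring; the file names are the script's own choices. The slip formatter is the one piece you can exercise without gpg, on the constructed sample listing embedded in the script.

```sh
#!/bin/sh
# Added example (not from the original page): the "before the party" steps
# run non-interactively against a throwaway keyring. Assumptions: GnuPG 2.1
# or later; GNUPGHOME, file names and the one-year expiry are this script's
# own choices.
set -u

# Turn the machine-readable listing of one key into the paper slip you hand
# out: "pub <size><type>/<long key id>  <user id>" plus the fingerprint in
# groups of four, in the layout the page shows. Uses the primary key's
# fingerprint (the first fpr record), never a subkey's.
slip_from_colons() {
    awk -F: '
        $1 == "pub" && fpr == "" { bits = $3; algo = $4; keyid = $5 }
        $1 == "fpr" && fpr == "" { fpr = $10 }
        $1 == "uid" && uid == "" { uid = $10 }
        END {
            if (algo == 1)       type = bits "R"       # RSA
            else if (algo == 17) type = bits "D"       # DSA
            else if (algo == 22) type = "ed25519"      # EdDSA
            else                 type = bits "/algo" algo
            spaced = ""
            for (i = 1; i <= length(fpr); i += 4)
                spaced = spaced (i > 1 ? " " : "") substr(fpr, i, 4)
            printf "pub   %s/%s  %s\n", type, keyid, uid
            printf "      Key fingerprint = %s\n", spaced
        }'
}

# Constructed sample of `gpg --with-colons --with-fingerprint --list-keys`
# output, built around the fingerprint printed on this page; the dates,
# hash field and subkey fingerprint are invented so the formatter can be
# exercised without gpg.
SAMPLE_COLONS='pub:u:1024:17:EF14CF65B9060243:1027123200:::u:::scESC::::::23::0:
fpr:::::::::0DD16901D43116B00904085EEF14CF65B9060243:
uid:u::::1027123200::0000000000000000000000000000000000000000::Charles Mauch <cmauch@gmail.com>::::::::::0:
sub:u:4096:16:11111111BD9E30A1:1065225600:1128297600:::::e::::::23:
fpr:::::::::11111111111111111111111111111111BD9E30A1:'

# Generate the key, keep the revocation certificate, write the slip and the
# armored public key.  $1 = user ID such as 'Your Name <you@example.org>'.
# The passphrase is read from stdin so it never appears on a command line.
prepare_key() {
    uid=$1
    export GNUPGHOME="${GNUPGHOME:-$PWD/keysign-demo-home}"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    # default/default = GnuPG's current default algorithm and usage flags;
    # 1y = expire after one year, as the page recommends.
    gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
        --quick-gen-key "$uid" default default 1y 1>&2 || return 1
    fpr=$(gpg --with-colons --with-fingerprint --list-keys "$uid" \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    # GnuPG 2.1+ has already written a revocation certificate. Its BEGIN
    # line starts with ':' so it cannot be imported by accident; remove that
    # colon only when you really need to revoke. Store this copy offline.
    cp "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" "revoke-$fpr.asc"
    gpg --with-colons --with-fingerprint --list-keys "$fpr" \
        | slip_from_colons > "slip-$fpr.txt"
    gpg --armor --export "$fpr" > "pubkey-$fpr.asc"
    echo "$fpr"
}

main() {
    if [ $# -lt 1 ]; then
        echo "usage: $0 'Your Name <you@example.org>'  (passphrase on stdin)" >&2
        return 0
    fi
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 1; }
    fpr=$(prepare_key "$1") || return 1
    echo "Print slip-$fpr.txt, mail pubkey-$fpr.asc to the organizer, keep revoke-$fpr.asc somewhere safe."
    cat "slip-$fpr.txt"
}
main "$@"
```

Run it as `printf '%s\n' 'your passphrase' | sh keysign-prep.sh 'Your Name <you@example.org>'` to try it on a scratch keyring; point GNUPGHOME at ~/.gnupg only once you are happy with the result. The slip is derived from --with-colons output on purpose: the human-readable listing changes layout between GnuPG versions, the colon format does not.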
Procedure to be followed at the party (and what the coordinator does)
The organizer announces the session, everyone sends their public keys
to that coordinator.
Prior to the keysigning, the organizer will print a list with
everyone's key ID, key type, fingerprint, and key size from the compiled
keyrings and distribute copies of the printout at the meeting. The
organizer will also provide the TACLUG keyring on floppy diskette to those
who ask for it, as well as make the TACLUG keyring available on this
website.
- The most current version of this form is viewable here on the taclug website.
Feel free to take a peek so you can get an idea of what you're in for!
Each person brings along a paper copy of his or her key ID, key type,
fingerprint, and key size, printed from his or her own keyring, and a
suitable photo ID.
Each person stands up, and people vouch for this person (e.g., "Yes,
this really is Chuck Wolber -- I went to school with him for 6 years, and
lived with him for 2 - he's a slob, etc, etc.")
If you're "unknown" to the group, showing people some photo ID should
be acceptable as well, but introduce yourself!
Once you're convinced that this person is who they say they are, place a
check mark next to their identity.
After being vouched for, the person standing then reads aloud his or her
key ID, key type, fingerprint, key size, and user ID from his or her own
printout, not from the distributed listing. This is because there could be
an error, intended or not, on the listing. This is also the time to say
which user IDs should be signed and which should not.
If the key information matches your printout then place a check-mark by
the key.
Procedure to follow after the party
Determine whose keys you wish to sign.
Use whatever notes you made at the keysigning. Before signing, mail each person to make sure the address in the user ID is valid and working; if you encrypt that mail to their key (as tools such as caff do), a reply also shows that they hold the matching private key.
Make sure you have a copy of the key in your keyring.
If the key resides on a key server, you can retrieve it with this command:
gpg -v --recv-keys <fingerprint>
Give the full 40-hex-digit fingerprint from your notes rather than the 8-character short key ID. A short ID is only the last 32 bits of the fingerprint, and generating a key with a chosen short ID is cheap, so a keyserver lookup by short ID can hand you an impostor's key.
If you simply wish to download the latest keyring from the TACLUG website and incorporate it into your own public keyring:
wget http://www.taclug.org/taclug.asc \
-O - | gpg --import
That download is plain HTTP, which is acceptable only because you never sign a key without first checking its fingerprint against what the owner read out at the party.
Sign the key in your local keyring.
gpg --sign-key <KeyID>
where the KeyID is the email address, key ID, or (preferably) fingerprint of the person whose key you wish to sign. gpg shows the fingerprint and asks you to confirm; compare it against your paper notes once more before answering. --sign-key signs every user ID on the key; if the owner asked you to sign only some of them, use gpg --edit-key <KeyID>, select a user ID with uid N, then run sign.
You will be prompted for your passphrase since you're using your private key to do the signing.
Send the key back to the owner.
You would likely do this through the same mechanism through which you originally received the key. If the owner mailed you a copy of the key, you would mail it back.
After running this command,
gpg --export --armor --output keyfile.asc \
<username>
mail the keyfile.asc to the owner of the key.
If you retrieved it from a key server, you would put the key back onto the keyserver; your new signature will be transported along with it.
gpg --send-keys <KeyID>
Note that some keyservers, keys.openpgp.org among them, do not distribute third-party signatures at all, so mailing the signed key to its owner is the reliable route in any case.
If you retrieved the key from the TACLUG keyring, please email the signed key back to its owner and to the coordinator, cmauch@taclug.org.
Remember, the usernames listed above are those of the owner of the key you are signing, not your own.
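The steps after the party, as an added example that is not the page's own script: it reads the fingerprint out of the key file before importing it, refuses to proceed unless that fingerprint is a full 40-digit fingerprint identical to the one in your notes (a short or long key ID in the notes is rejected outright, which goes a little beyond what the text asks), certifies the key, exports it, and encrypts the result to the key so that only its holder can import it. It assumes GnuPG 2.1.23 or later (for --show-keys and --quick-sign-key), that the key arrived as an armored file, and that your own signing key is the default key in your normal keyring; file names are the script's own.

```sh
#!/bin/sh
# Added example (not from the original page): the "after the party" steps,
# with the fingerprint check done by the script rather than by eye.
# Assumptions: GnuPG 2.1.23 or later; the key is an armored file; your own
# default signing key is in your normal keyring; file names are ours.
set -u

# Strip the spacing used on paper slips and fold to upper case so the slip
# and gpg's output compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Only a full 40-hex-digit (v4) fingerprint is accepted. 8- and 16-digit key
# IDs are just the tail of the fingerprint and keys with a chosen short ID
# are cheap to make, so they must never be what you verify against.
is_full_fpr() {
    printf '%s' "$1" | grep -Eq '^[0-9A-F]{40}$'
}

# Exit status 0 when both are full fingerprints and identical.
fpr_matches() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    is_full_fpr "$a" && is_full_fpr "$b" && [ "$a" = "$b" ]
}

# Primary-key fingerprint of the first key in an armored file, read without
# importing anything.
fpr_in_file() {
    gpg --with-colons --with-fingerprint --show-keys "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# $1 = key file, $2 = fingerprint copied from your notes, remaining
# arguments = user IDs to sign (none = all of them).
sign_and_export() {
    keyfile=$1
    slip=$2
    shift 2
    fpr=$(fpr_in_file "$keyfile")
    if ! fpr_matches "$fpr" "$slip"; then
        echo "refusing to sign: key has fingerprint '$fpr', notes say '$slip'" >&2
        return 1
    fi
    gpg --import "$keyfile" || return 1
    # Certify the key (you are prompted for your own passphrase). Listing
    # user IDs limits the signature to the ones the owner asked for.
    gpg --yes --quick-sign-key "$fpr" "$@" || return 1
    gpg --armor --export "$fpr" > "signed-$fpr.asc"
    # Encrypt the result to the key you just signed, so only someone holding
    # the matching private key and reading that mailbox can import it.
    gpg --yes --armor --trust-model always --recipient "$fpr" \
        --output "signed-$fpr.asc.gpg" --encrypt "signed-$fpr.asc" || return 1
    echo "signed-$fpr.asc.gpg"
}

main() {
    if [ $# -lt 2 ]; then
        echo "usage: $0 key.asc 'FINGERPRINT FROM YOUR NOTES' [user-id ...]" >&2
        return 0
    fi
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 1; }
    out=$(sign_and_export "$@") || return 1
    echo "mail $out to the key's owner"
}
main "$@"
```

Typical use: `sh keysign-after.sh alice.asc '0DD1 6901 D431 16B0 0904 085E EF14 CF65 B906 0243' 'alice@example.org'`, with the fingerprint typed from the slip you ticked at the party, not pasted from the key file or the distributed listing. If the owner mailed you the key, mail the .gpg file back; if it came from a keyserver you can additionally --send-keys it, bearing in mind that some keyservers drop third-party signatures.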
I maintain a bunch of scripts which may help automate this process at http://www.taclug.org/~cmauch/crypto/. Feel free to modify and play with them to your heart's content.
You may also want to establish a Key Signing Policy for yourself. You can take a look at mine at http://www.taclug.org/~cmauch/crypto/gpgpolicy.txt and adapt this to your needs as well.
Why shouldn't I use a computer during the party?
There are a variety of reasons why you don't want to do this. The short
answer is it would be insecure, unsafe, and of no benefit. For those not
convinced, here are some reasons why it is insecure, unsafe, and of no
benefit.
- Someone might have modified the computer's programs, operating system, or hardware to steal or modify keys.
- If people are swapping disks with their keys on them the computer owner has to worry about viruses.
- If people are carrying their secret keys with them and intend to do
the signing at the actual meeting by typing their passphrase into a
computer, then they are open to key-logging attacks, shoulder-surfing, etc.
- It is much better to just exchange key details and verify ID and then do the signing when you get home to your own trusted computer.
- Someone might spill beer on it. ;)
- Someone might drop it or knock it off the table.
- More reasons I don't feel like articulating.
Note: Nobody is going to have a problem if you bring your computer to the TACLUG meeting - but if you do, do not sign keys while you're there!!!
Other questions about signing keys?
You may want to read the Keysigning Party
Howto which includes an explanation of the concepts behind keysigning,
instructions for hosting a keysigning party, instructions for participating in
a keysigning party, and step by step instructions for signing others' keys.
A good simple document called How to not look lost at a key-signing was written to help ease your confusion.
If you're looking for quick answers you may want to look to the questions
and answers below, which all come from the PGP FAQ. It also has a lot of
other good information, besides what is linked to below.
Other useful PGP links
A few more links for PGP newbies, or those who wish to reacquaint
themselves.
Neat Graphical Stuff
Gathering more trust with every meeting, take a look at who has signed keys in the TACLUG's web of trust in a neat graph, or click on the image below for a large map.
Graph generated with sig2dot. The scripts used to run sig2dot and compile the various charts needed for a keysigning can be found here
Created with neato
Created with springgraph
Created with povray
View/Download the ascii armored output of the TACLUG keyring
What if I still have a question?
If you'd like some help answering it, you can contact the event
coordinator, Charles Mauch via email at cmauch@taclug.org.