Difference between revisions of "Keysigning party"
Revision as of 11:48, 2 November 2013
Note: This page is for planning a keysigning party hosted by LUG@UCLA.
A keysigning party is an event for helping people verify each other's PGP keys and strengthening the web of trust.
- take control of your privacy
- meet other interesting members of the privacy-aware community
- learn about cryptography technologies widely used in industry
- eat pizza
LUG@UCLA's keysigning party uses a slightly modified version of the Sassaman-Efficient method.
- Where: Boelter Hall 4760
- When: TBA
- Generate your PGP keypair if you haven't already:
$ gpg --gen-key
WARNING: make sure you understand the implications of holding a private key, e.g. generate it only on a computer that you own and have full control over.
- Sync your public key with the keyservers:
$ gpg --send-keys <your key ID>
WARNING: this is irreversible. Make sure you are prepared to protect your private key and you are using a very strong passphrase.
- Figure out your key fingerprint and RSVP:
$ gpg --fingerprint <your name or key ID>
- Go to RSVP page: https://linux.ucla.edu/keysigning/
- 24 hours before the party, we will make available the final keylist and keylist checksum which you should download:
$ wget https://linux.ucla.edu/keysigning/keylists/keylist.txt
$ wget https://linux.ucla.edu/keysigning/keyrings/keylist.txt.sha1
- Make sure your key fingerprint is on the list next to your name.
- Locally verify the checksum:
$ sha1sum --check keylist.txt.sha1
- Append the checksum to the bottom of keylist.txt:
$ cat keylist.txt.sha1 >>keylist.txt
- Print keylist.txt and keep it safe.
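The checksum and fingerprint checks in the steps above can be scripted as one function. This is an added example, not part of the original page; it assumes keylist.txt shows fingerprints the way `gpg --fingerprint` prints them, and the names and fingerprints in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes keylist.txt shows each
# fingerprint the way `gpg --fingerprint` prints it (space-separated hex groups).

# Remove whitespace and upper-case hex so both spellings compare equal.
normalize() { printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'; }

# check_keylist KEYLIST SHA1FILE FINGERPRINT
#   0 = checksum matches and fingerprint is listed
#   1 = checksum mismatch (do not print or use this keylist)
#   2 = checksum fine, but fingerprint is malformed or not on the list
check_keylist() {
    expected=$(awk '{print $1; exit}' "$2")
    actual=$(sha1sum < "$1" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ] || return 1
    want=$(normalize "$3")
    # An OpenPGP v4 fingerprint is 40 hex digits; refuse anything else so a
    # short or empty string cannot match by accident.
    [ "${#want}" -eq 40 ] || return 2
    case $want in *[!0-9A-F]*) return 2 ;; esac
    if tr -d ' \t' < "$1" | tr 'a-f' 'A-F' | grep -qF "$want"; then
        return 0
    fi
    return 2
}

# --- Demo on constructed data (fake names and fingerprints) ---
demo=$(mktemp -d)
cat > "$demo/keylist.txt" <<'EOF'
001  Alice Example <alice@example.org>
     Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
002  Bob Example <bob@example.org>
     Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98
EOF
( cd "$demo" && sha1sum keylist.txt > keylist.txt.sha1 )

mine='0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567'
rc=0; check_keylist "$demo/keylist.txt" "$demo/keylist.txt.sha1" "$mine" || rc=$?
echo "before appending checksum: $rc"

# The page's next step appends the checksum to keylist.txt. That changes the
# file, so re-running the check afterwards is expected to report a mismatch.
cat "$demo/keylist.txt.sha1" >> "$demo/keylist.txt"
rc=0; check_keylist "$demo/keylist.txt" "$demo/keylist.txt.sha1" "$mine" || rc=$?
echo "after appending checksum: $rc"
```

Run the check before the append step: once the checksum line has been added, keylist.txt no longer hashes to the published value.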
III. The Party
- Bring the following:
- printed copy of keylist.txt
- One or more forms of ID (e.g. driver's license + Bruin card)
- Make sure the keylist.txt checksum at the bottom of your printout matches the checksum projected onto the wall.
- We iterate through the list of keys, and each participant will make a statement that their fingerprint is correct. Put a check next to each person that has stated that their fingerprint is correct.
- We break formation. Go to each person on your list and verify their identity, adding a second check next to their name. This indicates that you really believe they own the key corresponding to the fingerprint listed next to their name.
- Keep your keylist printout safe.
- Don't forget to eat pizza!
IV. After the Party
- Retrieve your annotated keylist printout.
- For every person on the list with two check marks, import that person's key into your local keyring:
$ gpg --search-keys <their key ID>
Q: How do I install GnuPG (gpg)?
A: Most open source operating systems will include GnuPG by default. If GnuPG is not installed, and isn't provided by your operating system vendor, you should seriously consider switching to a better operating system. Come to LUG during Tutoring hours or attend our next Installfest.
Q: Can't I just generate my PGP keypair on SEASNet lnxsrv?
A: NO! You must protect your private key. Generate it on your personal computer running an open source operating system. VMs don't count.
- move mailing list off Google so non-Gmail users can subscribe
- implement SSL on the web server
- write a simple RSVP web application