Difference between revisions of "Keysigning party"

From Wiki | LUG@UCLA
(34 intermediate revisions by 7 users not shown)
Line 1: Line 1:
 
__NOTOC__
 
__NOTOC__
 
[[File:Gnupg_logo.svg|thumb]]
 
[[File:Gnupg_logo.svg|thumb]]
{{Note|This page is for planning a keysigning party hosted by LUG@UCLA.}}
+
'''Next keysigning party:''' ''none planned''
  
A '''keysigning party''' is an event for helping people verify each others' PGP keys and strengthening the ''web of trust''.
+
A '''keysigning party''' is an event designed to help people verify each others' PGP keys, and strengthen the ''web of trust''.
  
* take control of your privacy
+
* take control of your personal information
 
* meet other interesting members of the privacy-aware community
 
* meet other interesting members of the privacy-aware community
 
* learn about cryptography technologies widely used in industry
 
* learn about cryptography technologies widely used in industry
Line 11: Line 11:
  
 
LUG@UCLA's keysigning party uses a slightly modified version of the [http://www.keysigning.org/methods/sassaman-efficient Sassaman-Efficient] method.
 
LUG@UCLA's keysigning party uses a slightly modified version of the [http://www.keysigning.org/methods/sassaman-efficient Sassaman-Efficient] method.
 
== Event information ==
 
 
* Where: Boelter Hall 4760
 
* When: TBA
 
  
 
== Instructions ==
 
== Instructions ==
  
=== I. RSVP ===
+
=== I. [https://linux.ucla.edu/keysigning/ RSVP] ===
 
<ol>
 
<ol>
<li> Generate your PGP keypair if you haven't already: <code>$ gpg --gen-key</code><br> WARNING: make sure you understand the implications of holding a private key, e.g. do not generate it on a computer you don't own and have ''full control'' over.
+
<li> If you haven't already, generate your PGP keypair: <code>$ gpg --gen-key</code><br><span style="color:red">'''WARNING:'''</span> make sure you understand the implications of holding a private key:
<li> Sync your public key with the keyservers: <code>$ gpg --send-keys '''<your key ID>'''</code><br>WARNING: this is irreversible. Make sure you are prepared to protect your private key and you are using a very strong passphrase.
+
* DO NOT generate it on a computer you don't own and have ''full control'' over.
<li> Figure out your key fingerprint and RSVP:
+
* DO NOT store your private key on Dropbox, Sky Drive, or any other cloud storage service.
* <code>$ gpg --fingerprint '''<your name or key ID>'''</code>
+
* DO use a very strong passphrase (multiple words, aka "phrase")
* Go to RSVP page: https://linux.ucla.edu/keysigning/
+
<li> If you haven't already, sync your ''public'' key with the pgp keyservers: <code>$ gpg --send-keys '''<your key ID>'''</code><br><span style="color:red">'''WARNING:'''</span> this is irreversible. Make sure you are prepared to protect your private key and you are using a very strong passphrase.
 +
<li> Go to RSVP page: https://linux.ucla.edu/keysigning/
 +
* If you don't remember your fingerprint, use this command: <code>$ gpg --fingerprint '''<your name>'''</code>
 
</ol>
 
</ol>
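Review bot: the new WARNING on `gpg --send-keys` (that the upload is irreversible) leaves out the one preparation that makes irreversibility survivable: generating a revocation certificate with `gpg --gen-revoke` right after `gpg --gen-key` and keeping it offline, so that a lost or compromised key can still be marked revoked on the keyservers later. Suggest adding that as a third bullet under the WARNING, next to the cloud-storage and passphrase advice.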
  
Line 31: Line 28:
 
<ol>
 
<ol>
 
<li> 24 hours before the party, we will make available the final keylist and keylist checksum which you should download:
 
<li> 24 hours before the party, we will make available the final keylist and keylist checksum which you should download:
<pre>$ wget https://linux.ucla.edu/keysigning/keylists/keylist.txt
+
<pre>$ wget https://linux.ucla.edu/keysigning/lists/keylist.txt
$ wget https://linux.ucla.edu/keysigning/keyrings/keylist.txt.sha1</pre>
+
$ wget https://linux.ucla.edu/keysigning/lists/keylist.txt.sha1</pre>
 
<li> Make sure your key fingerprint is on the list next to your name.
 
<li> Make sure your key fingerprint is on the list next to your name.
 
<li> Locally verify the checksum: <code>$ sha1sum --check keylist.txt.sha1</code>
 
<li> Locally verify the checksum: <code>$ sha1sum --check keylist.txt.sha1</code>
 
<li> Append the checksum to the bottom of keylist.txt: <code>$ cat keylist.txt.sha1 >>keylist.txt</code>
 
<li> Append the checksum to the bottom of keylist.txt: <code>$ cat keylist.txt.sha1 >>keylist.txt</code>
 
<li> Print keylist.txt and keep safe.
 
<li> Print keylist.txt and keep safe.
 +
* For your convenience, here is a [https://linux.ucla.edu/keysigning/lists/keylist.pdf printable version]. ''Be sure to verify the contents before printing''.
 
</ol>
 
</ol>
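Review bot: with both URLs now pointing at the same `lists/` directory on the same server, `sha1sum --check keylist.txt.sha1` can only detect a corrupted download, not a substituted list; the step should say that the comparison against the checksum projected at the party is the check that actually binds everyone to the same list. The printable PDF added under step 5 has no checksum of its own, so "verify the contents before printing" should spell out that it means comparing it line by line against the verified keylist.txt. A detached signature from an organizer key (`gpg --detach-sign keylist.txt`) published alongside the .sha1 file would let participants verify the list before the event.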
  
Line 44: Line 42:
 
#* One or more forms of ID (e.g. drivers license + Bruin card)
 
#* One or more forms of ID (e.g. drivers license + Bruin card)
 
# make sure the keylist.txt checksum at the bottom of your printout matches the checksum projected onto the wall.
 
# make sure the keylist.txt checksum at the bottom of your printout matches the checksum projected onto the wall.
# We iterate through the list of keys, and each participant will make a statement that their fingerprint is correct. Put a check next to each person that has stated that their fingerprint is correct.
+
# Together, we will iterate over the keylist and each participant will make a statement that their fingerprint is correct. Put a check mark next to each person that has stated that their fingerprint is correct.
# We break formation. Go to each person on your list and verify their identity, adding a '''second''' check next to their name. This indicates that you really believe they own the key corresponding to the fingerprint listed next to their name.
+
# When we finish going through the list, break formation and individually go to each person on your keylist to verify their identity. Add a '''second''' check mark next to each person that you verify. This indicates that you really believe they own that key.
 
# Keep your keylist printout safe.
 
# Keep your keylist printout safe.
 
# Don't forget to eat pizza!
 
# Don't forget to eat pizza!
Line 53: Line 51:
 
<ol>
 
<ol>
 
<li> Retrieve your annotated keylist printout.</li>
 
<li> Retrieve your annotated keylist printout.</li>
<li> For every person on the list with two check marks:
+
<li> Import the key of every person on the list with two check marks: <code>$ gpg --recv-keys '''<key ID 1>''' '''<key ID 2>''' ... '''<key ID N>'''</code>
<ul>
+
<li> For every key with two check marks, sign the key: <code>$ gpg --sign-key '''<their key ID>'''</code>
  <li> import that person's key into your local keyring: <code>$ gpg --search-keys '''<their key ID>'''</code></li>
+
<li> Send all your new key signatures to the keyservers: <code>$ gpg --send-keys '''<key ID 1>''' '''<key ID 2>''' ... '''<key ID N>'''</code><br>
  <li> indicate your trust in the person's identity:
+
This strengthens the ''web of trust''!
    <pre<noinclude></noinclude>>
+
$ gpg --edit-key '''<their key ID>'''
+
Command> '''trust'''
+
[...]
+
1 = Don't know
+
2 = I do NOT trust
+
3 = I trust marginally
+
4 = I trust fully
+
 
+
Your decision? '''3'''
+
    </pre>
+
</ul>
+
<li> send all your new signatures to the keyservers: <code>$ gpg --send-keys '''<first key ID>''' '''<second key ID>''' ... '''<Nth key ID>'''</code>
+
 
</li>
 
</li>
 
</ol>
 
</ol>
== FAQ ==
+
 
 +
== Q/A ==
  
 
<span style="color:red">'''Q:'''</span> How do I install GnuPG (gpg)?<br>
 
<span style="color:red">'''Q:'''</span> How do I install GnuPG (gpg)?<br>
<span style="color:green">'''A:'''</span> Most open source operating systems will include GnuPG by default. If GnuPG is not installed, and isn't provided by your operating system vendor, you should seriously consider switching to a better operating system. Come to LUG during [[Tutoring]] hours or attend our next [[Installfest]].
+
<span style="color:green">'''A:'''</span> Most open source operating systems will include GnuPG by default. If GnuPG is not installed, and isn't provided by your operating system vendor, you should seriously consider switching to a better operating system. Come to LUG during [[Tutoring]] hours or attend our next [[Installfest]] and we will help you install GNU/Linux on your computer.
  
 
<span style="color:red">'''Q:'''</span> Can't I just generate my PGP keypair on SEASNet lnxsrv?<br>
 
<span style="color:red">'''Q:'''</span> Can't I just generate my PGP keypair on SEASNet lnxsrv?<br>
<span style="color:green">'''A:'''</span> NO! You must protect your private key. Generate it on your personal computer running an open source operating system. VMs don't count.
+
<span style="color:green">'''A:'''</span> NO! You must protect your private key. Generate it on your personal computer running an open source operating system. Virtual machines don't count.
  
 
== Resources ==
 
== Resources ==
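Review bot: replacing `--search-keys` with `--recv-keys` removes the interactive prompt, but the new steps 2 and 3 take a key ID while the two check marks on the printout attest to a fingerprint; a key ID (especially a short one) is not unique, so the text should tell participants to pass the full fingerprint from the printout, or at least to compare the fingerprint that `gpg --sign-key` displays against the printout before answering "Really sign?". The removed `--edit-key ... trust` step set ownertrust, a local setting separate from the signature itself, so dropping it does not weaken the signatures sent to the keyservers; one sentence saying so would pre-empt the question.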
Line 86: Line 72:
 
* http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html
 
* http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html
 
* http://www.gnupg.org/gph/en/manual.html
 
* http://www.gnupg.org/gph/en/manual.html
 
== Planning ==
 
 
PREREQUISITES:
 
* move all LUG mailing lists off google so non-gmail users can subscribe. consider setting up a server in the department's server room.
 
* implement ssl on the website
 
* write a simple RSVP web application
 

Revision as of 02:38, 9 February 2014


Next keysigning party: none planned

A keysigning party is an event designed to help people verify each other's PGP keys and strengthen the web of trust.

  • take control of your personal information
  • meet other interesting members of the privacy-aware community
  • learn about cryptography technologies widely used in industry
  • eat pizza

LUG@UCLA's keysigning party uses a slightly modified version of the Sassaman-Efficient method.

Instructions

I. RSVP

  1. If you haven't already, generate your PGP keypair: $ gpg --gen-key
    WARNING: make sure you understand the implications of holding a private key:
    • DO NOT generate it on a computer you don't own and have full control over.
    • DO NOT store your private key on Dropbox, Sky Drive, or any other cloud storage service.
    • DO use a very strong passphrase (multiple words, aka "phrase")
  2. If you haven't already, sync your public key with the PGP keyservers: $ gpg --send-keys <your key ID>
    WARNING: this is irreversible. Make sure you are prepared to protect your private key and you are using a very strong passphrase.
  3. Go to RSVP page: https://linux.ucla.edu/keysigning/
    • If you don't remember your fingerprint, use this command: $ gpg --fingerprint <your name>

II. Preparation

  1. 24 hours before the party, we will make available the final keylist and keylist checksum which you should download:
    $ wget https://linux.ucla.edu/keysigning/lists/keylist.txt
    $ wget https://linux.ucla.edu/keysigning/lists/keylist.txt.sha1
  2. Make sure your key fingerprint is on the list next to your name.
  3. Locally verify the checksum: $ sha1sum --check keylist.txt.sha1
  4. Append the checksum to the bottom of keylist.txt: $ cat keylist.txt.sha1 >>keylist.txt
  5. Print keylist.txt and keep safe.
    • For your convenience, here is a printable version. Be sure to verify the contents before printing.

III. The Party

  1. Bring the following:
    • printed copy of keylist.txt
    • One or more forms of ID (e.g. driver's license + Bruin card)
  2. Make sure the keylist.txt checksum at the bottom of your printout matches the checksum projected onto the wall.
  3. Together, we will iterate over the keylist and each participant will make a statement that their fingerprint is correct. Put a check mark next to each person that has stated that their fingerprint is correct.
  4. When we finish going through the list, break formation and individually go to each person on your keylist to verify their identity. Add a second check mark next to each person that you verify. This indicates that you really believe they own that key.
  5. Keep your keylist printout safe.
  6. Don't forget to eat pizza!

IV. After the Party

  1. Retrieve your annotated keylist printout.
  2. Import the keys of every person on the list with two check marks: $ gpg --recv-keys <key ID 1> <key ID 2> ... <key ID N>
  3. For every key with two check marks, sign the key: $ gpg --sign-key <their key ID>
  4. Send all your new key signatures to the keyservers: $ gpg --send-keys <key ID 1> <key ID 2> ... <key ID N>
    This strengthens the web of trust!
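The following script is an added example and is not part of the LUG@UCLA page or its RSVP application. It ties together preparation steps II.2 to II.4, the checksum comparison of step III.2, and step IV.2: it verifies a downloaded keylist against its .sha1 file and against a digest obtained out of band (the one projected onto the wall), looks up whether a given name carries a given full fingerprint, and pulls out the entries you marked with two check marks so they can be fed to gpg. The keylist layout (one line per entry: number, two check boxes, name, a `|`, then the fingerprint) is an assumption made for this example, since the page does not specify the real keylist.txt format; the names and fingerprints are constructed, and the "projected" digest is simulated by computing it locally.

```shell
#!/bin/sh
# Added example (not the LUG@UCLA page's own code). Assumed keylist layout:
#   <number> [<check1>] [<check2>] <name> | <fingerprint>
# Sample names and fingerprints below are constructed and fictional.

set -eu

# Writes a constructed keylist.txt and its keylist.txt.sha1 into DIR.
make_sample_keylist() {
    dir=$1
    cat > "$dir/keylist.txt" <<'EOF'
001 [x] [x] Alice Example | 1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678
002 [x] [ ] Bob Example   | FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98
003 [x] [x] Carol Example | 0F0F 1E1E 2D2D 3C3C 4B4B 5A5A 6969 7878 8787 9696
EOF
    (cd "$dir" && sha1sum keylist.txt > keylist.txt.sha1)
}

# Step II.3 plus step III.2. The .sha1 file is served from the same place as the
# keylist, so `sha1sum --check` alone only catches download corruption; EXPECTED
# is the digest obtained out of band (projected on the wall). Both must pass.
verify_keylist() {
    dir=$1
    expected=$2
    if ! (cd "$dir" && sha1sum --check --status keylist.txt.sha1); then
        echo "keylist.txt does not match keylist.txt.sha1" >&2
        return 1
    fi
    actual=$(sha1sum "$dir/keylist.txt" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest $actual differs from out-of-band digest $expected" >&2
        return 1
    fi
    return 0
}

# Step II.2: succeed only if NAME's line carries exactly FINGERPRINT. Spaces and
# letter case are normalised; the full 40-hex-digit fingerprint is compared,
# never just a key ID.
fingerprint_listed() {
    dir=$1
    name=$2
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    listed=$(grep -F -- "$name" "$dir/keylist.txt" | sed 's/.*|//' \
             | tr -d ' ' | tr 'a-f' 'A-F' || true)
    [ -n "$listed" ] && [ "$listed" = "$want" ]
}

# Step IV.2: print the fingerprint (spaces removed) of every entry marked with
# two check marks, one per line, ready for `gpg --recv-keys` / `gpg --sign-key`.
two_check_fingerprints() {
    grep -E '^[0-9]+ \[[xX]\] \[[xX]\] ' "$1/keylist.txt" | sed 's/.*|//' | tr -d ' '
}

# Stand-alone demonstration on the constructed sample.
demo() {
    tmp=$(mktemp -d)
    make_sample_keylist "$tmp"
    # Stands in for the digest projected on the wall (assumption for the demo).
    wall=$(sha1sum "$tmp/keylist.txt" | cut -d' ' -f1)
    if verify_keylist "$tmp" "$wall"; then echo "keylist verified"; fi
    if fingerprint_listed "$tmp" "Alice Example" \
         "1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678"; then
        echo "Alice's fingerprint is listed next to her name"
    fi
    echo "fingerprints to import and sign:"
    two_check_fingerprints "$tmp"
    # A list altered after the checksum was made (one appended line) must fail.
    echo "004 [ ] [ ] Extra Entry | 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000" >> "$tmp/keylist.txt"
    if verify_keylist "$tmp" "$wall"; then echo "unexpected: altered list verified"; fi
    rm -rf "$tmp"
}

demo
```

In use, the output of `two_check_fingerprints` is what you pass to `gpg --recv-keys` and then, one at a time, to `gpg --sign-key`; gpg accepts full fingerprints where the page's commands show key IDs, and the fingerprint gpg displays before asking you to confirm the signature should match the line on your printout.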

Q/A

Q: How do I install GnuPG (gpg)?
A: Most open source operating systems will include GnuPG by default. If GnuPG is not installed, and isn't provided by your operating system vendor, you should seriously consider switching to a better operating system. Come to LUG during Tutoring hours or attend our next Installfest and we will help you install GNU/Linux on your computer.

Q: Can't I just generate my PGP keypair on SEASNet lnxsrv?
A: NO! You must protect your private key. Generate it on your personal computer running an open source operating system. Virtual machines don't count.

Resources