Keysigning party

From Wiki | LUG@UCLA
Revision as of 12:43, 2 November 2013 by 75.85.58.98 (Talk)


Note: This page is for planning a keysigning party hosted by LUG@UCLA.

A keysigning party is an event for helping people verify each other's PGP keys and strengthen the web of trust.

  • take control of your privacy
  • meet other interesting members of the privacy-aware community
  • learn about cryptography technologies widely used in industry
  • eat pizza

LUG@UCLA's keysigning party uses a slightly modified version of the Sassaman-Efficient method.

Event information

  • Where: Boelter Hall 4760
  • When: TBA

Instructions

I. RSVP

  1. Generate your PGP keypair if you haven't already: $ gpg --gen-key
    WARNING: make sure you understand the implications of holding a private key, e.g. do not generate it on a computer you don't own and have full control over.
  2. Sync your public key with the keyservers: $ gpg --send-keys <your key ID>
    WARNING: this is irreversible. Make sure you are prepared to protect your private key and you are using a very strong passphrase.
  3. Figure out your key fingerprint and RSVP:

II. Preparation

  1. 24 hours before the party, we will make available the final keylist and its checksum, which you should download:
    $ wget https://linux.ucla.edu/keysigning/keylists/keylist.txt
    $ wget https://linux.ucla.edu/keysigning/keyrings/keylist.txt.sha1
  2. Make sure your key fingerprint is on the list next to your name.
  3. Locally verify the checksum: $ sha1sum --check keylist.txt.sha1
  4. Append the checksum to the bottom of keylist.txt: $ cat keylist.txt.sha1 >> keylist.txt
  5. Print keylist.txt and keep safe.
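Here is the Part II procedure as a script, added for this page and not part of the original wiki text or of any LUG@UCLA tooling. It runs against a constructed sample keylist (the file names and the one-line-per-person layout are assumptions, so the real keylist.txt may need a different parser), which lets the checksum check, the fingerprint lookup and the append step be rehearsed offline before the real download.

```shell
#!/bin/sh
# Added example, not the page's own script: the Part II checks as small shell
# functions, run against a constructed keylist so it works offline. The real
# keylist.txt format may differ; the parser below assumes one line per person,
# "<number> <name> <email> <fingerprint in spaced hex groups>".

# Stand-in for "wget .../keylist.txt": write a constructed sample list to $1.
write_sample_keylist() {
    cat > "$1" <<'EOF'
# LUG@UCLA keysigning keylist (constructed sample, not the real list)
001  Alice Example <alice@example.org>  1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678
002  Bob Example   <bob@example.org>    0FED CBA9 8765 4321 0FED  CBA9 8765 4321 0FED CBA9
EOF
}

# Stand-in for "wget .../keylist.txt.sha1": publish the checksum file. It is
# produced inside the keylist's directory so it names the file relatively,
# which is what "sha1sum -c" looks for in step 3.
write_checksum_file() {
    ( cd "$(dirname "$1")" && sha1sum "$(basename "$1")" > "$(basename "$1").sha1" )
}

# Step 3: succeed only if keylist.txt is bit-for-bit what was published.
# Do this BEFORE step 4, because appending the checksum changes the file.
verify_keylist() {
    ( cd "$(dirname "$1")" && sha1sum -c "$(basename "$1").sha1" >/dev/null 2>&1 )
}

# Step 2: is fingerprint $3 listed next to name $2 in keylist $1?
# Spaces are dropped and hex is upper-cased on both sides, so the spaced
# form on paper matches the 40-digit form "gpg --fingerprint" prints.
fingerprint_on_list() {
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    grep -F -- "$2" "$1" | while IFS= read -r line; do
        fp=$(printf '%s' "${line#*>}" | tr -d ' \t')   # text after the e-mail's '>'
        [ "$fp" = "$want" ] && echo match
    done | grep -q match
}

# Step 4: append the checksum line so it ends up on the printout, where it is
# compared with the checksum projected on the wall at the party (Part III, step 2).
append_checksum() {
    cat "$1.sha1" >> "$1"
}

# Walk through the steps once.
dir=$(mktemp -d)
write_sample_keylist "$dir/keylist.txt"
write_checksum_file "$dir/keylist.txt"
verify_keylist "$dir/keylist.txt" && echo "keylist checksum: OK"
fingerprint_on_list "$dir/keylist.txt" "Alice Example" \
    "1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678" && echo "Alice's fingerprint is on the list"
append_checksum "$dir/keylist.txt"
tail -n 1 "$dir/keylist.txt"     # the line to compare with the wall at the party
```

The order matters: verify first, append second. Once the checksum line is appended the file no longer matches the published hash, so a later `sha1sum --check` will fail; that is expected, not a sign of tampering.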

III. The Party

  1. Bring the following:
    • printed copy of keylist.txt
    • One or more forms of ID (e.g. driver's license + Bruin card)
  2. Make sure the keylist.txt checksum at the bottom of your printout matches the checksum projected onto the wall.
  3. We iterate through the list of keys, and each participant will make a statement that their fingerprint is correct. Put a check next to each person who has stated that their fingerprint is correct.
  4. We break formation. Go to each person on your list and verify their identity, adding a second check next to their name. This indicates that you really believe they own the key corresponding to the fingerprint listed next to their name.
  5. Keep your keylist printout safe.
  6. Don't forget to eat pizza!

IV. After the Party

  1. Retrieve your annotated keylist printout.
  2. For every person on the list with two check marks:
    • import that person's key into your local keyring: $ gpg --search-keys <their key ID>
    • indicate your trust in the person's identity:
      $ gpg --edit-key <their key ID>
      Command> trust
      [...]
       1 = Don't know
       2 = I do NOT trust
       3 = I trust marginally
       4 = I trust fully

      Your decision? 3

  3. Send all your new signatures to the keyservers: $ gpg --send-keys <first key ID> <second key ID> ... <Nth key ID>
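The gpg side of Parts I and IV, as an added rehearsal that is not part of the wiki page: two constructed participants, Alice and Bob, each in a throwaway GNUPGHOME, so nothing touches a real keyring or keyserver (the `--send-keys` upload is left out on purpose). It assumes GnuPG 2.1 or later. One point worth knowing before step 2: the `trust` menu sets ownertrust, that is how far you rely on that person's signatures on other people's keys, and produces no signature of its own; the signatures that step 3 uploads come from signing the key, shown here with `--quick-sign-key` against the fingerprint you checked in person.

```shell
#!/bin/sh
# Added example, not the page's own commands: Parts I and IV rehearsed in
# throwaway keyrings for two constructed participants, Alice and Bob. Each
# gets a private GNUPGHOME so your real keyring is never touched. Needs
# GnuPG 2.1 or later (--quick-generate-key, --quick-sign-key).
# --send-keys is deliberately left out so the rehearsal stays offline.

ALICE_UID='Alice Example <alice@example.org>'   # constructed identity
BOB_UID='Bob Example <bob@example.org>'         # constructed identity

# Part I: generate a keypair in keyring $1 and print its fingerprint as 40 hex
# digits, the value you RSVP with and later check against the keylist.
# The empty passphrase is only acceptable in this throwaway rehearsal.
make_key() {
    mkdir -p "$1" && chmod 700 "$1"
    GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never 2>/dev/null
    GNUPGHOME=$1 gpg --batch --with-colons --with-fingerprint --list-keys "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Part IV step 2a: move a public key from keyring $1 into keyring $2. At the
# real party this is "gpg --search-keys <their key ID>" against the keyservers.
copy_pubkey() {   # $3 = fingerprint of the key to copy
    GNUPGHOME=$1 gpg --batch --export "$3" | GNUPGHOME=$2 gpg --batch --quiet --import 2>/dev/null
}

# Part IV step 2b: certify (sign) the key. Pass the fingerprint exactly as it
# appears next to the two check marks on your printout; --quick-sign-key wants
# the full fingerprint, so a short key ID cannot select the wrong key.
certify_key() {   # $1 = your keyring, $2 = fingerprint you verified in person
    GNUPGHOME=$1 gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --quick-sign-key "$2" 2>/dev/null
}

# The page's "trust" menu sets ownertrust: how far you trust this person to
# vouch for OTHERS. It does not create a signature. Menu choice 3 ("I trust
# marginally") is value 4 in the ownertrust file format used here.
set_marginal_ownertrust() {   # $1 = your keyring, $2 = fingerprint
    printf '%s:4:\n' "$2" | GNUPGHOME=$1 gpg --batch --quiet --import-ownertrust 2>/dev/null
}

# How many good certifications on key $2, made by the key whose fingerprint is
# $3, does keyring $1 hold? These are the signatures Part IV step 3 uploads.
certifications_by() {
    GNUPGHOME=$1 gpg --batch --with-colons --check-sigs "$2" 2>/dev/null \
        | awk -F: -v k="$3" \
            '$1 == "sig" && $2 == "!" && $5 == substr(k, length(k) - 15) { n++ } END { print n + 0 }'
}

stop_agents() {   # each throwaway keyring starts its own gpg-agent; stop them
    for d in "$@"; do GNUPGHOME=$d gpgconf --kill gpg-agent 2>/dev/null; done
}

rehearsal() {
    work=$(mktemp -d)
    alice_fpr=$(make_key "$work/alice" "$ALICE_UID")
    bob_fpr=$(make_key "$work/bob" "$BOB_UID")
    echo "Alice's fingerprint for the RSVP: $alice_fpr"
    copy_pubkey "$work/alice" "$work/bob" "$alice_fpr"
    certify_key "$work/bob" "$alice_fpr"              # Bob checked Alice's ID in person
    set_marginal_ownertrust "$work/bob" "$alice_fpr"
    echo "Certifications by Bob on Alice's key: $(certifications_by "$work/bob" "$alice_fpr" "$bob_fpr")"
    stop_agents "$work/alice" "$work/bob"
    rm -rf "$work"
}

command -v gpg >/dev/null 2>&1 && rehearsal
```

After `certify_key`, the copy of Alice's key in Bob's keyring carries Bob's signature; that local copy is what `gpg --send-keys <Alice's key ID>` would publish, and it is why step 3 lists every key you signed rather than your own.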

FAQ

Q: How do I install GnuPG (gpg)?
A: Most open source operating systems will include GnuPG by default. If GnuPG is not installed, and isn't provided by your operating system vendor, you should seriously consider switching to a better operating system. Come to LUG during Tutoring hours or attend our next Installfest.

Q: Can't I just generate my PGP keypair on SEASNet lnxsrv?
A: NO! You must protect your private key. Generate it on your personal computer running an open source operating system. VMs don't count.

Resources

Planning

PREREQUISITES:

  • Move all LUG mailing lists off Google so non-Gmail users can subscribe. Consider setting up a server in the department's server room.
  • Implement SSL on the website.
  • Write a simple RSVP web application.