Keysigning @ DebConf8
As part of the 9th Debian Conference in Mar del Plata, Argentina, there will be OpenPGP (pgp/gpg) keysignings.
To be announced after a time slot is assigned by the DebConf organizers.
What is keysigning and why do it
A keysigning party or meeting is a get-together of at least two individuals who use the PGP encryption system with the purpose of allowing them to sign each others keys. Keysigning parties serve to extend the web of trust (WoT) to a great degree. A useful metric of the WoT is the mean shortest distance (MSD) of a key.
Please read chapters one and two of the GnuPG Keysigning Party HOWTO (note: we are doing the party differently, so the other chapters do not apply completely).
How will the keysigning happen?
The keysignings will be based on the Efficient Group Key Signing Method by Len Sassaman and Phil Zimmermann which is a protocol to do keysignings in a way that is faster than the way many people may be familiar with.
To reduce the time spent checking ID documents, each participant will be placed in one of two groups after all the keys have been received. The groups will be organized after computer simulations are run to (heuristically) optimize the MSD of all participants.
The keysigning steps follow.
The deadline has now passed. If you haven't submitted your key yet, it's too late to get your key on the list. It's not, however, too late to participate altogether. Bring paper slips or business cards with your gpg fingerprint.
- Send your ascii armored, cleaned, minimized and clear-signed public key to email@example.com not later than 23:59 UTC on Saturday 26th of July, 2008. Multiple keys per armor are just fine. The signature will prove the owner of the key controls its private key (or at least one of the private keys).
- Please check that your version of gpg does support the export-clean option.
- Please do not encrypt your email.
- Please do not send attachments.
- Please do not encode your email.
- Example with two keys 0xfedcba98 and 0x76543210, signature is made with key 0xfedcba98:
- gpg --armor --export-options export-clean,export-minimal --export 0xfedcba98 0x76543210 > publickeyblock
- Then clear-sign publickeyblock with key 0xfedcba98 creating publickeyblock.asc:
- gpg --default-key 0xfedcba98 --clearsign publickeyblock
- Then email publickeyblock.asc as so:
- mail -s "KeySigning Party @ DebConf8" firstname.lastname@example.org < publickeyblock.asc
- Same example as a one-liner:
- gpg --armor --export-options export-clean,export-minimal --export 0xfedcba98 0x76543210 | gpg --default-key 0xfedcba98 --clearsign | mail -s "KeySigning Party @ DebConf8" email@example.com
- Another one-liner:
- (echo -e "To: firstname.lastname@example.org\nFrom: Your Full Name <email@example.com>\nBcc: firstname.lastname@example.org\nSubject: KeySigning Party @ DebConf8\n"; gpg --armor --export-options export-clean,export-minimal --export 0xfedcba98 0x76543210 | gpg --default-key 0xfedcba98 --clearsign) | sendmail -t
- Your key will be processed manually and if the submitted key is valid, an email will be sent back to you with your submitted key and it will be listed at http://people.debian.org/~anibal/ksp-dc8/names.html. If you find an error write immediately to email@example.com or firstname.lastname@example.org.
- At http://people.debian.org/~anibal/ksp-dc8/names.html, if you want your name linked to your photo, send an email to email@example.com.
- On Sunday, 27th of July, 2008 you will be able to fetch the complete keyring (ksp-dc8.gpg.bz2) with all the keys that were submitted along with a text file (ksp-dc8.txt) giving the fingerprint of each key on the ring.
- At http://people.debian.org/~anibal/ksp-dc8/ both the keyring and text files will have corresponding files with their SHA256 checksums. The SHA256 files will be signed with public key 0x1880283c, which can be downloaded from keyring.debian.org or db.debian.org.
- To verify the signuture of the SHA256 files, download anibal's key from db.debian.org, e.g.:
- finger firstname.lastname@example.org | gpg --import
- And then run gpg with the verify option (using ksp-dc8.txt.sha256.asc as an example):
- gpg --verify ksp-dc8.txt.sha256.asc
- Verify that the fingerprint of your key in ksp-dc8.txt is correct. Also compute the SHA256 hash of ksp-dc8.txt. One way to do this is with sha256sum invoked as follows:
- sha256sum ksp-dc8.txt
- Bring to DebConf the hash you computed and a hardcopy of ksp-dc8.txt.
- It is very important that you have verified at home the fingerprint of your key on the hardcopy.
- It is also very important that you have computed the hash at home.
- The SHA256 hash of ksp-dc8.txt will be published on the notice board near the organizers' office. Verify that one of the hashes matches what you computed. This guarantees that all participants are working from the same list of keys.
- During DebConf, look for participants in your assigned group.
- For each participant in your group:
- Compare the hash you computed with the other participant (if you will attend the meeting that will be anounced by Don Armstrong, the hash will be recited loudly).
- Ask if the other participant's gpg fingerprint on the hardcopy is correct.
- Verify each other's identity by checking preferably a passport or, alternatively, some other form of government issued ID. Please don't show very old, doubtful or easy-to-fake documents as people will not sign your key if you do so.
- If you are satisfied with the identification, mark on your hardcopy that the other participant's gpg fingerprint is correct and has been identified.
- Later that evening, or perhaps when you get home, you can sign the keys in ksp-dc8.txt which you were able to verify and identify.
- Please use Peter Palfrader's pgp-tools to sign keys using caff, one of the scripts of pgp-tools. The scripts are also available as the debian package signing-party.
What to bring with you
- A printout of ksp-dc8.txt; check that your fingerprint is correct.
- The SHA256 hash you made of ksp-dc8.txt so that we can ensure we are all working with the same copy.
- Some form of government issued ID (passport or similar).
- If this is your first keysigning, a copy of this web page and linked documents might be useful.
If you have questions please email Anibal Monsalve Salazar at email@example.com or ask Don Armstrong during DebConf.
The IRC channel to post your keysigning questions is #debconf-ksp at irc.debian.org.
Special thanks goes to Benjamin Mako Hill who provided the scripts and text used at Debconf4, Peter Palfrader who provided the scripts and text used at Debconf3 and LinuxTag (2003 and 2004) whose reuse made putting together this keysigning easy and possible.