Keysigning Party

From HudLUG



Where?/When?

The next meeting is on Monday 5th September at Vox Bar.

The 'party' should last around 20-30 minutes.

What's a key-signing party?

A key-signing party is a get-together with PGP users for the purpose of meeting other PGP users and signing each other's keys. This helps to extend the "web of trust" to a great degree.

What do I need for this party?

Required Items

  • Physical attendance
  • Positive picture ID
  • Your Key ID, Key type, HEX fingerprint, and Key size
  • A pen/pencil or whatever you'd like to write with.
  • Most people recommend not bringing a computer. Personally I think that it's alright as long as you a) don't sign other keys during the meeting and b) are aware of people's activities on their computers during the process.


Required Process

This looks more complicated than it actually is.

For a step-by-step command-line tour of how to do this, see the GPG Phrasebook below.

  • Generate a key/Remember your pass phrase
  • All attendees send their public keys to a public keyserver. For this party, we'll use wwwkeys.uk.pgp.net. If for some reason you don't want your key to be in a public keyserver, but still want to participate, please let me know.
  • All attendees send their key ID, key type, fingerprint, and key size to the host, oris@tancdevelopments.co.uk.
  • The host prints a list with everyone's key ID, key type, fingerprint, and key size from the compiled keyrings and distributes copies of the printout at the meeting.
  • Attend the party. Bring along a paper copy of your key ID, key type, fingerprint, and key size that you obtained from your own keyring. You must also bring along a suitable photo ID. You are to make two marks on the listing, one for correct key information (key ID, key type, fingerprint, and key size) and one if the ID check is OK.
  • At the meeting each key owner reads his key ID, key type, fingerprint, key size, and user ID from his own printout, not from the distributed listing. This is because there could be an error, intended or not, on the listing. This is also the time to say which user IDs should or should not be signed. If the key information matches your printout, place a check-mark by the key.
  • After everyone has read out his key ID information, all attendees must make sure they have spoken to everybody else on the list.
  • If you are satisfied that the person is who they say they are, and that the key on the printout is theirs, you place another check-mark next to their key on your printout.
  • That is all for the physical meeting.
  • After confirming that the key information on the key server matches the printout that you have checked, sign the appropriate keys. Keys can only be signed if they have two check-marks.
  • Send the signed keys back to the keyservers.
  • Use those keys as often as possible.


GPG Phrasebook OR How to make it work, Fast

Generate your gnupg keys

 bash$ gpg --gen-key

Select the key type you want. The default is good.

 Please select what kind of key you want:
 (1) DSA and ElGamal (default)
 (2) DSA (sign only)
 (4) ElGamal (sign and encrypt)
 Your selection? <return>


Select your key size: 2048

 DSA keypair will have 1024 bits.
 About to generate a new ELG-E keypair.
 minimum keysize is 768 bits
 default keysize is 1024 bits
 highest suggested keysize is 2048 bits
 What keysize do you want? (1024) 2048<return>
 Do you really need such a large keysize? yes<return>

Set the lifetime of this key: 5 years is good

 Requested keysize is 2048 bits
 Please specify how long the key should be valid.
 0 = key does not expire
 <n> = key expires in n days
 <n>w = key expires in n weeks
 <n>m = key expires in n months
 <n>y = key expires in n years
 Key is valid for? (0) 5y<return>
 Key expires at Sun Sep 21 16:17:15 2005 EDT
 Is this correct (y/n)? y<return>

Enter your name and email address(es)...

 Real name: Demo User<return>
 Email address: demo@nonexistent.nowhere<return>
 Comment:
 You selected this USER-ID:
 "Demo User <demo@nonexistent.nowhere>"
 Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O<return>

Choose a pass phrase. You need to pick a good one. It should be long and very difficult to guess. It should be something you won't forget. If you forget your pass phrase, you cannot recover your key.

Move the mouse and hit some keys; maybe update the locate database in the background or run a big find. GPG is reading from /dev/random to get randomness for your key generation, and /dev/random is populated in part by interrupts. Modify your key if you want. For example, if you have multiple email addresses and you want to list them as valid on your key:

 bash$ gpg --list-secret-keys
 /home/demo/.gnupg/secring.gpg
 ----------------------------
 sec 1024D/C01BAFC3 2000-09-21 Demo User <demo@nonexistent.nowhere>
 ssb 2048g/7A4087F3 2000-09-21
 bash$ gpg --edit-key C01BAFC3
 Command> help
 Command> adduid
 [...]
 Command> save

Send your key to the keyserver:

 $ gpg --keyserver wwwkeys.uk.pgp.net --send-key <Your_Key_ID>

You should see a success message like this:

 gpg: success sending to `wwwkeys.uk.pgp.net' (status=200)

Go to the meeting

Back at home and ready to sign

Get a copy of the key

Normally, you'll be working from a keyserver. However, if you are signing a key that is not available on a keyserver, you can simply import the key with gpg --import. If you are working with a keyserver, the following command will download the key from the keyserver into your public keyring.

 bash$ gpg --keyserver wwwkeys.uk.pgp.net --recv-keys <Key_ID>

If you get a read error, it means the keyserver is overloaded. Please try again in a few seconds.

Fingerprint and Verify the key

 bash$ gpg --fingerprint <Key_ID>

GPG will print out the fingerprint of the key with <Key_ID> (the key you just downloaded). Check the fingerprint against the checklist that you were given at the party. Note: don't check the fingerprint on your checklist against the fingerprint on the keyserver's web page, as the server may not send you the same key it displays on the web page.
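As an added example (not from the HudLUG page), here is a small POSIX shell script that does this printout-versus-keyserver comparison mechanically: it reads GnuPG's machine-readable --with-colons output, takes only the primary key's fingerprint (so a subkey fingerprint cannot satisfy the check), and succeeds only when the fingerprint copied from your party printout matches in full. The fingerprints and the --with-colons sample are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the HudLUG page: check the fingerprint from your
# party printout against the key you fetched from the keyserver, before signing.
# Relies on GnuPG's machine-readable "--with-colons" output, where each "fpr"
# record carries a full fingerprint in field 10 and the "fpr" record directly
# after a "pub" record is the primary key's (later ones belong to subkeys).

# Strip spaces and upper-case a fingerprint copied from a paper printout.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'abcdef' 'ABCDEF'
}

# Print the primary-key fingerprint(s) found in --with-colons output.
# A keyserver answering a short key ID may return several keys, so there
# can be more than one line; every one is checked.
primary_fprs() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed (exit 0) only if the printout fingerprint is a complete 40-digit
# fingerprint that matches a primary key in the fetched data.
verify_fingerprint() {
    expected=$(normalize_fpr "$1")
    [ "${#expected}" -eq 40 ] || return 1
    primary_fprs "$2" | grep -qxF "$expected"
}

# Real use after "gpg --recv-keys <Key_ID>" (needs gpg; not exercised here):
#   verify_fingerprint "<fingerprint from printout>" \
#       "$(gpg --with-colons --fingerprint <Key_ID>)" && gpg --sign-key <Key_ID>

# Constructed sample of --with-colons output; the key IDs and fingerprints
# are made up for this example.
SAMPLE_COLONS='pub:-:1024:17:ABCDEF0123456789:2005-09-05::::::scSC::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::2005-09-05::0000::Demo User <demo@nonexistent.nowhere>::::::::::0:
sub:-:2048:16:0123456789ABCDEF:2005-09-05::::::e::::::
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'
```

Only sign when verify_fingerprint succeeds; a partial fingerprint or one that matches only a subkey is rejected.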

Sign the key

 bash$ gpg --sign-key <Key_ID>

If you have multiple private keys, you can choose which of them signs the other person's public key by giving its key ID with the --local-user (-u) option.

Return or Upload the signed key

 bash$ gpg --keyserver wwwkeys.uk.pgp.net --send-key <Key_ID>

You should see a success message like this:

 gpg: success sending to `wwwkeys.uk.pgp.net' (status=200)

Congratulations, the signature of the other entity's key is now complete and your signature has been incorporated into their public key. A trust path has been established.

Recommended Programs

  • Seahorse
  • GPA

Other useful PGP links


A few more links for PGP newbies, or those who wish to re-acquaint themselves.

   * http://www.pgpi.org/ -- The International PGP Home Page
   * http://www.pgpi.org/download/ -- Download PGP
   * http://www.gnupg.org/ -- GnuPG (Linux)
   * http://www.pgpi.org/products/tools/search/ -- PGP Tools, Shells, and Plugins

What if I still have a question?

If you'd like some help answering it, you can contact the event coordinator, Thomas Porteus via email at oris@tancdevelopments.co.uk.