This is TikiWiki v1.9.9 -Sirius- © 2002–2007 by the Tiki community Sat Oct 11, 2008 [23:21 UTC]
MLUGKeySigningParty


Instructions for MLUG Key Signing Parties

The first widely available tool for generating and using key pairs for public key cryptography was called PGP (Pretty Good Privacy). The GNU project subsequently developed a tool called GPG (GnuPrivacyGuard), which by default generates keys that are compatible with the PGP tool and are compliant with the OpenPGP standard. Because I am not sure exactly how interchangeable the keys generated by GPG and PGP are, and since I am working with GPG, I will refer to all keys as GPG keys in this document. If you use PGP you should still be able to participate in MLUG key signing parties as long as you are using OpenPGP compliant keys. Informal key signing parties will be held after every MLUG meeting. The following people are interested in signing other people's keys and getting their own key signed by other people.

Sean Malloy


Part I: Preparations

I'd like everybody who wants to participate to do a little bit of preparation first:

1. Generate a GPG Key Pair.

The command to do this, if you don't already have one, is:

gpg --gen-key

The above command is interactive. Entering the defaults will generate a good key. The only values you can't default are your name, comment, and email address. After you've entered everything, GPG generates a key pair and puts the public key on your public key ring and your private key on your private ring.

Some of the following instructions require a 'key id'. One way to find your 'key id' is to have GPG list your public keys; GPG shows the 'key id' for each key.

You can get a list of your public keys with:

gpg --list-keys

Here is what the listing looked like on my console (I used gpg --fingerprint, which lists the keys and also shows each key's fingerprint):

 phil@castle:phil$ gpg --fingerprint
 gpg: Warning: using insecure memory!
 gpg: please see http://www.gnupg.org/faq.html for more information
 /home/phil/.gnupg/pubring.gpg
 -----------------------------
 pub  1024D/EF52DFFF 2003-03-18 Phil Goembel (Correspondence) <phil-goembel@wi.rr.com>
      Key fingerprint = EA08 E00D 9202 EF0B 6217  A7BD E187 4DB3 EF52 DFFF
 sub  1024g/38157C01 2003-03-18 [expires: 2004-03-17]
 (more keys... )

There were a lot more keys - I'm only showing the listing for the public key that I want to get signed. The 'key id' I'm interested in is EF52DFFF, which is the 8 characters following 'pub 1024D/' above. These are actually just the last 8 (hexadecimal) digits of the key's fingerprint.

Notice that GPG issued a warning about insecure memory. This message can safely be ignored unless you are extremely cautious about security. The way to fix it is to run GPG as root, but that involves some risk too. I really don't want to get into that stuff here.

2. Register your GPG public key with the MIT public key server.

The simplest way to do this is to tell GPG to send the key directly to the server:

gpg --keyserver pgp.mit.edu --send-key 'key id'

3. Print out your key ID, key fingerprint, key type, and key size.

The easiest way is to execute the following command and bring several printouts of the result:

gpg --fingerprint 'key id'


Note on Preparations:

I've purposely left out a lot of detail in the above instructions. If you need help post a question on the MLUG mailing list. You can also get some help from the Gnu Privacy Handbook and from the Key Signing Party HOWTO.


Part II: Partying

1. What to Bring

Here is what the Key Signing Party HOWTO recommends:

1. Yourself - you cannot participate virtually.
2. Positive picture ID - a driver's license and passport are good.
3. Key ID, Key Type, Key Fingerprint and Key Size information.
4. A pen or pencil.

Bring another form of ID if possible, like credit cards, birth certificate, social security card, etc. If you do have more photo IDs, then by all means bring them.

Getting your key id, key type, key fingerprint, and key size is explained in the 'Preparations' section above.

2. What to do

Despite the misnomer "key signing", what we really are doing at the party is verifying everybody's identity and verifying their key fingerprints. The actual key signing will take place later.

Forming a Web of Trust

The purpose of the party is to form a web of trusted GPG keys. The web of trust is formed by linking keys to each other through signatures.

The idea is that once you have assured yourself that the owner of a public key is who they say they are, you will sign their public key with your private key. Your signature on someone's public key tells everybody that you verified their identity and that you believe they are the owner of the public key that they presented to you.




Part III: Followup

Here we go into the final steps like verifying email addresses, signing keys, and updating the trust database.

Signing Keys

So far, I've only signed the keys of people I know personally, and people whose identities and signatures I verified at the party and with whom I've had two-way communications. I am currently following a rule of not signing a key until I am sure all the information stored with it is correct, including both the name and the email address (the comment field doesn't appear to apply, so far). To verify an email address, I need to know that the key owner can both receive and reply to email sent to that address.

This is how I've been signing keys:

First, to make sure the key is on your public keyring and is up to date, fetch it from the MIT server:

gpg --keyserver pgp.mit.edu --recv-keys 'key id'

If the version on the server has new signatures or has been changed in any way (e.g. revoked), those changes will be recorded on (or merged into) your local public key ring.

Then sign the key:

gpg --sign-key 'key-id'

Then send it back to the server:

gpg --keyserver pgp.mit.edu --send-keys 'key-id'

All the information about the key, from your local key ring, will be merged back into the server's database.
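As an added example (not from the original wiki page), here is a POSIX shell script that automates the follow-up described above: it fetches the key from pgp.mit.edu, reads the fingerprint gpg stored for it, compares it with the fingerprint you checked against the printed slip at the party (and with the key id, which is the last 8 hex digits of the fingerprint), and only then runs --sign-key and --send-keys. The function names and the use of gpg's --with-colons output format are my assumptions, not part of the page's instructions.

```shell
#!/bin/sh
# Added example: sign a key only after the fingerprint fetched from the
# keyserver matches the one verified in person at the party.
# Assumes gpg is installed and the keyserver below is reachable.
KEYSERVER="pgp.mit.edu"

# Strip whitespace and upper-case a fingerprint as copied from a paper slip,
# e.g. "ea08 e00d ... ef52 dfff" -> "EA08E00D...EF52DFFF".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# The 8-character key id is the last 8 hex digits of the 40-digit (v4)
# fingerprint; anything else is rejected.
fpr_matches_keyid() {
    fpr=$(normalize_fpr "$1")
    keyid=$(normalize_fpr "$2")
    [ "${#fpr}" -eq 40 ] || return 1
    [ "$(printf '%s' "$fpr" | tail -c 8)" = "$keyid" ]
}

# Pull the key from the keyserver and print the primary key's fingerprint
# from gpg's machine-readable --with-colons output ("fpr" records, field 10).
fetch_fpr() {
    gpg --batch --keyserver "$KEYSERVER" --recv-keys "$1" >/dev/null 2>&1 || return 1
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_and_sign KEYID "EA08 E00D ... EF52 DFFF"
# Signs and uploads only if the server copy and the paper slip agree.
verify_and_sign() {
    keyid=$1
    slip=$(normalize_fpr "$2")
    fpr_matches_keyid "$slip" "$keyid" || { echo "slip fingerprint does not end in $keyid" >&2; return 1; }
    server=$(fetch_fpr "$keyid") || { echo "could not fetch $keyid" >&2; return 1; }
    if [ "$server" != "$slip" ]; then
        echo "FINGERPRINT MISMATCH for $keyid: server=$server slip=$slip" >&2
        return 1
    fi
    gpg --sign-key "$keyid" && gpg --keyserver "$KEYSERVER" --send-keys "$keyid"
}
```

Run it as `verify_and_sign EF52DFFF "EA08 E00D 9202 EF0B 6217 A7BD E187 4DB3 EF52 DFFF"` after sourcing the file; a mismatch aborts before gpg ever asks you to sign.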

GUI Front Ends

I'm looking at some front ends to gpg. Here is a list I got from the gnupg.org website:

  • GnomePGP:
    Is a GNOME desktop tool to control GnuPG. (this project appears to be dead - PhilG)
  • GPA:
    Aims to be the standard GnuPG graphical frontend. GPA is hosted on this site. (I started to build the stable release, but the stable release depends on an unstable release of the GPGME library, so I decided not to finish the build)
    I see that there are RPM packages for some Red Hat derivatives like Mandrake, so if you have one of those distros you may want to try installing GPA and then let me know what you think of it.
  • KGpg:
    Is a KDE frontend for GnuPG.
  • Seahorse:
    Is a GNOME frontend for GnuPG.
  • TkPGP:
    Is another graphical tool to control GnuPG.
  • WinPT:
    Is a MS-Windows program to integrate GnuPG into the Desktop.
  • XAP:
    Is the X application panel and filemanager.

Web of Trust Graph

Ok, I'm still learning the tools, but here is a graph of MLUG members' keys that have been signed: WebOfTrust

Created by: PhilG last modification: Sunday June 29, 2008 [07:51:45 UTC] by spinelli
