CLUG July 26th

Drake Diedrich dld at coyote.com.au
Wed Jul 25 16:11:05 EST 2001


On Tue, Jul 24, 2001 at 05:47:32PM +1000, Paul Matthews wrote:
> The July CLUG is next Thursday night (the 26th)


   It's been suggested many times that we should have key signings at CLUG,
but except for a few required-to-join-Debian signatures it's never happened.
There is now a monthly analysis of the connectedness of strongly connected
keys ( http://dtype.org/keyanalyze/ ), including most Debian keys, the Kernel
archives, ...  My own key is 8000-something out of ~10,000 strongly
connected keys. This is embarrassing.  CLUG is an excellent place to sign
other keys and get your own key signed and into the strong set. If we could
get 1% of Canberra to exchange signatures we'd bring the center of mass of
the strong set right here and own the top ~3000 keys, and be the
cryptographic center of the world.  ( What shall we do this month at CLUG
Brain?  }:} )


   What you need to do (waiting an hour or two for the inevitable
corrections..):


In Summary:

	gpg --gen-key
	gpg --keyserver wwwkeys.au.pgp.net --send-keys {key-id}
	gpg --fingerprint {key-id} | CLUG
	gpg --keyserver wwwkeys.au.pgp.net --recv-keys {key-id} {key-id} ...
		gpg --edit-key {key-id}
		fpr
		sign
		save
	gpg --keyserver wwwkeys.au.pgp.net --send-keys {key-id} {key-id} ...


In Full form:

1) Generate a key on your own (private, secure) system.

	gpg --gen-key


	(gpg automatically self-signs keys, if using PGP 2.6.3 you'll
	 need to add this step)


     ( You may have multiple identities (email addresses) on the same key,
       but people individually sign the identities-with-key, so be polite
       and keep the number to a minimum, preferably only slowly changing
       addresses.)

2) Upload your public key to the public keyservers

	gpg --keyserver wwwkeys.au.pgp.net --send-keys {key-id}

   ( {key-id} is the ID number or some other distinctive feature of your
     key, like the email address you typed in during key generation )

   (the truly paranoid keep their private keys only on offline machines,
    but if you were this paranoid you've already read the real docs)


3) Print out a bunch of copies of your public key fingerprint

	gpg --fingerprint {key-id}
	

4) Go to CLUG, bringing copies of your fingerprint.  No need to bring a
   computer.

   Walk around looking for other people with papers, business cards,
passports, and drivers licenses in their hands.  Introduce yourself,
exchange fingerprint cards, and temporarily exchange photo ID.  Verify that
the name on the photo ID is the name on the fingerprint.  Make a note to
yourself that you've verified this, return the photo ID, and put the
fingerprint card in your pocket.  {Note, remember not to wash pants before
removing fingerprint notes}


5) At home, dig out all fingerprints.  Pull down all of the public keys from
the keyserver.  

	gpg --keyserver wwwkeys.au.pgp.net --recv-keys {key-id} {key-id}  ...

Now, this is the whole point of the entire exercise:

VERIFY THAT THE KEY FROM THE KEYSERVER HAS THE SAME FINGERPRINT AS THE ONE
YOU RECEIVED IN PERSON.

Sign the public key.

	gpg --edit-key {key-id}
	fpr
	sign
	save


   If you lose the fingerprint cards, don't sign the key.  You've just
wasted an evening.  ( I've done this twice at conferences now..)


6) Upload the signed key to a public keyserver (they merge signatures, so no
worry about overwriting each other).

	gpg --send-keys {key-id} {key-id} {key-id} ...



To save typing and bandwidth, a few useful additions to your .gnupg/options:

default-key 0xWHATEVER
load-extension idea
keyserver wwwkeys.au.pgp.net
honor-http-proxy

   And then, not only can you sign messages, but other CLUG members might
be able to verify them!


-Drake