Keysigning

Drake Diedrich dld at coyote.com.au
Wed Nov 21 14:52:01 EST 2001


On Mon, Nov 19, 2001 at 05:27:12PM +1100, David Clarke wrote:
> Howdy,
> 	On Thursday's clug me and a few friends would like to get our
> gpg keys signed.  Just wondering if there are many people coming that
> would be up for that.  Anyways we'll be the 3 or so people, in a group
> looking lost and confused :)
> 
> 	David.

   Yeah, I was briefly enthusiastic about getting cross signatures when I
discovered I was #8151 out of about 10,000 in the strong set of connected
GPG keys.  Three keysignings later I'd advanced about a hundred positions,
and then attendance dropped due to conferences or something.  Now Tridge
seems to be sitting at 200-something, and could do a lot for the rest of our
rankings if he'd turn up..   I'll wear a red jacket and be playing with a
new fridge-colored iBook.  :)

   A map of the clug keyring cross signatures, and a few interesting remote
keys such as CERT, Kernel Archives, etc is available at
http://www.coyote.com.au/~dld/clug.ps.gz
  Let me know if you're not on this map and I'll add you to the list of
interesting keys used to make the diagram.


   Here are the instructions again: modified to use the pgp.dtype.org
server, since it's the most central and available (sorry about the AU server
recommendation earlier).  Note that these are far from the most paranoid
keysigning procedures (no exchange of email to verify Name->email mapping),
and are not the most efficient (no central organizer), but should continue
to function in a CLUG-like Ad Hoc networking manner.

In Summary:

        gpg --gen-key
        gpg --keyserver pgp.dtype.org --send-keys {key-id}
        gpg --fingerprint {key-id} | CLUG
        gpg --keyserver pgp.dtype.org --recv-keys {key-id} {key-id} ...
                gpg --edit-key {key-id}
                fpr
                sign
                save
        gpg --keyserver pgp.dtype.org --send-keys {key-id} {key-id} ...


In Full form:

1) Generate a key on your own (private, secure) system.

	gpg --gen-key


	(gpg automatically self-signs keys; if using PGP 2.6.3 you'll
	 need to add this step)


     ( You may have multiple identities (email addresses) on the same key,
       but people individually sign the identities-with-key, so be polite
       and keep the number to a minimum, preferably only slowly changing
       addresses.)

2) Upload your public key to the public keyservers

	gpg --keyserver pgp.dtype.org --send-keys {key-id}

   ( {key-id} is the ID number or some other distinctive feature of your
     key, like the email address you typed in during key generation )

   (the truly paranoid keep their private keys only on offline machines,
    but if you were this paranoid you've already read the real docs)


3) Print out a bunch of copies of your public key fingerprint

	gpg --fingerprint {key-id}


4) Go to CLUG, bringing copies of your fingerprint.  No need to bring a
   computer.

   Walk around looking for other people with papers, business cards,
passports, and drivers licenses in their hands.  Introduce yourself,
exchange fingerprint cards, and temporarily exchange photo ID.  Verify that
the name on the photo ID is the name on the fingerprint.  Make a note to
yourself that you've verified this, return the photo ID, and put the
fingerprint card in your pocket.  {Note, remember not to wash pants before
removing fingerprint notes}


5) At home, dig out all fingerprints.  Pull down all of the public keys from
the keyserver.

	gpg --keyserver pgp.dtype.org --recv-keys {key-id} {key-id}  ...

Now, this is the whole point of the entire exercise:

VERIFY THAT THE KEY FROM THE KEYSERVER HAS THE SAME FINGERPRINT AS THE ONE
YOU RECEIVED IN PERSON.

Sign the public key.

	gpg --edit-key {key-id}
	fpr
	sign
	save


   If you lose the fingerprint cards, don't sign the key.  You've just
wasted an evening.  (I've done this twice at conferences now.)


6) Upload the signed key to a public keyserver (they merge signatures, so no
worry about overwriting each other).

	gpg --send-keys {key-id} {key-id} {key-id} ...
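
   Steps 5 and 6 above, combined into one script, as an added example that is
not part of Drake's post: it fetches a key, compares the keyserver's fingerprint
with the one written on the card (after normalising spacing and case), refuses
to sign on any mismatch, and cross-checks that the key ID on the card is the
tail of a v4 fingerprint, which is what step 5 is really protecting against.
The server name is the one the post names; the key ID and fingerprint in the
usage line are constructed placeholders, and the comparison helpers run without
gpg installed.

```sh
#!/bin/sh
# Added example, not from the original post: check a keyserver copy against the
# fingerprint received in person before signing. KEYSERVER defaults to the host
# named in the post; the key ID and fingerprint passed on the command line are
# whatever is on your card. Only verify_and_sign() needs gpg; the helpers are
# plain POSIX sh, awk and tr.

KEYSERVER="${KEYSERVER:-pgp.dtype.org}"

# Canonical fingerprint: hex digits only, upper case. Cards are hand-written with
# spaces and mixed case, so always compare canonical forms, never raw strings.
canon_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# 0 if both fingerprints are identical once canonicalised and have a plausible
# length: 40 hex digits for OpenPGP v4 keys, 32 for PGP 2.6.x (v3) keys.
fprs_match() {
    a=$(canon_fpr "$1"); b=$(canon_fpr "$2")
    case "${#a}" in 40|32) ;; *) return 1 ;; esac
    [ "$a" = "$b" ]
}

# Read `gpg --with-colons --fingerprint` output on stdin and print the primary
# key's fingerprint: field 10 of the first "fpr" record (later ones are subkeys).
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# For a v4 key the short (8-digit) key ID is the low 32 bits of the fingerprint,
# so it must equal the fingerprint's last 8 hex digits (16 for a long ID). This
# catches a card whose printed key ID and fingerprint do not belong together.
# v3 fingerprints (32 digits) do not embed the key ID, so the check is refused.
keyid_matches_fpr() {
    id=$(canon_fpr "$1"); id="${id#0x}"; id="${id#0X}"
    f=$(canon_fpr "$2")
    [ "${#f}" -eq 40 ] || return 1
    [ "${#id}" -eq 8 ] || [ "${#id}" -eq 16 ] || return 1
    case "$f" in *"$id") return 0 ;; *) return 1 ;; esac
}

# Steps 5 and 6 of the post: fetch, compare, sign, upload. Any mismatch aborts
# before gpg ever asks "Really sign?".
verify_and_sign() {
    keyid="$1"; card_fpr="$2"
    card_canon=$(canon_fpr "$card_fpr")
    if [ "${#card_canon}" -eq 40 ] && ! keyid_matches_fpr "$keyid" "$card_fpr"; then
        echo "key ID $keyid is not the tail of the card fingerprint $card_canon" >&2
        return 1
    fi
    gpg --keyserver "$KEYSERVER" --recv-keys "$keyid" || return 1
    server_fpr=$(gpg --with-colons --fingerprint "$keyid" | fpr_from_colons)
    if ! fprs_match "$server_fpr" "$card_fpr"; then
        echo "FINGERPRINT MISMATCH for $keyid" >&2
        echo "  card:   $card_canon" >&2
        echo "  server: $(canon_fpr "$server_fpr")" >&2
        echo "Not signing." >&2
        return 1
    fi
    echo "fingerprint matches the card; signing $keyid" >&2
    gpg --sign-key "$keyid" || return 1      # same as edit-key, sign, save
    gpg --keyserver "$KEYSERVER" --send-keys "$keyid"
}

# usage (constructed placeholder values):
#   sh keysign.sh 0xDEADBEEF "0123 4567 89AB CDEF 0123 4567 89AB CDEF DEAD BEEF"
if [ $# -ge 2 ]; then
    verify_and_sign "$1" "$2"
fi
```

   `gpg --sign-key` does the same thing as the edit-key/sign/save sequence in
the post and still prompts you to confirm, so the script only removes the
chance of signing a key whose fingerprint you never compared; it does not
remove the decision.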



To save typing and bandwidth, a few useful additions to your .gnupg/options:

default-key 0xWHATEVER
load-extension idea
keyserver pgp.dtype.org
honor-http-proxy

   And then, not only can you sign messages, but other CLUG members might
be able to verify them!


-Drake

