Difference between revisions of "Keysigning 2016-02-21"

From the Linux and Unix Users Group at Virginia Teck Wiki
Jump to: navigation, search
imported>Echarlie
imported>Echarlie
(What you need to do in order to attend)
 
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
Keysigning party? Keysigning party!
 
Keysigning party? Keysigning party!
  
Direct all questions to '''echarlie at vtluug.org'''
+
Direct all questions to '''<code>echarlie at vtluug.org</code>'''
  
The purpose of this keysigning party is to bring bring together a meeting of
+
The purpose of this keysigning party is to bring bring together
 
people who are interested in cryptography and/or digital privacy with the
 
people who are interested in cryptography and/or digital privacy with the
 
goal of strengthening the web of trust.
 
goal of strengthening the web of trust.
Line 9: Line 9:
 
VTLUUG hosts these from time to time to promote cryptography standards such as
 
VTLUUG hosts these from time to time to promote cryptography standards such as
 
PGP, to raise awareness of cryptography, and to allow members to authenticate
 
PGP, to raise awareness of cryptography, and to allow members to authenticate
each other for distribution of semi-sensitive information
+
each other for distribution of semi-sensitive information.
  
 
Some samples on running keysigning parties:
 
Some samples on running keysigning parties:
Line 16: Line 16:
  
 
Event on biglumber: http://biglumber.com/x/web?ev=28819
 
Event on biglumber: http://biglumber.com/x/web?ev=28819
 +
 
We '''could''' add an event keyring, or perhaps a long-time even with keyring, to simplify
 
We '''could''' add an event keyring, or perhaps a long-time even with keyring, to simplify
 
identification of members with keys, and to ease the process of fetching all of the keys, however
 
identification of members with keys, and to ease the process of fetching all of the keys, however
Line 47: Line 48:
 
medium such as email. This only works, however, if you have some method of
 
medium such as email. This only works, however, if you have some method of
 
verifying that the other party is indeed who they claim to be. This problem
 
verifying that the other party is indeed who they claim to be. This problem
is solved through keysigning: you are verifying first hand that the other
+
is solved through keysigning: you are verifying first-hand that the other
party's identity and key match as well as declaring this to anyone who
+
party's identity and key match, as well as declaring this to anyone who
 
trusts you. These interconnected chains of verification form a web of trust
 
trusts you. These interconnected chains of verification form a web of trust
 
and allow secure communication between previously unacquainted or unverified
 
and allow secure communication between previously unacquainted or unverified
Line 56: Line 57:
 
generate one. For the Linux and BSD operating systems, we recommend [http://gnupg.org GnuPG] version 2.0 or later
 
generate one. For the Linux and BSD operating systems, we recommend [http://gnupg.org GnuPG] version 2.0 or later
 
or one of its frontends such as [http://www.gnupg.org/related_software/gpa/index.en.html GPA] or [http://projects.gnome.org/seahorse/ Seahorse]. For Windows we
 
or one of its frontends such as [http://www.gnupg.org/related_software/gpa/index.en.html GPA] or [http://projects.gnome.org/seahorse/ Seahorse]. For Windows we
suggest [http://www.gpg4win.org Gpg4Win]. For OSX we suggest [https://gpgtools.org/ GPG Tools] Both OSX and Windows can run the official GnuPG client,
+
suggest [http://www.gpg4win.org Gpg4Win]. For OSX we suggest [https://gpgtools.org/ GPG Tools]. Both OSX and Windows can run the official GnuPG client,
 
if you are okay with working from the command line. Follow the associated documentation to generate a keypair,
 
if you are okay with working from the command line. Follow the associated documentation to generate a keypair,
or refer to the ArchWiki Page on GnuPG
+
or refer to the ArchWiki Page on GnuPG.
 
   
 
   
 
If you wish to attend, please bring '''two forms of valid identification''' as well as paper copies of your key fingerprint.
 
If you wish to attend, please bring '''two forms of valid identification''' as well as paper copies of your key fingerprint.

Latest revision as of 16:09, 20 February 2016

Keysigning party? Keysigning party!

Direct all questions to echarlie at vtluug.org

The purpose of this keysigning party is to bring bring together people who are interested in cryptography and/or digital privacy with the goal of strengthening the web of trust.

VTLUUG hosts these from time to time to promote cryptography standards such as PGP, to raise awareness of cryptography, and to allow members to authenticate each other for distribution of semi-sensitive information.

Some samples on running keysigning parties:

Event on biglumber: http://biglumber.com/x/web?ev=28819

We could add an event keyring, or perhaps a long-time even with keyring, to simplify identification of members with keys, and to ease the process of fetching all of the keys, however that takes a critical mass of interest in the event.

Time/Date

Plan

Verify identities for signing PGP keys, with food and door prizes.

  • Invite your friends
  • Upload keys to VT keyserver
  • Signing GPG keys (Maybe CACerts too, depending on demand)

What you need to do in order to attend

  • Have a GPG key (if you don't have one, we can help you at a meeting Thursday at 8:30 in TORG 1040 or via IRC on #vtluug )
    • Upload it to the VT keyserver
  • Sign up for the event here
  • Bring 2 forms of IDs (Driver's license + Hokie ID will do, for example) and your Key Fingerprint (to reduce errors in transcribing)
  • >> Read the instructions <<
    • These instructions are dated, and thus are not correct. They *do* provide a good guideline, however, of how this will run.

OpenPGP is a cryptographic standard that allows for secure, confidential, non-reputable, and verifiable communication over an otherwise untrusted medium such as email. This only works, however, if you have some method of verifying that the other party is indeed who they claim to be. This problem is solved through keysigning: you are verifying first-hand that the other party's identity and key match, as well as declaring this to anyone who trusts you. These interconnected chains of verification form a web of trust and allow secure communication between previously unacquainted or unverified communicators.

If you do not already have an OpenPGP key, please acquire a client and generate one. For the Linux and BSD operating systems, we recommend GnuPG version 2.0 or later or one of its frontends such as GPA or Seahorse. For Windows we suggest Gpg4Win. For OSX we suggest GPG Tools. Both OSX and Windows can run the official GnuPG client, if you are okay with working from the command line. Follow the associated documentation to generate a keypair, or refer to the ArchWiki Page on GnuPG.

If you wish to attend, please bring two forms of valid identification as well as paper copies of your key fingerprint.

The Procedure

This is merely a summary: Please refer to other sources, and the GnuPG documentation for a better understanding of what each piece entails.

  1. Generate a keypair and upload it to the VT Keyserver
  2. Bring your ID; bring multiple printouts of your key fingerprint (think 30 to 50)
  3. Everyone will sign in at the party
  4. When most of the participants have arrived, we will form a line, and everyone will rotate down the line, meet everyone else, and verify their ID against their name.
  5. When the party ends, you go to a secure place, download keys for other users, sign them, and sync them against the server