LCA 2004 started at Wed Jan 14 08:00:00 2004.

LCA2004 Keysigning Procedure

Keysigning now closed: download keyring and keylist now

The final conference keyring and keylist have been generated, and no more keys will be accepted. If you sent your key in for the keysigning, you need to:

  1. Download the archive (lca2004keysigning.tar.gz)
  2. Uncompress and untar it (eg: 'tar zxf lca2004keysigning.tar.gz'). Inside it you'll find keylist.txt and keyring.asc, along with md5 and sha1 sums.
  3. Print the keylist.txt file using a monospace font. You may need to use a small font size or landscape layout to make it fit.
  4. Check the md5sum of keylist.txt (eg: 'md5sum keylist.txt') and write it down on your hard copy. It should be 'bc718b3fba8baccba89c6ca1ba898359'.
  5. Physically sign your hard copy of the list so you know it's yours, and no-one can substitute a bogus copy on the day.
  6. Come to LCA, and bring your photo ID and a pen!


This procedure is provided as a guide to how the keysigning will be run at LCA2004.

These instructions assume you are running GnuPG directly from the command line--if you are using a GUI such as GPGP please consult the documentation of your software for equivalent commands.

Other documentation you might find useful:

  • http://www.cryptnet.net/fdp/crypto/gpg-party.html
  • http://www.herrons.com/kb2nsx/keysign.html
  • http://people.debian.org/~stevenk/keysigning.html

    This document is divided into three sections:
    Before the keysigning - things you have to do before you turn up.
    At the keysigning - the procedure we'll be using is a bit unusual, read this so you don't feel lost.
    After the party - what to do when you get home and start signing keys.

    Before the keysigning:

    1: Send your key details to lca2004-keys@linuxsa.org.au, like so:

      gpg --export -a keyid | mail -s "LCA2004 keysigning" lca2004-keys@linuxsa.org.au

    by no later than midnight EDST Monday 5th Jan 2004 (ie: a week before the Miniconfs start). All keys will need to be compiled into a master keyring and a list generated before the event, so if you don't get your key in by then, bad luck. No late entries will be accepted, although you are still welcome to attend the keysigning to sign other keys or do 1:1 signings. You have been warned!

    Note that 'keyid' here and for the rest of the document refers to your key ID, usually a hexadecimal number like '64011A8B' or just an email address or username like 'jon@debian.org' or 'jon'. The above command will output an ASCII-armoured copy of your public key and mail it to the keysigning organisers.

    1.5: The keysigning organisers will collate a big list of keys and details sent in from all the participants and publish the list on this page on Tuesday Jan 6th, 2004 to give international delegates time to access it prior to departure. Along with the list will be a gpg keyring of all the public keys of the attendees.

    2: Grab the list and print it out. md5sum the list, too, and write that down (on the back of the list or somewhere you won't lose it).

    At the keysigning:

    In order to speed up the process we will be running the keysigning slightly differently than the way you may have done it before.

    You will need to bring:

    1. Yourself
    2. 2 forms of photo ID, at least one of which is issued by the government, carrying the same name as on your key. Passports, driver's licences, 18+ cards, etc, are good examples. They must be READABLE!
    3. A handful (say, 20 or so) of copies of your key ID, key type, fingerprint, and key size printed out on paper. Running:

        gpg --fingerprint keyid | lpr

      should suffice for this.

    4. A pen or pencil. Don't forget this!
    5. The list you printed out above, and the md5sum. Lists will be available at the event itself, but you're too paranoid to trust that the organisers haven't sabotaged all the keys, right?

    The procedure will run as follows:

    1. At the keysigning, the md5sum of the list will be displayed, and everyone will be asked to confirm that the md5sum as displayed is the same as the md5sum for the list you downloaded. If it matches, you know the list you have was not tampered with, and that everyone is reading from an identical list.
    2. Check your own entry on the list, verifying that your details (particularly the fingerprint) are correct.
    3. Each participant will be called upon in turn to come to the front of the theatre, and state that their details on the list are correct. Participants should note down any people who state their details are not correct.

      Place a tick next to their name if their details are correct.

    4. They will also place their 2 forms of ID in front of a video camera, which will project their ID and their face for all to see (clearly, we hope!). The organisers will also check their ID close up. Participants should note down any people who do not pass the ID check.

      Place a second tick next to their name if you feel that their ID is sufficient.

    5. Once the ID check is complete, people are free to mingle, discuss PKI and so forth, and engage in smaller keysigning rituals with those people who turned up on the day without registering their key with the organisers. The handful of fingerprints you brought with you will be useful here. People are encouraged to get paranoid and use Manoj's key signing protocol: http://people.debian.org/~jaqque/keysign.html

    After the party:

    1. Participants may now take their lists home, and download the keyring of all keys on the list if they haven't done so already. The keyring will be md5summed before the keysigning and that value displayed on the list. In their own time (i.e. maybe up to a week later, once they get home from the conference) participants may sign all keys for which they are satisfied that the person passed their ID check and that the key on the list is theirs.
    2. Fire up your computer running GPG, and get out your key list from the party. At this point, most of the people on your list should have 2 ticks next to their name. You can now sign those keys.
    3. Public keys of every participant will be made available with the list, which you can import into your local gpg keyring by:

        gpg --import lca2004-keyring.gpg

    4. Fingerprint each key in turn:

        gpg --fingerprint keyid

      where keyid now refers to some unique part of the person's key that you are signing, whether it be Key ID or email address.

      This will give you a fingerprint that you need to verify against the one printed on your list of keys from the keysigning party. If it doesn't match, DON'T SIGN IT!

    5. Now the moment of truth, you can actually sign the key:

        gpg --sign-key keyid

    6. Once keys are signed, it is a good idea to mail the signed key to the owner of that key personally, rather than uploading it to a keyserver.

      Export the key to ASCII, using

        gpg --export -a keyid > keyid.asc

      and send a signed, encrypted mail to that person with their ASCII armoured key as an attachment. This way the recipient must be in control of the private key in order to decrypt the key with your signature, and they themselves will merge it into their own key and upload it to a keyserver if they so desire. You shouldn't upload a key to a keyserver if it wasn't there to begin with, so let the owner of the key decide where they wish to publish it.

    7. Repeat steps 4 to 6 until all the keys you wish to sign are signed and sent to their owners.
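    The checks in steps 2, 4 and 5 (sign only keys that earned both ticks, and only when the fingerprint gpg reports matches the one on your printed list) can be mechanised. The following is an added example and not part of the LCA2004 procedure: it parses a constructed sample of `gpg --with-colons --fingerprint` output and a constructed transcript of a hand-annotated list, and reports which keys may be passed to `gpg --sign-key` and why the rest must not be. All key IDs, fingerprints and names are made up.

```python
import re
# Constructed `gpg --with-colons --fingerprint` output (not real keys): field 5 of
# a 'pub' record is the long key ID, field 10 of the next 'fpr' record the fingerprint.
SAMPLE_GPG_OUTPUT = """\
pub:-:1024:17:90ABCDEF12345678:2003-11-02::::-:
fpr:::::::::1234567890ABCDEF1234567890ABCDEF12345678:
uid:-::::2003-11-02::1111::Alice Example <alice@example.org>:
pub:-:1024:17:87654321FEDCBA09:2003-12-09::::-:
fpr:::::::::FEDCBA0987654321FEDCBA0987654321FEDCBA09:
pub:-:1024:17:0000111122223333:2003-12-20::::-:
fpr:::::::::AAAA0000BBBB1111CCCC22220000111122223333:
"""
# Constructed hand-annotated list: short key ID -> (printed fingerprint, ticks earned).
PRINTED_LIST = {
    "12345678": ("1234 5678 90AB CDEF 1234  5678 90AB CDEF 1234 5678", 2),
    "FEDCBA09": ("FEDC BA09 8765 4321 FEDC  BA09 8765 4321 FEDC BA00", 2),  # last byte differs
    "22223333": ("AAAA 0000 BBBB 1111 CCCC  2222 0000 1111 2222 3333", 1),  # failed ID check
    "64011A8B": ("0000 0000 0000 0000 0000  0000 0000 0000 6401 1A8B", 2),  # never sent in
}

def parse_fingerprints(colon_output):
    """Map long key ID -> fingerprint, using only the primary key's 'fpr' record."""
    fingerprints, pending = {}, None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            pending = fields[4]
        elif fields[0] == "fpr" and pending is not None:
            fingerprints[pending] = fields[9]
            pending = None  # later 'fpr' records belong to subkeys; skip them
    return fingerprints

def keys_to_sign(colon_output, printed_list):
    """Return (ok, rejected): long IDs safe to sign, and short IDs -> reason not to."""
    norm = lambda f: re.sub(r"\s+", "", f).upper()  # drop gpg's grouping spaces
    in_keyring = parse_fingerprints(colon_output)
    by_short = {long_id[-8:]: long_id for long_id in in_keyring}
    ok, rejected = [], {}
    for short_id, (printed_fpr, ticks) in printed_list.items():
        long_id = by_short.get(short_id)
        if long_id is None:
            rejected[short_id] = "not in keyring"
        elif ticks < 2:
            rejected[short_id] = "fewer than two ticks"
        elif norm(in_keyring[long_id]) != norm(printed_fpr):
            rejected[short_id] = "fingerprint mismatch - DON'T SIGN IT"
        else:
            ok.append(long_id)
    return ok, rejected
```

    Against the sample data only Alice's key comes back in `ok`; feed real data in by piping `gpg --with-colons --fingerprint` output into `keys_to_sign` and transcribing your own ticked list.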

    About this time, you'll start to get emails back from other people who were at the party who have signed your key. When you receive a signed key from a participant of the keysigning, enter your passphrase to decrypt the message, verify the signature is correct, save the attachment, and import it into your own key using

      gpg --import keyid.asc

    You'll then have a whole lot more signatures on your key, which was, after all, the whole point of the exercise! ;-)


    This documentation was compiled by Jonathan Oxer, based on the Debian MiniConf2 Keysigning Procedure written by Jamie Wilkinson, Matt Hope and Jonathan Oxer.

  • Linux® is a registered trademark of Linus Torvalds.
    The original Tux penguin is Copyright © by Larry Ewing.
    All material on this page is Copyright © "Linux Australia" unless otherwise noted.