PGP Key-signing Party
Where?
Keg South
12805 SW 136th Ave
Miami Fl.
(pretty much corner of 128th st and sw 137th ave)
When?
Dec 29th, 2000
8pm to 10pm
The 'party' will start at 8pm and go until at least 10pm or so. We will
start the key-signing process when Greg's crew arrives. You may, of course,
arrive earlier or later. I'll be there early to try to secure us a big ole
table; the crew from up north will probably be arriving later.
e-TechServices will *not* be
sponsoring the first $100 of beer at this event, but they did that last time
and as such should be recognized and thanked again. Especially since
this page is pretty much stolen from them ;) This time it is each man/woman
for themselves. I tried to get FIU to let me put it on the procard, but
purchasing just is not hip. But I imagine that we will have a good bunch
of beer and food anyway. Keg South has excellent wings and fabulous burgers.
What's a key-signing party?
A key-signing party is a get-together with PGP users for the purpose of
meeting other PGP users and signing each other's keys. This helps to
extend the "web of trust" to a great degree. Also, it sometimes serves as a
forum to discuss strong cryptography and related issues.
What do I need for this party?
Required Items
- Physical attendance
- Positive picture ID
- key ID, key type, HEX fingerprint, and key size
- A pen/pencil or whatever you'd like to write with....
- NO computer
Required Process
- Generate a key/Remember your pass phrase
- All attendees send their public keys to a public keyserver. For this
party, we'll use search.keyserver.net. If for some reason you don't want
your key to be in a public keyserver, but still want to participate, let
me know and I can change the protocol.
- All attendees send their key ID, key type, fingerprint, and key size to
the host, esj@cs.fiu.edu,
who will compile everyone's key information.
- The host prints a list with everyone's key ID, key type, fingerprint,
and key size from the compiled keyrings and distributes copies of the
printout at the meeting.
- Attend the party. Bring along a paper copy of your key ID, key type,
fingerprint, and key size that you obtained from your own keyring. You
must also bring along a suitable photo ID. Instruct the attendees at the
beginning that they are to make two marks on the listing, one for correct
key information (key ID, key type, fingerprint, and key size) and one if
the ID check is ok.
- At the meeting each key owner reads his key ID, key type, fingerprint,
key size, and user ID from his own printout, not from the distributed
listing. This is because there could be an error, intended or not, on the
listing. This is also the time to tell which IDs to sign or not. If the key
information matches your printout then place a check-mark by the key.
- After everyone has read his key ID information, have all attendees form a line.
  - The first person walks down the line having every person check his ID.
  - The second person follows immediately behind the first person and so on.
  - If you are satisfied that the person is who they say they are, and
    that the key on the printout is theirs, you place another check-mark
    next to their key on your printout.
  - Once the first person cycles back around to the front of the line he
    has checked all the other IDs and his ID has been checked by all others.
- After everybody has identified himself or herself the formal part of
the meeting is over. You are free to leave or to stay and discuss
matters of PGP and privacy (or anything else) with fellow PGP users. If
everyone is punctual the formal part of the evening should take less than
an hour.
- After confirming that the key information on the key server matches the
printout that you have checked, sign the appropriate keys. Keys can only
be signed if they have two check-marks.
- Send the signed keys back to the keyservers.
- Use those keys as often as possible.
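The at-home step (compare the keyserver copy with your checked printout, sign only keys with two check-marks) can be scripted. This is an added example, not part of the original page: it assumes GnuPG's `--with-colons` listing format, and the checklist file format, the function name `review_checklist` and all key data are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Checklist line format is an
# assumption: keyid|type|bits|fingerprint|info_mark|id_mark
# Listing is `gpg --with-colons --fingerprint` output for the fetched keys.

# Constructed sample data; none of these keys exist.
CHECKLIST='1111AAAA2222BBBB|RSA|2048|0123 4567 89AB CDEF 0123 4567 1111 AAAA 2222 BBBB|y|y
3333CCCC4444DDDD|DSA|1024|FEDC BA98 7654 3210 FEDC BA98 3333 CCCC 4444 DDDD|y|n
5555EEEE6666FFFF|RSA|2048|AAAA BBBB CCCC DDDD EEEE FFFF 5555 EEEE 6666 FFFF|y|y'

# Third key: same key ID on the server, but a different fingerprint.
LISTING='pub:-:2048:1:1111AAAA2222BBBB:975369600:::-:::scESC:
fpr:::::::::0123456789ABCDEF012345671111AAAA2222BBBB:
pub:-:1024:17:3333CCCC4444DDDD:975369600:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA983333CCCC4444DDDD:
pub:-:2048:1:5555EEEE6666FFFF:975369600:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEE00005555EEEE6666FFFF:'

# review_checklist CHECKLIST LISTING
# Prints one "SIGN <fingerprint>" or "SKIP <keyid> <reason>" per checklist key.
review_checklist() {
    { printf '%s\n' "$2"; printf '%s\n' "$1"; } | awk '
    BEGIN { name[1] = "RSA"; name[17] = "DSA" }   # OpenPGP algorithm numbers
    /^pub:/ { split($0, f, ":"); id = f[5]; seen[id] = 1
              bits[id] = f[3]; kind[id] = name[f[4]]; want = 1; next }
    /^fpr:/ { split($0, f, ":")                   # first fpr after pub = primary key
              if (want) { fpr[id] = f[10]; want = 0 }
              next }
    /\|/ {
        split($0, c, "|"); k = toupper(c[1])
        p = toupper(c[4]); gsub(/[^0-9A-F]/, "", p)   # drop printout spacing
        if (c[5] != "y" || c[6] != "y") print "SKIP " k " needs-two-check-marks"
        else if (!(k in seen))          print "SKIP " k " not-in-fetched-listing"
        else if (p != fpr[k] || c[3] != bits[k] || toupper(c[2]) != kind[k])
                                        print "SKIP " k " keyserver-copy-differs"
        else                            print "SIGN " fpr[k]
    }'
}

review_checklist "$CHECKLIST" "$LISTING"
```

The third sample key shows why the whole fingerprint is compared and not just the key ID: the ID on the server matches the printout, the fingerprint does not. Each `SIGN` fingerprint can then be passed to `gpg --sign-key` and the result sent back with `gpg --send-keys`.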
This key-signing party protocol was based heavily on the protocol
detailed in http://www.herrons.com/kb2nsx/keysign.html.
This key signing page was stolen blatantly from
John Sheehy's
page for the original Gainesville PGP party.
Why shouldn't I bring a computer?
There are a variety of reasons why you don't want to do this. The short
answer is it would be insecure, unsafe, and of no benefit. For those not
convinced, here are some reasons why it is insecure, unsafe, and of no
benefit.
- If people are swapping disks with their keys on them the computer owner has to worry about viruses.
- If people are carrying their secret keys with them and intend to do
the signing at the actual meeting by typing their passphrase into a
computer, then they are open to key-logging attacks, shoulder-surfing, etc.
- It is much better to just exchange key details and verify ID and then do the signing when you get home to your own trusted computer.
- Someone might spill beer on it.
- Someone might drop it or knock it off the table.
- More reasons, I don't feel like articulating
Other questions about signing keys?
The questions and answers below all come from the PGP FAQ, which has a lot of
other good information, besides what is linked to below.
Other useful PGP links
A few more links for PGP newbies, or those who wish to reacquaint
themselves.
What if I still have a question?
Oh just show up and party anyway. Ask someone over a beer.