On 09/08/13 12:53, Fraser Tweedale wrote:

I wrote a key submission application that you might find useful. It's pretty spartan, but I've use it for keysigning parties at linux.conf.au and other conferences and it does the job.

https://github.com/frasertweedale/pgpsubmit

Looks neat. I'll look into it more closely if I have time (probably not before this months meet-up though).

Oh and I should also mention https://github.com/frasertweedale/gcaff which is a friendlier alternative to caff for signing multiple keys. Even has a GUI!

I attempted to open some of the Debian keyrings just to see what the GUI looked like, but it would always fail with an uncaught exception. Didn't spend too much time on it, but I like the idea.

On Fri, Aug 09, 2013 at 12:20:05PM +1000, Ben Finney wrote:

...

I think we will use some middle ground between the “Sassaman” URL:http://keysigning.org/methods/sassaman-efficient and “Ad hoc” URL:http://keysigning.org/methods/adhoc>. Specifically, I think the party will be small enough to use Ad hoc, but the central point of contact to co-ordinate the participating keys will be helpful.

I'm expecting a number of people will not have any GnuPG experience, so am intending to provide a small presentation on the subject. If people bring laptops, they might create decide to create keys on the spot. I know this isn't ideal, but I think it's important to prioritise helping people get started. As the meet-up is only a few days away, it's probably not reasonable to expect everyone will have time to send me keys prior to the event. Happy to do this if people want, but I agree with your assessment that leaning towards ad hoc might be the way to go. Depending on how we go for time, how many people turn up (and interest levels), I'd even be happy to continue keysigning while waiting on dinner - if there are no objections, anyway. Cheers, Adam

On Mon, Aug 12, 2013 at 10:02:42AM +1000, Ben Finney wrote:

Adam Bolte writes:

...

As the meet-up is only a few days away, it's probably not reasonable to expect everyone will have time to send me keys prior to the event. Happy to do this if people want, but I agree with your assessment that leaning towards ad hoc might be the way to go. Depending on how we go for time, how many people turn up (and interest levels), I'd even be happy to continue keysigning while waiting on dinner - if there are no objections, anyway.

It's also worth noting that a keysigning party has a misleading name: The purpose of the party is not to sign keys at the party :-)

Excellent point.

The actual signing of keys is usually done at one's leisure *after* the party.

That's true, although I'll be prepared to walk first timers through it (not that there's much to it anyway). So if anyone would like to send me their keys before Wednesday night, I can make the key list available at that time - either via a temporary URL which I'll post here, or (if anyone requests it) e-mailing people back directly.

On Thu, Aug 15, 2013 at 09:45:52AM +1000, Aníbal Monsalve Salazar wrote:

On Mon, Aug 12, 2013 at 10:36:25AM +1000, Adam Bolte wrote:

...

So if anyone would like to send me their keys before Wednesday night, I can make the key list available at that time - either via a temporary URL which I'll post here, or (if anyone requests it) e-mailing people back directly.

I haven't seen the temporary URL yet. Was the list sent via e-mail?

I meant, a temporary URL to share (which I would have done last night which was the deadline). Before leaving for work this morning, I had received a grand total of 1 fingerprints from interested people. I have since received one more, but doubt that it's worth having a list so small. Perhaps we might give that idea a miss this time around, and just go full 'Ad Hoc' - unless there are printers we can use at the venue. I did print my fingerprint slips last night though, and remembered to bring in some extra ID. -Adam

A brief follow-up on gcaff. I've tracked down the critical issue (many thanks Adam for the bug report) and released gcaff-0.2. This release also fixes some other bugs and does more sanity checking up front. To install: pip install gcaff or download the source (https://github.com/frasertweedale/gcaff) and run the setup script. On Tue, Aug 13, 2013 at 03:46:20PM +1000, Fraser Tweedale wrote:

Hi Adam,

On Mon, Aug 12, 2013 at 03:11:03AM +1000, Adam Bolte wrote:

...

On 09/08/13 12:53, Fraser Tweedale wrote:

...

I wrote a key submission application that you might find useful. It's pretty spartan, but I've use it for keysigning parties at linux.conf.au and other conferences and it does the job.

https://github.com/frasertweedale/pgpsubmit

Looks neat. I'll look into it more closely if I have time (probably not before this months meet-up though).

...

Oh and I should also mention https://github.com/frasertweedale/gcaff which is a friendlier alternative to caff for signing multiple keys. Even has a GUI!

I attempted to open some of the Debian keyrings just to see what the GUI looked like, but it would always fail with an uncaught exception. Didn't spend too much time on it, but I like the idea.

If you could send the traceback and [links to] the keyring(s) you tried to open I'll take a look at it.

Cheers,

Fraser

...

...

On Fri, Aug 09, 2013 at 12:20:05PM +1000, Ben Finney wrote:

...

I think we will use some middle ground between the “Sassaman” URL:http://keysigning.org/methods/sassaman-efficient and “Ad hoc” URL:http://keysigning.org/methods/adhoc>. Specifically, I think the party will be small enough to use Ad hoc, but the central point of contact to co-ordinate the participating keys will be helpful.

I'm expecting a number of people will not have any GnuPG experience, so am intending to provide a small presentation on the subject. If people bring laptops, they might create decide to create keys on the spot. I know this isn't ideal, but I think it's important to prioritise helping people get started.

As the meet-up is only a few days away, it's probably not reasonable to expect everyone will have time to send me keys prior to the event. Happy to do this if people want, but I agree with your assessment that leaning towards ad hoc might be the way to go. Depending on how we go for time, how many people turn up (and interest levels), I'd even be happy to continue keysigning while waiting on dinner - if there are no objections, anyway.

Cheers, Adam

...

_______________________________________________ Free-software-melb mailing list Free-software-melb@lists.softwarefreedom.com.au http://lists.softwarefreedom.com.au/cgi-bin/mailman/listinfo/free-software-m...

Free Software Melbourne home page: http://www.freesoftware.asn.au/melb/

_______________________________________________ Free-software-melb mailing list Free-software-melb@lists.softwarefreedom.com.au http://lists.softwarefreedom.com.au/cgi-bin/mailman/listinfo/free-software-m...

Free Software Melbourne home page: http://www.freesoftware.asn.au/melb/

On 16 August 2013 17:17, Ben Finney wrote:

* Examine the key's fingerprint and verify it against the fingerprint the person gave you. [...] A tool like ‘caff’ (installed in the package ‘signing-party’ in Debian) can step through all this for a specified set of key IDs.

I'm a bit confused by all this. Caff doesn't seem to give me the option to save a signed key to be sent manually, and I don't have my system set up to send email. I tried using straight gpg, and it seems to have worked - but now should I just send the output of `gpg --armor --export ID` to the owner of ID? Do I need to do that for subkeys separately? And what do I do with that data if someone sends it to me? Keyservers would seem to make this all a lot easier. It's a shame it's a faux pas to publish on behalf of someone else! If anyone wants to sign and publish my key using `gpg --send-key`, please feel free :) Alex

On 17/08/13 08:45, Alex Fraser wrote:

I'm a bit confused by all this. Caff doesn't seem to give me the option to save a signed key to be sent manually,

Caff saves the signed keys in .caff/keys/[date]/, even if the mailing step fails. It doesn't add the signatures to your own gnupg database, because the email address is not proven until the key owner publishes the signature. Glenn -- sks-keyservers.net 0x6d656d65

Brian May writes:

As an example, I got errors trying to send to one of the email addresses, used by two uids on the key, I received on the night:

: host vep-1.mx15.luxsci.com[66.135.55.11] said: 550 5.7.1 ... Relaying denied (in reply to RCPT TO command)

Is this email address still current?

It is, and I was not aware of that problem. Thanks for bringing it to my attention. -- \ “In the long run, the utility of all non-Free software | `\ approaches zero. All non-Free software is a dead end.” —Mark | _o__) Pilgrim, 2006 | Ben Finney