Howdy all,

We have been discussing the idea of regular GPG keysigning parties for our group.

A keysigning party is an opportunity to efficiently use a gathering of people to perform the necessary steps in verifying the identity of GPG key holders <URL:https://en.wikipedia.org/wiki/Key_signing_party>.

There is a good site <URL:http://keysigning.org/> which is a repository of information on what a keysigning party is and, importantly, what people need to know in order to prepare and participate.

I think we will use some middle ground between the “Sassaman” <URL:http://keysigning.org/methods/sassaman-efficient> and “Ad hoc” <URL:http://keysigning.org/methods/adhoc>. Specifically, I think the party will be small enough to use Ad hoc, but the central point of contact to co-ordinate the participating keys will be helpful.

Adam Bolte has offered to give more information and co-ordinate, but I'm happy to answer questions here too.

-- 
“By instructing students how to learn, unlearn, and relearn, a powerful new dimension can be added to education.” —Alvin Toffler, _Future Shock_, 1970
Ben Finney
I wrote a key submission application that you might find useful. It's pretty spartan, but I've used it for keysigning parties at linux.conf.au and other conferences and it does the job.

https://github.com/frasertweedale/pgpsubmit

Questions and feedback are welcome if you decide to give it a go.

Oh and I should also mention https://github.com/frasertweedale/gcaff which is a friendlier alternative to caff for signing multiple keys. Even has a GUI!

Cheers,
Fraser
_______________________________________________ Free-software-melb mailing list Free-software-melb@lists.softwarefreedom.com.au http://lists.softwarefreedom.com.au/cgi-bin/mailman/listinfo/free-software-m...
Free Software Melbourne home page: http://www.freesoftware.asn.au/melb/
On 09/08/13 12:53, Fraser Tweedale wrote:
> I wrote a key submission application that you might find useful. It's pretty spartan, but I've used it for keysigning parties at linux.conf.au and other conferences and it does the job.

Looks neat. I'll look into it more closely if I have time (probably not before this month's meet-up though).

> Oh and I should also mention https://github.com/frasertweedale/gcaff which is a friendlier alternative to caff for signing multiple keys. Even has a GUI!

I attempted to open some of the Debian keyrings just to see what the GUI looked like, but it would always fail with an uncaught exception. Didn't spend too much time on it, but I like the idea.

On Fri, Aug 09, 2013 at 12:20:05PM +1000, Ben Finney wrote:
> I think we will use some middle ground between the “Sassaman” <URL:http://keysigning.org/methods/sassaman-efficient> and “Ad hoc” <URL:http://keysigning.org/methods/adhoc>. Specifically, I think the party will be small enough to use Ad hoc, but the central point of contact to co-ordinate the participating keys will be helpful.

I'm expecting a number of people will not have any GnuPG experience, so am intending to provide a small presentation on the subject. If people bring laptops, they might decide to create keys on the spot. I know this isn't ideal, but I think it's important to prioritise helping people get started.

As the meet-up is only a few days away, it's probably not reasonable to expect everyone will have time to send me keys prior to the event. Happy to do this if people want, but I agree with your assessment that leaning towards ad hoc might be the way to go. Depending on how we go for time, how many people turn up (and interest levels), I'd even be happy to continue keysigning while waiting on dinner - if there are no objections, anyway.

Cheers,
Adam
Adam Bolte <abolte@systemsaviour.com> writes:
> As the meet-up is only a few days away, it's probably not reasonable to expect everyone will have time to send me keys prior to the event. Happy to do this if people want, but I agree with your assessment that leaning towards ad hoc might be the way to go. Depending on how we go for time, how many people turn up (and interest levels), I'd even be happy to continue keysigning while waiting on dinner - if there are no objections, anyway.

It's also worth noting that a keysigning party has a misleading name: The purpose of the party is not to sign keys at the party :-)

Rather, the purpose of the keysigning party is to organise everyone to perform all the necessary prior steps to key signing. Some (create one's own keypair, send the public key to a network or central coordinator, print out copies of fingerprints) are done before the party where feasible, and some (meet the person, verify photo ID, check their fingerprint with them) need person-to-person interaction so are done at the party.

The actual signing of keys is usually done at one's leisure *after* the party.

-- 
“Guaranteed to work throughout its useful life.” —packaging for clockwork toy, Hong Kong
Ben Finney
On Mon, Aug 12, 2013 at 10:02:42AM +1000, Ben Finney wrote:
> Adam Bolte <abolte@systemsaviour.com> writes:
>> As the meet-up is only a few days away, it's probably not reasonable to expect everyone will have time to send me keys prior to the event. Happy to do this if people want, but I agree with your assessment that leaning towards ad hoc might be the way to go. Depending on how we go for time, how many people turn up (and interest levels), I'd even be happy to continue keysigning while waiting on dinner - if there are no objections, anyway.
>
> It's also worth noting that a keysigning party has a misleading name: The purpose of the party is not to sign keys at the party :-)

Excellent point.

> The actual signing of keys is usually done at one's leisure *after* the party.

That's true, although I'll be prepared to walk first timers through it (not that there's much to it anyway). So if anyone would like to send me their keys before Wednesday night, I can make the key list available at that time - either via a temporary URL which I'll post here, or (if anyone requests it) e-mailing people back directly.
On Mon, Aug 12, 2013 at 10:36:25AM +1000, Adam Bolte wrote:
> So if anyone would like to send me their keys before Wednesday night, I can make the key list available at that time - either via a temporary URL which I'll post here, or (if anyone requests it) e-mailing people back directly.

I haven't seen the temporary URL yet. Was the list sent via e-mail?
On Thu, Aug 15, 2013 at 09:45:52AM +1000, Aníbal Monsalve Salazar wrote:
> On Mon, Aug 12, 2013 at 10:36:25AM +1000, Adam Bolte wrote:
>> So if anyone would like to send me their keys before Wednesday night, I can make the key list available at that time - either via a temporary URL which I'll post here, or (if anyone requests it) e-mailing people back directly.
>
> I haven't seen the temporary URL yet. Was the list sent via e-mail?

I meant, a temporary URL to share (which I would have done last night, which was the deadline). Before leaving for work this morning, I had received a grand total of 1 fingerprint from interested people. I have since received one more, but doubt that it's worth having a list so small.

Perhaps we might give that idea a miss this time around, and just go full 'Ad Hoc' - unless there are printers we can use at the venue.

I did print my fingerprint slips last night though, and remembered to bring in some extra ID.

-Adam
Hi Adam,

On Mon, Aug 12, 2013 at 03:11:03AM +1000, Adam Bolte wrote:
> On 09/08/13 12:53, Fraser Tweedale wrote:
>> I wrote a key submission application that you might find useful. It's pretty spartan, but I've used it for keysigning parties at linux.conf.au and other conferences and it does the job.
>
> Looks neat. I'll look into it more closely if I have time (probably not before this month's meet-up though).
>
>> Oh and I should also mention https://github.com/frasertweedale/gcaff which is a friendlier alternative to caff for signing multiple keys. Even has a GUI!
>
> I attempted to open some of the Debian keyrings just to see what the GUI looked like, but it would always fail with an uncaught exception. Didn't spend too much time on it, but I like the idea.

If you could send the traceback and [links to] the keyring(s) you tried to open I'll take a look at it.

Cheers,
Fraser
A brief follow-up on gcaff. I've tracked down the critical issue (many thanks Adam for the bug report) and released gcaff-0.2. This release also fixes some other bugs and does more sanity checking up front. To install: pip install gcaff or download the source (https://github.com/frasertweedale/gcaff) and run the setup script.
Ben Finney <ben+freesoftware@benfinney.id.au> writes:
> We have been discussing the idea of regular GPG keysigning parties for our group.

Thanks to everyone who participated in our first formal keysigning party at the meeting last night (2013-08-15)!

You're now in possession of some number of key IDs and fingerprints, and some or all of those belong to people whose identity you have verified to your satisfaction.

The URL given earlier <URL:http://keysigning.org/methods/adhoc> has information on what to do next, in order to make good on your efforts at the party. In brief:

* Download, from the public keyserver network, a public key whose fingerprint you received.

* Examine the key's fingerprint and verify it against the fingerprint the person gave you.

* Examine the key's UIDs and verify them against the UIDs (pairs of name and email address) given to you by the person.

* If you're satisfied that you've verified the person's identity and the details of their key against what you learned at the party, sign their public key with yours. (If not, no hard feelings! Try to get more information from them next time.)

* Send the signed public key to the person, and/or (my recommendation) to the public keyserver network. Notify the person you've done this.

A tool like ‘caff’ (installed in the package ‘signing-party’ in Debian) can step through all this for a specified set of key IDs.

Lastly:

* Wait to receive these notifications from other participants, and import the signed copies of your key to your keyring.

* Bask in the knowledge that your public key will have an improved trail of verification worldwide :-)

Please let us know how you think the key signing party went, and what we could do to improve future ones.

-- 
“Even if the voices in my head are not real, they have pretty good ideas.” —anonymous
Ben Finney
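The verification steps in Ben's list, worked through as an added example. This is not part of the thread and is not code from caff, gcaff or GnuPG. The block parses the machine-readable listing that `gpg --with-colons --fingerprint --list-keys KEYID` prints for a key you have downloaded (field 10 of the `fpr` and `uid` records, per GnuPG's colon-format documentation), normalises the fingerprint as it appears on the person's paper slip, reports which UIDs match the name/address pairs they confirmed at the party, and builds the `gpg --quick-sign-key` (GnuPG 2.1 and later) and `gpg --armor --export` commands for just those UIDs. The listing, fingerprints, key IDs and addresses below are constructed for the example and belong to nobody. One caveat the "key IDs and fingerprints" wording invites: the code refuses to proceed when the slip carries only a key ID, because a 32- or 64-bit key ID is a truncation of the fingerprint and is not a safe identifier to sign against.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint --list-keys` output for a
# downloaded key. Key IDs, fingerprints, UID hashes and addresses are made up.
SAMPLE_LISTING = """\
pub:-:4096:1:89ABCDEF01234567:1376000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1376000000::1111111111111111111111111111111111111111::Example Participant <participant@example.org>::::::::::0:
uid:-::::1376000000::2222222222222222222222222222222222222222::Example Participant <old-address@example.net>::::::::::0:
sub:-:4096:1:76543210FEDCBA98:1376000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""

# Constructed slip: the fingerprint as `gpg --fingerprint` prints it, plus the
# (name, email) pairs the person confirmed in front of you.
SLIP_FINGERPRINT = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
SLIP_UIDS = [("Example Participant", "participant@example.org")]


def normalize_fingerprint(text):
    """Uppercase hex with spaces, colons and an optional 0x prefix removed."""
    cleaned = re.sub(r"[\s:]", "", text).upper()
    return cleaned[2:] if cleaned.startswith("0X") else cleaned


def _unescape_uid(raw):
    """Undo gpg's C-style \\xHH escaping (e.g. of colons) in --with-colons UID fields."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def parse_colon_listing(listing):
    """Return (primary fingerprint, [uid strings]) from --with-colons output.

    Field 10 (index 9) carries the fingerprint on 'fpr' records and the user ID
    on 'uid' records. Only the first 'fpr' after 'pub' is kept: subkeys have
    their own 'fpr' records, and certifications go on the primary key's UIDs.
    """
    fpr, uids, in_primary = None, [], False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            in_primary = True
        elif fields[0] == "sub":
            in_primary = False
        elif fields[0] == "fpr" and in_primary and fpr is None:
            fpr = fields[9].upper()
        elif fields[0] == "uid":
            uids.append(_unescape_uid(fields[9]))
    return fpr, uids


def split_uid(uid):
    """'Name (comment) <addr>' -> ('Name', 'addr'); a missing part comes back as ''."""
    m = re.match(r"^\s*([^<(]*?)\s*(?:\([^)]*\))?\s*(?:<([^>]*)>)?\s*$", uid)
    return (m.group(1), m.group(2) or "") if m else (uid.strip(), "")


def verify_against_slip(listing, slip_fingerprint, slip_uids):
    """Decide which UIDs of the downloaded key may be signed.

    Anything shorter than the full 40-hex fingerprint on the slip (a short or
    long key ID) is refused: key IDs are truncations and can be forged cheaply.
    """
    fpr, uids = parse_colon_listing(listing)
    want_fpr = normalize_fingerprint(slip_fingerprint)
    result = {"fingerprint_ok": False, "sign": [], "skip": list(uids)}
    if fpr is None or len(want_fpr) != 40 or fpr != want_fpr:
        return result
    wanted = {(n.strip().lower(), e.strip().lower()) for n, e in slip_uids}
    result["fingerprint_ok"] = True
    result["sign"] = [u for u in uids if tuple(p.lower() for p in split_uid(u)) in wanted]
    result["skip"] = [u for u in uids if u not in result["sign"]]
    return result


def signing_commands(fingerprint, uids, local_user):
    """One --quick-sign-key invocation per verified UID, then the export to send back."""
    cmds = [f"gpg --local-user {local_user} --quick-sign-key {fingerprint} '{u}'" for u in uids]
    cmds.append(f"gpg --armor --export {fingerprint} > {fingerprint}.signed.asc")
    return cmds


if __name__ == "__main__":
    outcome = verify_against_slip(SAMPLE_LISTING, SLIP_FINGERPRINT, SLIP_UIDS)
    print(outcome)
    if outcome["fingerprint_ok"]:
        primary_fpr, _ = parse_colon_listing(SAMPLE_LISTING)
        for cmd in signing_commands(primary_fpr, outcome["sign"], "YOUR-KEY-ID"):
            print(cmd)
```

Run against the constructed listing, the first UID is cleared for signing and the second (an address the person did not vouch for) is skipped; pass `"0x01234567"` as the slip value instead and nothing is cleared. The exported `.asc` is what Alex's question further down refers to: it contains the whole key with your new certifications and can be mailed to the owner or sent to a keyserver with `gpg --send-key`.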
On 16 August 2013 17:17, Ben Finney <ben+freesoftware@benfinney.id.au> wrote:
> * Examine the key's fingerprint and verify it against the fingerprint the person gave you.
> [...]
> A tool like ‘caff’ (installed in the package ‘signing-party’ in Debian) can step through all this for a specified set of key IDs.

I'm a bit confused by all this. Caff doesn't seem to give me the option to save a signed key to be sent manually, and I don't have my system set up to send email.

I tried using straight gpg, and it seems to have worked - but now should I just send the output of `gpg --armor --export ID` to the owner of ID? Do I need to do that for subkeys separately? And what do I do with that data if someone sends it to me?

Keyservers would seem to make this all a lot easier. It's a shame it's a faux pas to publish on behalf of someone else! If anyone wants to sign and publish my key using `gpg --send-key`, please feel free :)

Alex
Alex Fraser <alex@phatcore.com> writes:
> I'm a bit confused by all this.

If it helps (anyone reading this), the GnuPG documentation has a more detailed HOWTO for keysigning parties <URL:http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html>.

> Caff doesn't seem to give me the option to save a signed key to be sent manually, and I don't have my system set up to send email.

Yes, ‘caff’ is good for automating the steps, but that means your system needs to be able to send email. I recommend you set up a simple MTA on every system you use, since many services (especially in free software) operate at least in part by email, and tools can make your life easier by automating this.

> I tried using straight gpg, and it seems to have worked - but now should I just send the output of `gpg --armor --export ID` to the owner of ID? Do I need to do that for subkeys separately? And what do I do with that data if someone sends it to me?

You can alternatively use a tool like GNOME 3's “Passwords and Keys”, also known as ‘seahorse’ <URL:https://wiki.gnome.org/Seahorse>. It is a GNOME front-end for GnuPG and some other encryption systems, integrated with the GNOME environment to manage keys.

Using an interactive tool like “Passwords and Keys” means you need to do the steps individually, but it does make it clear what's going on at each point and doesn't require getting the command-line invocations right.

-- 
“I call him Governor Bush because that's the only political office he's ever held legally.” —George Carlin, 2008
Ben Finney
On 17/08/13 08:45, Alex Fraser wrote:
> I'm a bit confused by all this. Caff doesn't seem to give me the option to save a signed key to be sent manually,

Caff saves the signed keys in .caff/keys/[date]/, even if the mailing step fails. It doesn't add the signatures to your own gnupg database, because the email address is not proven until the key owner publishes the signature.

Glenn
-- 
sks-keyservers.net 0x6d656d65
On 17 August 2013 13:46, Glenn McIntosh <neonsignal@meme.net.au> wrote:
> On 17/08/13 08:45, Alex Fraser wrote:
>> I'm a bit confused by all this. Caff doesn't seem to give me the option to save a signed key to be sent manually,
>
> Caff saves the signed keys in .caff/keys/[date]/, even if the mailing step fails. It doesn't add the signatures to your own gnupg database, because the email address is not proven until the key owner publishes the signature.

It appears caff does the right thing. As an example, I got errors trying to send to one of the email addresses, used by two uids on the key, I received on the night:

    <bignose@whitetree.org>: host vep-1.mx15.luxsci.com[66.135.55.11] said: 550 5.7.1 <bignose@whitetree.org>... Relaying denied (in reply to RCPT TO command)

Is this email address still current?

-- 
Brian May <brian@microcomaustralia.com.au>
Brian May <brian@microcomaustralia.com.au> writes:
> As an example, I got errors trying to send to one of the email addresses, used by two uids on the key, I received on the night:
>
>     <bignose@whitetree.org>: host vep-1.mx15.luxsci.com[66.135.55.11] said: 550 5.7.1 <bignose@whitetree.org>... Relaying denied (in reply to RCPT TO command)
>
> Is this email address still current?

It is, and I was not aware of that problem. Thanks for bringing it to my attention.

-- 
“In the long run, the utility of all non-Free software approaches zero. All non-Free software is a dead end.” —Mark Pilgrim, 2006
Ben Finney
participants (7)
- Adam Bolte
- Alex Fraser
- Aníbal Monsalve Salazar
- Ben Finney
- Brian May
- Fraser Tweedale
- Glenn McIntosh