Keysigning Party @ Linuxtag 2004

At the LinuxTag 2004 in Karlsruhe there will be an OpenPGP (pgp/gpg) keysigning party.

The party will be on Saturday, June 26th, at 14:00.

What is/Why keysigning?

Please read section One of the GnuPG Keysigning Party HOWTO (note: we are doing the party slightly different, so the other chapters do not 100% apply).

How

The Party will be conducted using Len Sassaman's Efficient Group Key Signing Method:

If you intent to participate please send your ascii armored public key to ksp-lt2k4@palfrader.org by Saturday, June 19th, 2004

Preferably do not sign or encrypt your email, attach the keys as a file, and name that file like your email address (multiple keys per file/armor are just fine).
This deadline has now passed. If you haven't submitted your key yet, it's too late. If you still want to participate, please follow the points listed below, like everybody else (i.e. grab the file, check the checksum and bring the printout with you). This is so that you can sign other people's keys.
In addition print your key information on small paperslips and bring enough for everyone (say 150 or so).
By Monday, June 21st, you will be able to fetch both the complete keyring with all the keys that were submitted along with a text file (ksp-lt2k4.txt) giving the fingerprint of each key on the ring.
At home, verify that the fingerprint of your key in ksp-lt2k4.txt is correct. Also compute the MD5 hash of ksp-lt2k4.txt. One way to do this is with md5sum invoked as follows:

% md5sum ksp-lt2k4.txt
or
gpg --print-md md5 ksp-lt2k4.txt

Just to be sure that you have no problems with the download, here is the MD5 hash as we have calculated it:
MD5 = 90 43 B8 1B 97 89 F3 .. .. .. .. .. .. .. .. ..
Note that this is just a hint - you must do the check yourself.
We will also read the SHA1 hash, so you can calulate that too (sha1sum or gpg --print-md sha1).
At the LinuxTag, come with the hash you computed and a hardcopy of ksp-lt2k4.txt.
A reader at the front of the room will recite the MD5 hash of ksp-lt2k4.txt. Verify that the hash recited matches what you computed. This guarantees that all participants are working from the same list of keys.
In turn, each participant will stand and acknowledge that the fingerprint of his or her key listed is correct. Mark the key verified on your hardcopy. Since we already ensured that everybody has the same copy a simple statement like "yes, this information is correct" is sufficient.
The next step is to verify each participant's identity by checking her passport or similar form of ID.
Later that evening, or perhaps when you get home, you can sign the keys which you were able to verify hardcopy. After you signed a key send it to its owner together with your signature.

Downloads:

Summary: What to bring with you

A printout of ksp-lt2k4.txt; check that your fingerprint is correct.
The MD5 Hash you made of ksp-lt2k4.txt so that we can ensure we are all working with the same copy.
Some form of government issued ID (passport or similar).

If you have questions please ask Peter Palfrader <peter@palfrader.org>.

Relevant Information and Sources for More Information

Stats

Robert Schiele <rschiele@uni-mannheim.de> is doing some fancy stats on http://pi3.informatik.uni-mannheim.de/~schiele/keysign.linuxtag/.

Keyservers

The only keyserver rotation you should use is subkeys.pgp.net, or random.sks.keyserver.penguin.de if you insist. Any of the servers in this rotations is fine.

Please, please, pretty please with a cherry on top, do not use other rotations, like keyserver.net or wwwkeys.pgp.net: They all mangle keys in varios ways, including but not limited to dropping subkeys, moving binding sigs around between subkeys, duplicating user ids, modifying signature subpackets (dropping non-hashed data), calculating keyids wrong (for v4 RSA keys), rejecting keys with attribute uids (such as photo ids), or don't sync with the rest of the network.

Please use subkeys.pgp.net.

Utilities

Uli Martens wrote a small perl script that, given ksp-lt2k4.txt and ksp-lt2k4.asc tells you which keys (uids) you already signed.

It takes ksp-lt2k4.txt and adds a comment in front of each line, like this:

153  [ ] Fingerprint OK        [ ] ID OK
(S)  pub  1024D/52698E9F 2001-11-07 Uli Martens <uli@youam.net>
     Key fingerprint = A48F 8894 37A0 FDE9 60D5  212A 2A58 CEAA 5269 8E9F
(S)  uid     Uli Martens <isax@gmx.de>
( )  uid     Uli Martens <u.martens@youam.com>
(S)  uid     Uli Martens <u.martens@scientific.de>




The S indicates that I already signed a user id.


Download it: gpgsigs.


It requires perl, gnupg (>=1.2.x) and either Locale::Recode (in Debian
Package libintl-perl, in testing and unstable) or recode (Debian Package
recode).

A word on GnuPG versions


GnuPG 1.0.*, as shipped with Debian stable has serious problems.  Please consider
upgrading to 1.2.*.  It's a lot faster too, which you will apprechiate I guess.

There is a newer GnuPG package at backports.org:

deb http://www.backports.org/debian/ woody gnupg




Last modified: Tuesday, 22-Jun-2004 12:58:39 CEST

Peter Palfrader <peter@palfrader.org>