Actions

Keysigning: Difference between revisions

From HacDC Wiki

No edit summary
No edit summary
 
(10 intermediate revisions by 4 users not shown)
Line 1: Line 1:
This page is a resource for keysigning parties.
This page is a resource for keysigning parties @ HacDC.


== Intro ==
== Upcoming Parties ==
 
Friday, November 13th @ 7:30PM
 
== Past Parties ==
 
September 10th, 2009
* We had about 20 folks and about 10 of whom were productively keysigning.
 
 
== Intro to KeySigning ==


* You have a private key and a public key, which you generate (your keypair).
* You have a private key and a public key, which you generate (your keypair).
** gpg --gen-key
* People use your public key to send you encrypted messages that only you can open via the magic of crypto!
* People use your public key to send you encrypted messages that only you can open via the magic of crypto!
** gpg --output doc.gpg --encrypt --recipient [email protected] doc
* You decrypt these messages with your private key, which only you have access to.
* You decrypt these messages with your private key, which only you have access to.
** gpg --output doc --decrypt doc.gpg
* But first, you must share your public key, either directly or by uploading it to a keyserver.
* But first, you must share your public key, either directly or by uploading it to a keyserver.
** gpg --keyserver pgp.mit.edu --send-keys D34DB33F
* If it's on a keyserver, they must download it from the keyserver.
* If it's on a keyserver, they must download it from the keyserver.
* If it was a file, they can import it manually.
** gpg --keyserver pgp.mit.edu --recv-key D34DB33F
 
* If it was a file (called obscurite.gpg for example), they can import it manually.
** gpg --import obscurite.gpg
 
* Now they can sign the key and send the key back to the keyserver.
* Now they can sign the key and send the key back to the keyserver.
** gpg --sign-key D34DB33F
* But before anyone signs anyone elses key they have to make sure that person actually owns that key (checking physical ID).
* But before anyone signs anyone elses key they have to make sure that person actually owns that key (checking physical ID).
* Now people can see that you believe that key to be valid, which improves the chances of it being a valid key! (web of trust)
** Minimum recommendation is state photo ID + secondary photo ID (school, employer)
* Now you're all set, but you also want to...
 
** Generate a revokation certificate in case you lose your passphrase or your key is comprimised!
* You can see who has signed someone's public key. If their key has been signed by someone in your web of trust, then that person is in your web of trust as well.
** gpg --list-sigs D34DB33f
 
* Don't forget to generate a revokation certificate for your public key in case you lose your passphrase or your key is compromised!
** gpg --gen-revoke
 


== DETAILS ==
== DETAILS ==
 
* Obscurite generally uses the pgp.mit.edu keyserver, but keyserver.ubuntu.com is well liked and they do sync regularly, so it doesn't especially matter which one you use, except that pgp.mit.edu has a nice web search interface.
* For the keysigning party on Thurs 9/10 we will use the pgp.mit.edu keyserver
* I will pass around copies of signatures so you can check people off as you confirm their identity
* I will pass around copies of signatures so you can check people off as you confirm their identity
* I recommend using a valid state photo ID as a minimum validation. It is up to your personal "keysigning policy."
* I recommend using a valid state photo ID as a minimum validation. It is up to your personal "keysigning policy."
Line 25: Line 53:
* [http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#overview Keysigning HOWTO]
* [http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#overview Keysigning HOWTO]
* [http://cryptnet.net/fdp/crypto/keysigning_party/en/extra/party-table.pl Perl script to generate keyring list]
* [http://cryptnet.net/fdp/crypto/keysigning_party/en/extra/party-table.pl Perl script to generate keyring list]
* [http://www.gnupg.org/download/integrity_check.en.html Checking the integrity of the installer, even without GPG already installed]
[[Category:Previous_Projects]]

Latest revision as of 04:12, 4 April 2012

This page is a resource for keysigning parties @ HacDC.

Upcoming Parties

Friday, November 13th @ 7:30PM

Past Parties

September 10th, 2009

  • We had about 20 folks and about 10 of whom were productively keysigning.


Intro to KeySigning

  • You have a private key and a public key, which you generate (your keypair).
    • gpg --gen-key
  • People use your public key to send you encrypted messages that only you can open via the magic of crypto!
  • You decrypt these messages with your private key, which only you have access to.
    • gpg --output doc --decrypt doc.gpg
  • But first, you must share your public key, either directly or by uploading it to a keyserver.
    • gpg --keyserver pgp.mit.edu --send-keys D34DB33F
  • If it's on a keyserver, they must download it from the keyserver.
    • gpg --keyserver pgp.mit.edu --recv-key D34DB33F
  • If it was a file (called obscurite.gpg for example), they can import it manually.
    • gpg --import obscurite.gpg
  • Now they can sign the key and send the key back to the keyserver.
    • gpg --sign-key D34DB33F
  • But before anyone signs anyone elses key they have to make sure that person actually owns that key (checking physical ID).
    • Minimum recommendation is state photo ID + secondary photo ID (school, employer)
  • You can see who has signed someone's public key. If their key has been signed by someone in your web of trust, then that person is in your web of trust as well.
    • gpg --list-sigs D34DB33f
  • Don't forget to generate a revokation certificate for your public key in case you lose your passphrase or your key is compromised!
    • gpg --gen-revoke


DETAILS

  • Obscurite generally uses the pgp.mit.edu keyserver, but keyserver.ubuntu.com is well liked and they do sync regularly, so it doesn't especially matter which one you use, except that pgp.mit.edu has a nice web search interface.
  • I will pass around copies of signatures so you can check people off as you confirm their identity
  • I recommend using a valid state photo ID as a minimum validation. It is up to your personal "keysigning policy."

Links