
Keysigning: Difference between revisions

From HacDC Wiki

Line 25:

Previous revision:

* But before anyone signs anyone elses key they have to make sure that person actually owns that key (checking physical ID).
* Now people can see that you believe that key to be valid, which improves the chances of it being a valid key! (web of trust)
* Now you're all set, but you also want to...
** Generate a revokation certificate in case you lose your passphrase or your key is comprimised!

== DETAILS ==

* Obscurite generally uses the pgp.mit.edu keyserver, but keyserver.ubuntu.com is well liked and they do sync regularly, so it doesn't especially matter which one you use, except that pgp.mit.edu has a nice web search interface.
* For the keysigning party on Thurs 9/10 we will use the pgp.mit.edu keyserver
* PGP KEYSERVER EXAMPLE: gpg --keyserver pgp.mit.edu --send-key KEYIDHERE
* I will pass around copies of signatures so you can check people off as you confirm their identity
* I recommend using a valid state photo ID as a minimum validation. It is up to your personal "keysigning policy."

Current revision:

* But before anyone signs anyone elses key they have to make sure that person actually owns that key (checking physical ID).
** Minimum recommendation is state photo ID + secondary photo ID (school, employer)
* You can see who has signed someone's public key. If their key has been signed by someone in your web of trust, then that person is in your web of trust as well.
** gpg --list-sigs D34DB33f
* Don't forget to generate a revokation certificate for your public key in case you lose your passphrase or your key is compromised!
** gpg --gen-revoke

== DETAILS ==

* Obscurite generally uses the pgp.mit.edu keyserver, but keyserver.ubuntu.com is well liked and they do sync regularly, so it doesn't especially matter which one you use, except that pgp.mit.edu has a nice web search interface.
* I will pass around copies of signatures so you can check people off as you confirm their identity
* I recommend using a valid state photo ID as a minimum validation. It is up to your personal "keysigning policy."

Revision as of 20:32, 11 October 2009

This page is a resource for keysigning parties.

Intro

  • You have a private key and a public key, which you generate together (your keypair).
    • gpg --gen-key
  • People use your public key to encrypt messages to you; only the matching private key can open them.
  • You decrypt these messages with your private key, which only you have access to.
    • gpg --output doc --decrypt doc.gpg
  • But first, you must share your public key, either directly or by uploading it to a keyserver.
    • gpg --keyserver pgp.mit.edu --send-keys D34DB33F
  • If it's on a keyserver, they must download it from the keyserver.
    • gpg --keyserver pgp.mit.edu --recv-keys D34DB33F
  • If it was a file (called obscurite.gpg for example), they can import it manually.
    • gpg --import obscurite.gpg
  • But before anyone signs anyone else's key they have to make sure that person actually owns that key: check physical ID, and compare the key's full 40-hex-digit fingerprint with the one the owner reads out. The 8-digit short key ID used in these examples is only the last 32 bits of the fingerprint and is not unique enough to identify a key on its own.
    • Minimum recommendation is state photo ID + secondary photo ID (school, employer)
  • Once satisfied, they sign the key and send the signed copy back to the keyserver (with --send-keys, as above), so the signature becomes public.
    • gpg --sign-key D34DB33F
  • You can see who has signed someone's public key. If it carries a signature from someone whose key you have verified and whom you trust to check other people's identities, GnuPG treats that key as valid too: that is the web of trust.
    • gpg --list-sigs D34DB33F
  • Don't forget to generate a revocation certificate for your public key in case you lose your passphrase or your key is compromised! Keep it offline, because anyone who holds it can revoke your key.
    • gpg --output revoke.asc --gen-revoke D34DB33F
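
The whole procedure above, run end to end as an added example that is not part of the original page: two throwaway GnuPG homedirs stand in for two attendees. The names Alice and Bob, their e-mail addresses, and a file handed from one keyring to the other in place of the keyserver upload are assumptions of this example. It needs GnuPG 2.1 or newer; keys are created with an empty passphrase so it runs unattended, which you would never do for a real key. The revocation step uses the certificate GnuPG 2.1+ writes automatically at key generation, which is the same thing the interactive gpg --gen-revoke produces.

```shell
#!/bin/sh
# Keysigning walk-through with two throwaway GnuPG homedirs standing in for two
# party attendees, "Alice" and "Bob" (constructed names, not from the wiki page).
# Requires GnuPG 2.1 or newer. Keys are generated with an empty passphrase so the
# script runs unattended; never do that for a real key.
set -eu

require_gpg() {
    command -v gpg >/dev/null 2>&1 && command -v gpgconf >/dev/null 2>&1
}

# g HOMEDIR ARGS...  run gpg against one attendee's keyring, non-interactively.
g() {
    _home=$1; shift
    gpg --homedir "$_home" --batch --no-tty --quiet \
        --pinentry-mode loopback --passphrase '' "$@"
}

# Primary-key fingerprint (40 hex digits) of the key matching $2 in homedir $1.
fingerprint_of() {
    g "$1" --with-colons --with-fingerprint --list-keys "$2" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Validity field of public key $2 as seen from homedir $1:
# "u" ultimate, "f" full, "-" unknown, "r" revoked.
validity_of() {
    g "$1" --check-trustdb
    g "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "pub" { print $2; exit }'
}

# Number of signatures on key $2 (in homedir $1) made by long key ID $3.
sigs_from() {
    g "$1" --with-colons --list-sigs "$2" |
        awk -F: -v kid="$3" '$1 == "sig" && $5 == kid { n++ } END { print n + 0 }'
}

keysign_demo() {
    tmp=$(mktemp -d)
    alice=$tmp/alice; bob=$tmp/bob
    mkdir -m 700 "$alice" "$bob"

    # 1. Each attendee generates a keypair (the page's "gpg --gen-key").
    g "$alice" --quick-gen-key "Alice Example <alice@example.org>" default default never
    g "$bob"   --quick-gen-key "Bob Example <bob@example.org>"     default default never
    alice_fpr=$(fingerprint_of "$alice" alice@example.org)
    bob_fpr=$(fingerprint_of "$bob" bob@example.org)
    bob_keyid=$(printf '%s' "$bob_fpr" | tail -c 16)  # long key ID = last 16 hex of a v4 fingerprint

    # 2. Alice shares her public key. A file stands in for the keyserver upload
    #    ("--send-keys"); Bob's --import is the same command as on the page.
    g "$alice" --armor --export alice@example.org > "$tmp/alice.asc"
    g "$bob" --import "$tmp/alice.asc"

    # 3. At the party Bob checks Alice's ID and compares the fingerprint she reads
    #    out (alice_fpr, from her own keyring) with the key he actually imported.
    #    The 8-hex "short key ID" is only the last 32 bits of this value.
    imported_fpr=$(fingerprint_of "$bob" alice@example.org)
    if [ "$imported_fpr" != "$alice_fpr" ]; then
        echo "fingerprint mismatch: do not sign" >&2
        return 1
    fi
    echo "fingerprint verified: $alice_fpr (short ID $(printf '%s' "$alice_fpr" | tail -c 8))"

    # 4. Bob signs the key and hands the signed copy back (again a file, not a keyserver).
    g "$bob" --quick-sign-key "$alice_fpr"
    g "$bob" --armor --export "$alice_fpr" > "$tmp/alice-signed.asc"
    g "$alice" --import "$tmp/alice-signed.asc"

    # 5. Anyone can now see who signed Alice's key (the page's "gpg --list-sigs").
    KEYSIGN_BOB_SIGS=$(sigs_from "$alice" "$alice_fpr" "$bob_keyid")
    KEYSIGN_VALIDITY_AFTER_SIGN=$(validity_of "$bob" "$alice_fpr")
    echo "signatures by Bob on Alice's key: $KEYSIGN_BOB_SIGS"
    echo "validity of Alice's key in Bob's keyring: $KEYSIGN_VALIDITY_AFTER_SIGN"

    # 6. Revocation certificate. GnuPG 2.1+ writes one at generation time (the
    #    interactive "gpg --gen-revoke FPR" produces the same thing). A colon is
    #    prepended to its armor header so it cannot be imported by accident;
    #    remove it, and importing it revokes the key in every keyring it reaches.
    rev=$alice/openpgp-revocs.d/$alice_fpr.rev
    sed 's/^:-----BEGIN/-----BEGIN/' "$rev" > "$tmp/alice-revoke.asc"
    g "$bob" --import "$tmp/alice-revoke.asc"
    KEYSIGN_VALIDITY_AFTER_REVOKE=$(validity_of "$bob" "$alice_fpr")
    echo "validity after importing the revocation certificate: $KEYSIGN_VALIDITY_AFTER_REVOKE"

    gpgconf --homedir "$alice" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$bob"   --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
}

if require_gpg; then
    keysign_demo
else
    echo "gpg/gpgconf not found; nothing to do" >&2
fi
```

Step 3 is the actual verification: the photo ID tells Bob who is standing in front of him, the fingerprint comparison tells him that the key he downloaded belongs to that person. Step 6 shows why the revocation certificate has to be kept safe: once imported it marks the key revoked (validity "r") wherever it lands, and there is no undo.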


DETAILS

  • Obscurite generally uses the pgp.mit.edu keyserver, but keyserver.ubuntu.com is well liked and they do sync regularly, so it doesn't especially matter which one you use, except that pgp.mit.edu has a nice web search interface.
  • I will pass around copies of signatures so you can check people off as you confirm their identity.
  • I recommend using a valid state photo ID as a minimum validation. It is up to your personal "keysigning policy."

Links