[Hampshire] GPG keysigning session at the meeting

Top Page
This message is part of the following thread:
M-\the complete thread tree sorted by date
M\M 
MMjohn lewis at ->
Author: Hugo Mills
Date:  
To: Hants LUG
Subject: [Hampshire] GPG keysigning session at the meeting

Reply to this message
gpg: failed to create temporary file '/var/lib/lurker/.#lk0x56c62100.hantslug.org.uk.8215': Permission denied
gpg: keyblock resource '/var/lib/lurker/pubring.gpg': Permission denied
gpg: Signature made Wed Oct 3 13:25:57 2007 BST
gpg: using DSA key 20ACB3BE515C238D
gpg: Can't check signature: No public key
I've asked Adrian to schedule in a "talk" slot for a keysigning
session at the meeting on Saturday.

To make things easy, you should bring along some slips of paper
with your GPG key fingerprint on. You can generate the fingerprint
information with:

$ gpg --fingerprint EA2B228F

(with the appropriate key ID, of course -- that's one of mine). If you
don't have a key, skip to the end of this email for instructions on
how to generate one.

Copy the output from this several times into your favourite text
editor, print out, and cut into strips. Also bring along your
passport and a pen.

On the day
==========

A1. Give someone your key fingerprint.

A2. Show them your passport.

A3. Wait until they've stopped laughing at your photo.

A4. They should verify that the passport is yours, using the handy
biometric data (the photo).

A5. They should verify that the identity stated on the key matches the
printed passport details.

A6. They should mark or sign the slip on some way to indicate to
themselves that they've verified this.

There are faster ways of doing this for large groups, but I doubt
we'll have a problem with it if everyone simply does this in pairs at
random.

When you get home
=================

When you get home, the procedure for each slip you have marked goes
like this:

B1. Download the key into your local keyring:

$ gpg --recv-keys EA2B228F

B2. Generate some random data and keep it somewhere secure:

$ dd if=/dev/urandom bs=48 count=1 | hd >person-name.data

By "secure", I mean kept somewhere where nobody else can read it.
A USB stick would do (provided you know where it is, and don't lose
it). Or encrypt the file so only you can read it.

B3. Send a mail to each of the mail IDs in their key that you want to
sign, containing that data, and encrypted for reading by their key.
This will vary depending on the email client that you use.

B4. They should reply to each of those emails, encrypted to you,
containing the random data that you sent them.

B5. For each of those mails, you should verify that the data returned
is the same as the data you sent them.

B6. Edit their key and sign the UIDs and email addresses that you've
just validated:

$ gpg --edit-key EA2B228F
Command> uid 1
Command> uid 2
[repeat this for each UID you want to sign]
Command> sign
Command> save

B7. Check that you've signed the right things:

$ gpg --list-sigs EA2B228F

B8. Upload the newly signed key to a keyserver:

$ gpg --send-keys EA2B228F

All done.

If you don't have a key
=======================

You should do this before you get to the meeting, if you haven't
already done so.

C1. You can start the process of generating a key with:

$ gpg --gen-key

C2. Select the key type. The default (DSA and ElGamal) is probably
what you should go for. This will allow you both to sign things (DSA)
and to encrypt things (ElGamal).

C3. Choose a key size. Larger keys are harder to crack, but take a
little longer to generate and to encrypt things. 2048 bits is probably
currently reasonable for most purposes, unless there are major
governments you want to hide things from (in which case, they'll
probably just catch you and hit you with rubber hoses until you tell
them what they want to know). I use 4096-bit keys.

C4. Choose an expiry date. For my work key, I've used the end date of
my current project (plus a bit).

C5. Supply your real name. This will be what people check against your
passport. The instructions are a little confusing here -- just give
your name for the first prompt.

C6. Supply your email address (if you want this key to have more than
one, you can do that later).

C7. Add a comment, if you wish. On my keys, I use the comment field to
indicate which identity is the "preferred" mail address.

C8. Accept the identity details (or reject them and go back to enter
them again).

C9. Enter your passphrase. This should be non-dictionary, contain
letters, numbers and preferably punctuation, and long (20+ characters,
preferably). This is the passphrase that protects your private key, so
don't forget it. If you forget it, you've lost access to your key, and
will have to do this all over again.

C10. If you want to add other identities (alternative names, other
email addresses), edit your key with:

$ gpg --edit-key EA2B228F
Command> adduid
[add your name, email address, and comment as in steps C5-C8]
Command> save

C11. Upload your public key to a keyserver for others to access:

gpg --send-keys EA2B228F

Hugo. 

-- 
=== Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk ===
  PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
                   --- Ceci n'est pas une pipe:  | ---

This message was posted to the following mailing lists:
Hampshire LUG
Mailing List Info | Nearby Messages		<-Re: [Hampshire] '$100 laptop' to sell to publicRe: [Hampshire] '$100 laptop' to sell to public->
Hampshire LUG Mailing List Archive administrated by WebmasterLurker (version 2.3)