FOSDEM 2009 PGP KeySigning Party

THIS PAGE IS LARGELY OBSOLETE. See the keysigning announcement on the fosdem.org website for the 2010 KSP, and ksp.fosdem.org for more fresh info.

This page gives instructions for those who'd like to join the FOSDEM 2009 PGP KeySigning Party.

Table of Contents

• news.
• what and why. What this is all about.
• joining us.
• see also here for more information.
• thanks go out to...
• list of submitted PGP keys: Who is "us"?

News

2010-01-10: Philip Paeps will be in charge of the FOSDEM 2010 KSP. He's using his own keyserver software (local copy).

2009-01-31: Published detached signature, added instructions for dealing with the list of participants.

2009-01-29: Published final list of participants.

2009-01-29: A few first beta-releases of pgp-kspkeyserver, the software used for this keyserver.

2009-01-09: Thanks to Morten Gulbrandsen, the FOSDEM 2009 PGP KSP is now listed on biglumber.com.

2009-01-08: Collected some statistics to predict number of keys which will get submitted. Previous KSP's at Fosdem:

 2006  79
 2007 108
 2008 202
 2009 400 (!?)

At 01-08 07:00 we had 50 keys submitted, with about 10 new submissions coming in every day. You can place your bets now ;-)

2009-01-07: Have sent a list of currently submitted keys to the FOSDEM visitors list.

What and why

A PGP Keysigning Party is a meeting where people exchange "PGP key fingerprints" in a secure way. These meetings are quite often fun too. Exchanging key fingerprints enables one to strengthen the "web of trust". A stronger web of trust makes more secure communication using the internet possible. For instance, the content of your emails cannot be read by others. Even if your key has already been signed by others, it's useful to attend such a party: the more people have signed your key, the more trustworthy your key can be to others.

How to join

If you'd like to join, you need to have a personal PGP key, and you need to attend the FOSDEM conference in Brussels, on sunday 2009-02-08.

Stuff you should have done

You should have submitted your PGP key. If you did, your key is on the list.

Stuff to do now: early february

Since thursday 2009-01-29 ksp-fosdem2009.txt is published. Before 2009-02-08, you'll have to:

• Download this file:

  curl -O http://ksp.mdcc.cx/files/ksp-fosdem2009.txt

• (Optionally, if there is a trustpath between your PGP key and the author's ones: use the detached signature to verify the integrity of the file:

  curl -O http://ksp.mdcc.cx/files/ksp-fosdem2009.txt.asc
  gpg --verify ksp-fosdem2009.txt.asc
  

  )
• Verify that your key fingerprint as shown on the list is correct.
• Calculate the checksums of the unmodified file holding the list of keys:

   gpg --print-md SHA256 ksp-fosdem2009.txt
   gpg --print-md RIPEMD160 ksp-fosdem2009.txt
  

  . Likely, the last bytes of the SHA256 and RIPEMD160 checksums are 28846ABB and 2F16 8A97 respectively.
• Print this list of keys with fingerprints on paper:

   paps --columns=2 --font=Monospace\ 5 ksp-fosdem2009.txt | lpr
  

  .
• Fill in the just calculated checksums on the designated spots on the paper.

Before leaving for FOSDEM

When packing your stuff for FOSDEM, include the prepared printed list, some proof of ID (e.g. a government issued passport) and a pen.

If you'd like to help those who've failed to submit their keys in time, bring a pile of traditional PGP keyslips with your keys fingerprint on them, too.

If you've failed to submit your key in time but would still like to join the party, be sure to bring about 200 traditional PGP keyslips with your keys fingerprint on them, as well as a government issued passport to the KSP. The other participants might be willing to sign your key.

At the KSP at FOSDEM, Sunday 8 february

At the actual Key SigningParty, Sun 8 february, from 12:00 till 14:00, at Room Ferrer, next to the Fosdem infodesk at ULB Campus Solbosch in Brussels you should bring with you:

• the prepared printed list,
• a government issued passport and
• a pen.

At the KSP, the author will read out both checksums, so that everyone can verify that their printed file is the exactly the same as everyone else's. Then, proof of other participants ID's will get verified: we will line up in the same order as on the list so that every 2 persons can mutually verify identities. Once we're lined up,

• you will ask the person in front of you: "does your key's fingerprint match with the one on the list?"
• You'll be asked the same question in return.
• If the other claims her fingerprint is correct, mark the "Fingerprint OK" box on the list.
• Then, verify identities: exchange passports. Check wether the name of the person in the passport matches the name on the list,
• check wether the person in front of you is the same as the person in the passport,
• check validity of the passport (if you can).
• If all checks pass, mark the "ID OK" box on the list. Give back the passports.
• Do one small step to the right: we'll move anti-clockwise. Repeat the procedure with the person who's in front of you now.

When you're back home

Get the keys of the participants, using ksp-fosdem2009.keyring.asc.bz2. For each key you've successfully verified at the party, verify the fingerprint of the downloaded key with the one on the list. If it matches, sign it. Sent each signed key to the uid attached to it.

You can use caff(1) for this. This tool is shipped with Debian (and Ubuntu), in the signing-party package. If you're not using a Debian-based GNU/Linux distribution, get the tool from the pgp-tools project.

If you'd prefer not to use caff, but rather like to do this by hand, then after having signed a key, mail it encrypted to the email address listed in the key.

At about early march 2009

Once the bulk of the partipants have signed the keys (I'd guess that'd be at about early march 2009), process all messages you've received from these: import your updated key to your keyring, and upload it to the Keyserver network.

See also, more information

See also the page at the fosdem.org website. News and announcements about the KSP will be sent to the FOSDEM visitors mailing list. General information on PGP and keysigning is available from mdcc.cx/gnupg. An introduction in Dutch is the document "GnuPG in 5 minuten". For English readers: especially the GnuPG Gentoo User Guide, the Wikipedia article on PGP and the The GNU Privacy Handbook are worth reading. Another nice document is The Keysigning Party HOWTO. And here's a translation auf Deutsch (ist zwar eine ältere Version).

Thanks

Thanks to the people who've helped making FOSDEM 2009 KSP possible:

 Karlheinz Geyer
 Sven Guckes
 Philip Paeps
 Peter Palfrader
 Phor aka jcapel
 Johan van Selst
 Guus Sliepen
 Christophe Vandeplas
 Wouter Verhelst
 Alexander Wirt

Hosting donated by ad 1810.

$Id: index.html 4576 2010-01-10 03:49:31Z joostvb $ $URL: svn+ssh://nagy/data/vc/svn/trunk/emerald/var/www/index.html $