Web Of Trust BOF

Let's sign our GPG keys to increase the web of trust. Also bring your CAcert and Thawte personal certificates for signing, if you have any.

Also see: graphical frontends to GnuPG; I can recommend KGpg.

Before the conference

1. Download a copy of signing-party.
http://ftp.debian.org/debian/pool/main/s/signing-party/signing-party_1.1.1.orig.tar.gz

2. Print your key's fingerprint. gpg-key2ps accepts either your e-mail address or your key ID (0x followed by the last 8 hex digits of the fingerprint) and writes a PostScript page of paper slips, each carrying the full fingerprint and uids of the key.

~/signing-party-1.1.1> ./gpg-key2ps/gpg-key2ps user@example.com > print-me.ps
~/signing-party-1.1.1> ./gpg-key2ps/gpg-key2ps 0xABCDEF01 > print-me.ps

If you can't run that program, run the command below instead, paste the output several times into a text editor or word processor until it fills a page, and print that.

> gpg --fingerprint user@example.com
> gpg --fingerprint 0xABCDEF01

3. Upload your key to a public key server, so that the people who sign your slip at the BOF can fetch the key afterwards.

Bullets for your reminder:

  • Did I remember to print my GPG key fingerprints?
  • Did I remember to bring my photo ID card?

During the WebOfTrustBOF

Everyone hands out paper slips carrying their printed key fingerprint and shows their photo ID. Whoever receives a slip examines the giver's photo ID: does the photo match the face? Does the name on the ID card match the name in the key's uid on the slip? Only if both match does the receiver hand-write their own signature on the slip.¹
Repeat until everyone has had a turn to hand out slips and show their ID card.

Further reading: http://en.wikipedia.org/wiki/Key_signing_party

¹ This guards against tampering: without your hand-written mark, someone intending to subvert the process could stealthily slip a piece of paper into your pocket, and you might later sign that key believing you had verified the ID.

After the WebOfTrustBOF

Run the program caff from the signing-party package. On first run it sets up defaults and prints some self-documentation. Edit ~/.caffrc and correct the values for:
$CONFIG{'owner'}
$CONFIG{'email'}
$CONFIG{'keyid'}

Now take all paper slips that carry your hand-written signature and pass their key IDs (the last 8 hex digits of the full fingerprint) to caff, like this:

> perl caff 1245780A 12345123 FFFFEECD

When caff prompts you to cryptographically sign a key, take the time to verify that the full fingerprint shown on screen matches the full fingerprint on the paper slip, digit by digit. The 8-digit key ID alone is not enough: different keys can share the same last 8 hex digits, so the fingerprint on paper is the only thing that ties the key on screen to the person whose ID you checked.

You can do a dry run (signatures are made but nothing is mailed) by passing the option '--mail no' to caff; remove the ~/.caff directory to start over from the beginning. Read perldoc caff for more details, and README.gpg-agent in the caff directory to find out how to avoid typing your passphrase over and over again.
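This is the point where the short key ID you type into caff meets the full fingerprint on the slip. The POSIX shell script below is an added example, not code from signing-party or from this page: it normalises a fingerprint as transcribed from a slip, looks the key up by the same 8-digit ID you would give caff, and refuses to go on when the key is missing, when its fingerprint differs from the paper, or when more than one key in your keyring shares that short ID. The function names, the exit codes and the sample fingerprint are invented for illustration; the script assumes gpg and awk are on the PATH.

```shell
#!/bin/sh
# Added example, not part of signing-party or of the BOF page: check a paper
# slip against the local keyring before handing its key ID to caff.
# Assumptions: POSIX sh, awk and gpg in PATH. Function names, exit codes and
# the fingerprint used in the usage line are made up for illustration.

# Normalise a fingerprint as transcribed from paper: drop spaces and colons,
# drop an optional 0x prefix, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Succeed only if the argument is a full fingerprint: exactly 40 hex digits.
is_full_fpr() {
    case "$1" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Short key ID (last 8 hex digits) of a fingerprint, the form the page passes to caff.
short_keyid() {
    printf '%s' "${1#"${1%????????}"}"
}

# Fingerprints the keyring holds for a key ID, one per line. Parses gpg's
# machine-readable --with-colons output and keeps the "fpr" record (field 10)
# that follows each "pub" record, skipping subkey fingerprints. Empty if nothing matches.
keyring_fprs() {
    gpg --batch --with-colons --with-fingerprint --list-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "pub" { want = 1 } $1 == "fpr" && want { print $10; want = 0 }'
}

# Verdict for one slip. $1: normalised fingerprint from the paper; $2: the
# fingerprints the keyring returned for its short key ID (newline-separated).
#   0 = exactly one key and it matches the paper: safe to give to caff
#   1 = one key, but its fingerprint differs from the paper (wrong key)
#   3 = no such key in the keyring (fetch it first)
#   4 = several keys share this short ID (collision): sign by full fingerprint only
judge_slip() {
    paper=$1
    found=$2
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -eq 0 ]; then
        echo "MISSING: no key $(short_keyid "$paper") in keyring; try gpg --recv-keys $paper" >&2
        return 3
    elif [ "$count" -gt 1 ]; then
        echo "AMBIGUOUS: $count keys share short ID $(short_keyid "$paper"); do not sign by short ID" >&2
        return 4
    elif [ "$found" = "$paper" ]; then
        echo "OK: $paper matches the keyring; caff $(short_keyid "$paper")"
        return 0
    fi
    echo "MISMATCH: paper says $paper but the keyring has $found" >&2
    return 1
}

# Glue: take the slip as written (spaces allowed), look the key up by its short
# ID exactly as you would type it into caff, and judge the result.
verify_slip() {
    paper=$(normalize_fpr "$1")
    if ! is_full_fpr "$paper"; then
        echo "REJECT: '$1' is not a full 40-digit fingerprint" >&2
        return 2
    fi
    judge_slip "$paper" "$(keyring_fprs "0x$(short_keyid "$paper")")"
}

# Usage: sh verify-slip.sh "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
# (constructed fingerprint, not a real key). One slip per argument.
if [ "$#" -gt 0 ]; then
    for slip in "$@"; do
        verify_slip "$slip"
    done
fi
```

Run it once per slip before the caff invocation; only slips that come back with "OK" get their key ID on the caff command line, and any "AMBIGUOUS" or "MISMATCH" verdict means the 8-digit ID must not be used for that key at all.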

Live help: talk to daxim in #yapc on MagNET. irc://irc.perl.org/yapc

Duration

20~30 minutes

BOF organiser

Lars Dɪᴇᴄᴋᴏᴡ (‎daxim‎) 0xE5F4D07A

I have only experience with GPG keys. Knowledgeable CAcert/Thawte certificate holders, please organise among yourselves.

Participants

Enter your Act IDs below. If you keep your key on a public keyserver, also add your key ID (the last 8 hex digits of the fingerprint) or update your Act profile:


Last modified: 02/08/09 02:20 by Alistair MacLeod (‎anm‎)

Tags: bof cacert gpg wot
