PGP Keysigning Party
Deadline:
All keys must be received in the submission email box by Wednesday, 3 March 1999, 18:00 (Singapore Time !)
Submission email address:
pgp@apricot.net
Subject:
APRICOT PGP KEY
Format:
Please send your key as normal ASCII text. The keys should NOT be sent as attachments or in
any proprietary format (like eg MS Word etc).PGP Formats Supported PGP 2.6 (RSA) and PGP5 (RSA and D/H) Note: Keys sent to any other address or sent with a different subject may not be included in the official Apricot 99 PGP keyring!
| Date: | Thursday, 4 March 1999 |
| Time: | 18:00 - 19:30 |
| Venue: | Suntec City Convention City Room MR203 (Level 2) |
| Status: | BOF (Birds of a Feather ...) (ie *all* are welcome, as long as your key has been received on time. No APRICOT/SLC etc registration required !) |
Please check the APRICOT Notice board for any changes in
Room and Time !
1. All people who have a PGP key
The PGP Keysigning Party will enable you to obtain additional signatures (among others by noted net-personalities) for your PGP key.
2. All people who have just started to use PGP
If you just started using PGP, It is unlikely that your key has been signed by (m)any other PGP users so far. To ensure that your key is trusted by the majority of the PGP users all over the world, you will be interested to have well-known net-personalities (and other people) sign your key.
3. Those who do not have a PGP key yet
You will need to:
read up on PGP itself
create your own PGP key
to attend the keysigning party
4. Organizations
Many organizations use PGP to sign official announcements etc. Usually these organizations publish their PGP key on the web. As additional security, you may want your key to be signed by other trusted
- extract your public key using one of the following commands (depending on your PGP version):
UNIX PGP 2.6* UNIX PGP 5.* Win95 or other GUI implementation Use the export function to export your key to a text file
For more details on the PGP commands refer to the PGP manual
- send in your PGP public key.
(the PUBLIC KEY!!! Never give out your PRIVATE key to anyone!!) to the submission email address listed above. Please do NOT send the key as an attachment or in any other format but ASCII ARMORED TEXT! You could cut and paste the ascii armored PGP key into the email body if necessary!
- write down (print out) your own public key's fingerprint and the Key ID.
Under UNIX, you can obtain the key ID and fingerprint using these commands:
UNIX PGP 2.6* UNIX PGP 5.* Win95 or other GUI implementation Check the Key Properties (in PGPkeys)
Here is an example of a PGP key ID and fingerprint extracted under UNIX (PGP 5.0i):
Note: This also lists the signatures on this key, but we need only the first few lines (green colored):
$ pgpk -ll mathias Type Bits KeyID Created Expires Algorithm Use sec+ 768 0x25E082BD 1995-11-15 ---------- RSA Sign & Encrypt f16 Fingerprint16 = 1A 8B FC D4 93 F1 9A FC BD 98 A3 1A 0E 73 01 65 uid Mathias Koerber <mathias@koerber.org> SIG 0x25E082BD 1996-08-22 Mathias Koerber <mathias@koerber.org> uid Mathias Koerber <mathias@staff.singnet.com.sg> sig 0x101E3A11 1998-02-23 Alfonso B. Carandang <abc@epic.net> SIG 0x25E082BD 1996-06-09 Mathias Koerber <mathias@koerber.org> uid mathias@singapura.singnet.com.sg SIG 0x25E082BD 1995-11-17 Mathias Koerber <mathias@koerber.org> uid Mathias Koerber <Mathias_Koerber@pobox.org.sg> SIG 0x25E082BD 1995-11-16 Mathias Koerber <mathias@koerber.org> uid Mathias Koerber <mathias@singnet.com.sg> sig 0x3022C951 1995-12-18 William Allen Simpson <Bill.Simpson@um.cc.umich.edu> sig? 0x0DBF906D 1996-03-09 (Unknown signator, can't be checked) sig? 0x579532CD 1995-12-08 (Unknown signator, can't be checked) sig? 0x7B7AE5E1 1995-12-18 (Unknown signator, can't be checked) sig 0x76875905 1995-12-10 Angelos D. Keromytis <kermit@forthnet.gr> sig 0x466B4289 1995-12-07 Theodore Ts'o [SIGNATURE] <tytso@mit.edu> SIG 0x25E082BD 1995-11-15 Mathias Koerber <mathias@koerber.org> uid Mathias Koerber <mathias@singnet.com.sg> <Mathias_Koerber@pobox.org.sg> SIG 0x25E082BD 1995-11-15 Mathias Koerber <mathias@koerber.org>
- periodically check the noticeboard, where the list of keys submitted for the PGP keysigning party will be posted. Your key must be submitted by the deadline to be called during the keysigning party and included in the official APRICOT PGP keyring. If you submitted your key, and it does not appear on the list, please submit it again before the deadline!
- Bring along proper PHOTO identification
For other participants to sign your PGP key (which is the whole aim of this event), they must be able to verify that the key belongs to you and that you really are who you claim to be.
- if you submitted a PGP key for your organization, please bring along identification which proves that you are indeed representing that organization
letter by the president/management etc on their stationery
namecard
company pass etc
- obtain the list of submitted keys (this will be provided as a printout at the beginning of the party).
- check that YOUR OWN public key is listed on the printout, and check its PGP KEY FINGERPRINT. Check it carefully. The fingerprint must match in *every* character
Procedure
- During the party, we will one by one read out aloud each PGP key submitted including the KeyID, the attached userIDs (names) and the Key Fingerprint. During this the owner of the key will stand up to be recognized by the crowd.
(We may need each key-owner to read their own Key fingerprint etc, unless we manage to rustle up a suitable Voice program to automatically read the keys)
- During this, each participant should
check that the userid, name, keyid and fingerprint match what is printed on your printout
ensure that the person standing up acknowledges the key as his own
note which keys checked out ok and which ones haven't
- After all keys have been read, you are encouraged to
verify the owners' identities by checking their supporting documents (Photo ID)
especially carefully verify the credentials for those who want an organization's key signed.
- obtain the official APRICOT 99 keyring from http://www.koerber.org/apricot99/
This will be available sometime after the keysigning party. A more detailed announement will be posted on the APRICOT Notice Board. There will be 2 keyfiles, one with only PGP2.6 keys, the other containg all (PGP2.6 and PGP5) keys
- decide whose keys you would want to sign (using your notes made during the keysigning party)
You should only sign keys if you have *very carefully* verified the key's integrity and the owner's supporting documents (passport etc). If there is any doubt as to a person's identity or ownership of a key, do NOT sign that person's key !!
- sign these people's keys with your own PGP PRIVATE KEY, using your PGP software
- export/save the signed keys into ASCII files (see the PGP manual)
- either send the signed public keys to the keys owner (recommended) or to one of the public PGP keyservers.
It is recommended that you send the key to the owner, so that they can decide themselves which signatures to send to the keyservers.
- If you had presented your own key, you may want to check the public pgp keyservers periodically to see whether other participants have sent in new signatures for your own key. If so, you may want to obtain you own public key from the server and add it (actually only the additional signatures) to your own keyring. If another participant has sent you your key with a new signature, you will want to add the new signature to your own keyring, and then send the key to the public PGP keyservers.
PGP (Pretty Good Privacy) is a standard (and a program implementing that standard) providing strong authentication and encryption for email (and other networking applications such as internet phone) using a public key system.
From the PGP FAQ (http://www.at.pgp.net/pgpnet/pgp-faq/):
You should encrypt your e-mail for the same reason that you don't write all of your correspondence on the back of a post card. E-mail is actually far less secure than the postal system. With the post office, you at least put your letter inside an envelope to hide it from casual snooping. Take a look at the header area of any e-mail message that you receive and you will see that it has passed through a number of nodes on its way to you. Every one of these nodes presents the opportunity for snooping. Encryption in no way should imply illegal activity. It is simply intended to keep personal thoughts personal.
Xenon <an48138@anon.penet.fi> puts it like this:
Crime? If you are not a politician, research scientist, investor, CEO, lawyer, celebrity, libertarian in a repressive society, investor, or person having too much fun, and you do not send e-mail about your private sex life, financial/political/legal/scientific plans, or gossip then maybe you don't need PGP, but at least realize that privacy has nothing to do with crime and is in fact what keeps the world from falling apart. Besides, PGP is FUN. You never had a secret decoder ring? Boo!
-Xenon (Copyright 1993, Xenon)
Again, see the FAQ: http://www.at.pgp.net/pgpnet/pgp-faq/faq-06.html
A PGP keysigning party is not a party in the sense of celebration. It is unlikely that alcohol will flow or hors d'oevres be passed out. As PGP uses a public key system, it usually is easy to obtain some person's public PGP key (which is required to securely converse with that person or to verify that person's authorship or identity). The usual method for this is to either ask the person directly for their PGP key. Another method is to request it from a public PGP keyserver, which is like a worldwide replicated directory of PGP public keys.
You can find more information on PGP at these webpages:
PGP Inc.: http://www.pgp.com
PGP.net: http://www.pgp.net
International PGP Homepage: http://www.ifi.uio.no/pgp/
There is a PGP discussion newsgroup named comp.security.pgp and its FAQ:
There is a book on PGP published by O'Reilly & Associates:
Simson Garfinkel: PGP: Pretty Good Privacy
1st Edition December 1994
1-56592-098-8, Order Number: 0988
430 pages, $29.95