Tux-UKUUG logo
Linux 2004
Conference and Tutorials
 ---------------------------------------------------
Thursday 5th to Sunday 8th August
Leeds, West Yorkshire

Keysigning

We will be running a GPG keysigning during the event and hope that most conference delegates will take part in this. This is an excellent chance to meet up with a well-connected group of geographically distributed developers and expand the Web Of Trust. There will be an introductory workshop for people wanting to learn more about GPG.

In order to participate, you will need an OpenPGP-compatible key. We recommend the use of GnuPG. If you do not already have a key, generate one and send it to a keyserver (we recommend subkeys.pgp.net and recommend against www.keyserver.com).

As we anticipate in excess of a hundred people will participate in the keysigning, we shall use a variant of the Efficient Group Key Signing Method.

Register for the keysigning

  • Send mail to keys-at-ukuug.org including the output from gpg --fingerprint <keyid>.
  • Please do this before July 27th so people have time to complete the steps below.

Before the conference

  • Once the deadline has passed, the master list will be available from this page.
  • Download it and check that the fingerprint for your key is correct.
  • Calculate the SHA checksum for this file using $ gpg --print-md sha1 fingerprints.txt
  • Write down the checksum and bring it with you.

During the conference

  • Everyone who signed up for the keysigning will have a list of keys with their fingerprints provided to them at registration.
  • Have your ID with you so people who don't know you personally can verify your identity.
  • Have your copy of the checksum with you so you can verify that everybody has the same fingerprint file.
  • Attempt to meet as many people as you can who're participating before the keysigning BOF.

At the keysigning event

  • The facilitator will stand up at the front of the room and recite the checksum they calculated.
  • Then we will attempt to make sure that everybody has verified everybody else's identity.
  • The normal way to do this is to form two parallel lines facing each other.
  • You verify identity with the person opposite you and then shuffle clockwise to meet the next person.
  • This method is sometimes referred to as the bicycle chain.
  • The important thing is to keep moving to prevent other people from getting frustrated by not having anyone near them to verify.

After the conference

You now have a piece of paper with various cryptic marks on it sitting in front of you and the daunting task of signing dozens of keys by typing your passphrase over and over again. Fortunately, there's several ways to automate the process.

To retrieve all the keys in the keyring easily, fetch the keyring and import it with gpg --import.

I suggest signing keys in batches to prevent boredom. One useful tip is that you can specify a key by full fingerprint to gpg like so: gpg --sign-key 38FAA231A84DE7C5724850CC2218C81E8E7C03FF Since the fingerprints file has all the fingerprints written down in it already, you can simply copy the fingerprints you verified and pass them to gpg.

You may wish to use a little wrapper program I wrote called gpg-multi so you only have to enter your passphrase once. You can download it from here (sig). You might not want to automate this step. Forgetting the passphrase is the most common reason for keys becoming unused. Typing it in a hundred times is a great way to learn it.

Once you've signed the keys you've verified, don't forget to send them to a keyserver. We will update the resulting web of trust on a regular basis.

If you're not on the list

You can still participate.

  • Download the fingerprint file, print it and write the fingerprint checksum on the printed copy.
  • Also print lots of copies of your own fingerprint.
  • Give copies of your fingerprint to other people at the same time you verify the checksum.

If you're going to miss the keysigning BOF

If you wander around looking for people to sign, you'll find a lot of people before the BOF. There's no need to attend the actual meeting if it conflicts with another BOF you want to attend or you have to leave before the BOF.

If you forgot the checksum

You can still participate. You can write down the checksum that other people tell you and, when you get home, verify that the file matches their checksum, then sign their keys. In order for others to be able to sign your key, the best thing to do is give them a copy of your fingerprint.

If you forgot your passphrase

There's basically no way to recover from this, sorry. You should probably generate a new key and start getting that key better-connected. If you had the foresight to generate a revocation certificate, you should add that to your old key and upload it so that people know to not use that key any more.

More information

For more information on keysignings, the Web of Trust, GnuPG and Public Key Infrastructure, try the following links:

Programme Leeds
& Directions 		Registration Keysigning Call for Papers
Timetable Accommodation Photos Papers & Slides Feedback

S  P O N S O R S
Silver Sponsor - Fotango
Fotango
SILVER SPONSOR 		Astaro Network Firewall
Astaro Network Firewall
IBM
IBM 		School of Computing at Leeds
Leeds University

M  E D I A   S  P O N S O R S
Linux Magazine
Linux Magazine 		The Register
The Register
Linux User
Linux User & Developer 		Need To Know
NTK
For more information please contact UKUUG Problems? e-mail webmaster
© Copyright 2004 UKUUG Ltd