
It is our intent to have a PGP key signing at some point during the conference. SanderTemme will be coordinating this event. He did a great job of this last year, so I presume that it will be similarly successful this year. The current official time for this event will be #### TO BE DECIDED ###

What is a PGP Key Signing?

This is an opportunity for committers and general attendees to sign each other's PGP or GPG keys and grow our web-of-trust.

We will try to have time both for newbies and experienced folks. Remember too that you can sign other folk's keys at any time, not just during official events. Note that we should probably save any 'how do we encourage Apache's web-of-trust' discussions or the like for another time, so we can ensure the signing party goes quickly. Oh, a picture of the somewhat-current web-of-trust within Apache folks (well, at least those who have put stuff in KEYS files) is kept at http://www.apache.org/~henkp/trust/apache.html

Committers should see cvs://committers/docs/pgp-key-signing.txt for details.

Some background on what a keysigning party is:

Should you wish to participate, here are the instructions:

Preparation - BEFORE ApacheCon

  1. E-mail your key to Sander at sander <at> temme <dot> net as soon as possible. To get your key in emailable form use (PGP works similarly):

gpg --armor --export FINGERPRINT

  2. SanderTemme will compile a list of the fingerprints of all the keys he receives and make this list available for download. You will receive an e-mail message with the download URL. For convenience, a keyring containing all the keys on the list will be made available as well.
  3. You download the list, take its SHA-1 checksum, print out a hardcopy of both the list and the checksum and bring those to the conference. This is very important: no physical copies of the list will be available at the keysigning event.
  4. Verify that your entry in the list is correct.

What to Bring To The Keysigning

  1. The printed list (see above)
  2. Your checksum of the downloaded list file (see above)
  3. A pen. Or two. Maybe different colors. Go to town.
  4. Some form of ID... passport, driver's license, unique pheromone pattern, anything that will convince your fellow participants of your identity. Note that it is up to each participant's judgement whether your ID has been sufficiently verified to sign your key.
  5. No computer.

No computer? No. Don't bring your computer to the event. No keys are actually signed at the event. Really paranoid fellow participants will point to the dangers of shoulder-surfing for your private key passphrase, and the presence of computers at the signing event would interfere with the smooth progress thereof. We all spend too much time with our computers anyway.

The event will probably proceed as follows: (these are the instructions from last year)

The Keysigning Event

  1. After a short introduction, the SHA-1 checksum of the fingerprint list will be read. You can verify this checksum against the checksum of the file you downloaded. This checksum is your guarantee that we are working with the same file that you downloaded.
  2. Participants will be asked to line up in the same order in which their keys appear in the list.
  3. The name of every participant will be read, in order, and they will be asked if their key fingerprint provided on the list is correct. As participants confirm that their fingerprints are correct, all other participants can place a check mark at that entry in the list.
  4. All participants pull out a means of verifying their own identity. This is usually a passport or driver's license.
  5. The participant at the head of the line turns around and walks down the line, verifying each participant's identity while they verify his/hers. As each participant verifies another's identity, they place a second checkmark next to that person's name. The first participant is followed by the second participant and so on, until the line has completely folded onto itself. The list entries of everyone present whose identity was verified should now have two checkmarks next to them.

Note: Shane suggests that if this is popular, we split the room into two and have each half of the room cross-sign; this isn't quite as good for web-of-trust strength, but will be quicker if we have a lot of people. Also, I'm sure there's some way to do a circle instead of a line but I haven't figured out the optimal way to explain this. SanderTemme says "Let's cross that bridge when we arrive at it. Last year we had thirty-plus people and IHHO that was quite manageable."

This ends the PGP Keysigning event.

The Actual Signing of Keys

Notice anything conspicuously absent from the Keysigning Event? Right, no keys are actually signed at the event. The event is purely meant to verify participants' identities and to connect persons to keys. After the event, you sit at your computer, with your list of fingerprints, and sign the keys of everyone on the list whose identities you verified. Then, mail the signed keys back to their owners. You could upload a signed key to your favorite keyserver and hope the owner finds it, but mailing it directly back to them is much more straightforward. And it may prompt the other person to return the favor.
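As an added example (not part of the original page), the script below covers both the preparation steps and the signing you do afterwards: it computes the SHA-1 of the downloaded list, parses the entries (assuming the coordinator's list is in the layout `gpg --fingerprint` prints), checks that your own entry is correct, and returns the fingerprints of the people whose ID you verified so you can run `gpg --sign-key` on each. The sample list, names and fingerprints are constructed.

```python
import hashlib
import re

# Constructed sample of the fingerprint list the coordinator distributes,
# in the layout `gpg --fingerprint` prints. Names and fingerprints are made up.
SAMPLE_LIST = b"""\
pub   1024D/0A1B2C3D 2003-05-14
      Key fingerprint = 0A1B 2C3D 4E5F 6071 8293  A4B5 C6D7 E8F9 0A1B 2C3D
uid                  Alice Example <alice@example.org>

pub   1024D/5E6F7081 2002-11-02
      Key fingerprint = 5E6F 7081 92A3 B4C5 D6E7  F809 1A2B 3C4D 5E6F 7081
uid                  Bob Example <bob@example.net>
"""

FPR_RE = re.compile(r"Key fingerprint = ([0-9A-Fa-f ]+)$")

def list_checksum(data):
    """SHA-1 of the downloaded file as bytes: print this alongside the list and
    compare it with the checksum read aloud at the start of the event."""
    return hashlib.sha1(data).hexdigest()

def parse_fingerprint_list(data):
    """Return [(position, fingerprint, primary uid)] in list order, which is
    also the order in which participants line up."""
    entries, fpr, uid = [], None, None
    for line in data.decode("utf-8").splitlines():
        m = FPR_RE.search(line)
        if m:
            if fpr:  # flush the previous key before starting a new one
                entries.append((len(entries) + 1, fpr, uid))
            fpr, uid = m.group(1).replace(" ", "").upper(), None
            if len(fpr) != 40:  # a v4 fingerprint is 160 bits = 40 hex digits
                raise ValueError("malformed fingerprint: " + fpr)
        elif fpr and uid is None and line.startswith("uid"):
            uid = line[3:].strip()
    if fpr:
        entries.append((len(entries) + 1, fpr, uid))
    return entries

def check_my_entry(entries, my_fpr, my_uid):
    """Last preparation step: is my key on the list, with my name and address?"""
    want = my_fpr.replace(" ", "").upper()
    return any(f == want and u == my_uid for _, f, u in entries)

def keys_to_sign(entries, verified_uids):
    """After the event: the fingerprints of everyone whose ID you checked
    (two checkmarks), to pass to `gpg --sign-key` one at a time."""
    return [f for _, f, u in entries if u in verified_uids]
```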

One note: everyone has their own criteria for signing keys. Some people are fairly lax, and will sign anyone's key that they've met, or even just exchanged regular emails with. Other folks will only sign keys when they can prove your identity, or will use your key to send you a couple of messages over a period of time to verify that you use it. So don't be offended if someone doesn't sign your key immediately after the event.
