It is our intent to have a PGP key signing at some point during the conference. SanderTemme is, at least in theory, coordinating this event. He did a great job of this last year, so I presume that it will be similarly successful this year. However, we don't, at this time, know exactly when that event will take place.
Sander?
This is an opportunity for committers and general attendees to sign each other's PGP or GPG keys and grow our web-of-trust.
We will try to have time both for newbies and experienced folks. Remember too that you can sign other folks' keys at any time, not just during official events. Note that we should probably save any 'how do we encourage Apache's web-of-trust' discussions or the like for another time, so we can ensure the signing party goes quickly. Oh, a picture of the somewhat-current web-of-trust among Apache folks (well, at least those who have put stuff in KEYS files) is kept at http://www.apache.org/~henkp/trust/apache.html
Committers should see cvs://committers/docs/pgp-key-signing.txt for details.
Some background on what a keysigning party is:
Should you wish to participate, here are the instructions:
<code>gpg --armor --export FINGERPRINT</code>
No computer? No. Don't bring your computer to the event. No keys are actually signed at the event. Really paranoid fellow participants will point to the dangers of shoulder surfing for your private key passphrase, and the presence of computers at the signing event would interfere with the smooth progress thereof. We all spend too much time with our computers anyway.
The event will probably proceed as follows: (these are the instructions from last year)
This ends the PGP Keysigning event.
Notice anything conspicuously absent from the Keysigning Event? Right, no keys are actually signed at the event. The event is purely meant to verify participants' identities and to connect persons to keys. After the event, you sit at your computer, with your list of fingerprints, and sign the keys of everyone on the list whose identities you verified. Then, mail the signed keys back to their owners. You could upload a signed key to your favorite keyserver and hope the owner finds it, but mailing it directly back to them is much more straightforward.
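The post-event step described above, as an added shell example that is not part of the original page: a key is signed only when the full fingerprint from your verified paper list equals the one in your keyring. The list format (one fingerprint per line), the output file names and the sample record are assumptions, and the keys are assumed to be imported already.

```shell
#!/bin/sh
# Added example: sign only keys whose full fingerprint matches the verified list.

# Constructed sample of `gpg --with-colons --fingerprint` output (not a real key).
SAMPLE_COLONS='pub:u:4096:1:89ABCDEF01234567:1100000000:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1100000000::::Example Attendee <attendee@example.org>:
sub:u:4096:1:FEDCBA9876543210:1100000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Strip whitespace and upper-case, so paper and keyring forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'a-f' 'A-F'
}

# Read colon-format output on stdin; print the primary key fingerprint
# (field 10 of the first "fpr" record, the one that follows "pub").
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only on a full, non-empty fingerprint match (never a short key ID).
fpr_matches() {
    [ -n "$1" ] && [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# $1: file of fingerprints you verified in person, one per line (assumed format).
# The list is read on fd 3 so gpg keeps the terminal for its prompts.
sign_verified_list() {
    while IFS= read -r line <&3 || [ -n "$line" ]; do
        want=$(normalize_fpr "$line")
        [ -n "$want" ] || continue
        have=$(gpg --with-colons --fingerprint "$want" 2>/dev/null | primary_fpr)
        if fpr_matches "$want" "$have"; then
            gpg --sign-key "$want" &&
                gpg --armor --export "$want" > "signed-$want.asc"
        else
            echo "SKIP $want: not in keyring or fingerprint mismatch" >&2
        fi
    done 3< "$1"
}
```

Each `signed-*.asc` file is what you mail back to the key's owner.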
One note: everyone has their own criteria for signing keys. Some people are fairly lax, and will sign the key of anyone they've met, or even just exchanged regular emails with. Other folks will only sign keys when they can prove your identity, or will use your key to send you a couple of messages over a period of time to verify that you use it. So don't be offended if someone doesn't sign your key immediately after the event.