We will have a PGP Key Signing at the conference. It will happen at the end of the Welcome Reception, early evening on Wednesday October 11, 2006. The exact location will be announced during the reception – just listen for people shouting!
Remember: you can always sign keys individually throughout the conference. Feel free to ask around: if you meet other people from your project in person, they often will be willing to sign keys. Some people print up simple business cards or small slips of paper with their name, email, and PGP key fingerprints to pass out.
This is an opportunity for committers and general attendees to sign each other's PGP or GPG keys and grow our Web Of Trust.
We will try to have time both for newbies and experienced folks. Remember too that you can sign other folks' keys at any time, not just during official events. Note that we should probably save any 'how do we encourage Apache's web-of-trust' discussions or the like for another time, so we can ensure the signing party goes quickly. Oh, a picture of the somewhat-current web-of-trust within Apache folks (well, at least those who have put stuff in KEYS files) is kept at http://www.apache.org/~henkp/trust/apache.html
Committers should see https://svn.apache.org/repos/private/committers/docs/pgp-key-signing.txt for details.
Some background on what a keysigning party is:
Should you wish to participate, here are the instructions:
$ gpg --armor --export KEY_ID > mykey.asc
$ ( echo "Hey Sander, here's my key!"; echo ""; gpg --armor --export 152924AF ) | mail -s "Key for ApacheCon Keysigning" sctemme@apache.org
The key list, and a PGP (or GnuPG) keyring export will be available for your convenience at the following URL:
http://people.apache.org/~sctemme/ApconUS2006/keysigning/
Then, send the owner of the key a signed, encrypted e-mail telling them that you have signed their key. Hopefully they will do you the same favor.
What you should bring:
1. Yourself. Obviously.
No computer? No. We're not running the PGP (or GnuPG) program at the Keysigning Event, and we're not actually signing keys at the event. You're standing in line, juggling paper, pen and your beverage of choice... no way you can manipulate a computer while that's going on. And you want to be paying attention too, especially during the key verification phase. So, no slashdotting either. Don't worry, it'll be OK. We all spend too much time with our computers anyway.
This ends the PGP Keysigning event.
Notice anything conspicuously absent from the Keysigning Event? Right, no keys are actually signed at the event. The event is purely meant to verify participants' identities and to connect persons to keys. After the event, you sit at your computer, with your list of fingerprints, and sign the keys of everyone on the list whose identities you verified. Then, mail the signed keys back to their owners. You could upload a signed key to your favorite keyserver and hope the owner finds it, but mailing it directly back to them is much more straightforward. And it may prompt the other person to return the favor.
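The post-event check described above, as an added example that is not part of the original page: before signing, compare each fingerprint you ticked off on paper against the full primary-key fingerprint in the downloaded keyring. The function names, the sample listing and the sample paper list are constructed for illustration; the listing format is that of `gpg --with-colons --fingerprint`, and 40-hex-digit (v4) fingerprints are assumed.

```shell
#!/bin/sh
# Added example: pick out the keys whose full fingerprint you verified in person.

# Normalise a fingerprint as written on paper: drop separators, uppercase.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :\t\r\n' | tr 'abcdef' 'ABCDEF'
}

# signable_keys LISTING VERIFIED
#   LISTING : text in the format printed by `gpg --with-colons --fingerprint`
#   VERIFIED: one fingerprint per line, copied from your checked paper list
# Prints each verified fingerprint that equals a primary-key fingerprint in LISTING.
signable_keys() {
    listing=$1
    verified=$2
    # Field 10 of the first fpr record after a pub record is the primary fingerprint;
    # fpr records that follow a sub record belong to subkeys and are skipped.
    ring=$(printf '%s\n' "$listing" | awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }')
    printf '%s\n' "$verified" | while IFS= read -r line; do
        f=$(norm_fpr "$line")
        # Assumption: 40-hex-digit (v4) fingerprints. Short key IDs are rejected.
        case $f in *[!0-9A-F]*) continue ;; esac
        [ "${#f}" -eq 40 ] || continue
        if printf '%s\n' "$ring" | grep -qxF "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample data, not real keys: two keys as they would appear in the listing.
SAMPLE_LISTING='pub:-:1024:17:DDDD4444EEEE5555:1136073600:::-:::scESC:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:-::::1136073600::::Alice Example <alice@example.org>:
sub:-:2048:16:0000DDDD0000EEEE:1136073600::::::e:
fpr:::::::::0000AAAA0000BBBB0000CCCC0000DDDD0000EEEE:
pub:-:1024:17:1234ABCD1234ABCD:1136073600:::-:::scESC:
fpr:::::::::1234ABCD1234ABCD1234ABCD1234ABCD1234ABCD:
uid:-::::1136073600::::Bob Example <bob@example.org>:'

# Constructed paper list: Alice matches, Bob's entry differs in the last digit,
# and a bare short key ID is not accepted as proof.
SAMPLE_VERIFIED='aaaa 1111 bbbb 2222 cccc 3333 dddd 4444 eeee 5555
1234 ABCD 1234 ABCD 1234 ABCD 1234 ABCD 1234 ABCE
1234ABCD'

signable_keys "$SAMPLE_LISTING" "$SAMPLE_VERIFIED"
```

Only the fingerprints this prints are candidates for `gpg --sign-key`; anything on your paper list that does not appear needs to be rechecked with its owner rather than signed.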
One final note: everyone has their own criteria for signing keys. Some people are fairly lax, and will sign anyone's key that they've met, or even just exchanged regular emails with. Other folks will only sign keys when they can prove your identity, or will use your key to send you a couple of messages over a period of time to verify that you use it. So don't be offended if someone doesn't sign your key immediately after the event.