
NOTE: All keys must be uploaded or emailed to dirkx before noon (local time) on Monday! Email dirkx-at-apache.org or copy your fingerprint to ApacheCon2005UsKeys.

It is our intent to have a PGP key signing at some point during the conference; however we are still working on a specific time during AC-US-05. We are shooting for Monday evening 22:00 during the end of the Welcoming Reception in the main hall - just listen for people shouting!

Remember: you can always sign keys individually throughout the conference. Feel free to ask around; if you meet other people from your project in person, they often will be willing to sign keys then. Some people print up simple business cards or small slips of paper with their name, email, and PGP key fingerprints to pass out.

Update! It is confirmed that we will be having folks from CACert.org present at an actual booth during ApacheCon so you can [CaCertAssuring add points to your CACert certificates].

What is a PGP Key Signing?

This is an opportunity for committers and general attendees to sign each other's PGP or GPG keys and grow our web-of-trust.

We will try to have time both for newbies and experienced folks. Remember too that you can sign other folks' keys at any time, not just during official events. Note that we should probably save any 'how do we encourage Apache's web-of-trust' discussions or the like for another time, so we can ensure the signing party goes quickly. Oh, a picture of the somewhat-current web-of-trust within Apache folks (well, at least those who have put stuff in KEYS files) is kept at http://www.apache.org/~henkp/trust/apache.html

Committers should see cvs://committers/docs/pgp-key-signing.txt for details.

Some background on what a keysigning party is:

Should you wish to participate, here are the instructions:

Preparation - BEFORE ApacheCon

  • E-mail your key to Name-TBD at NameTBD <at> apache <dot> org as soon as possible. To get your key in emailable form use (PGP works similarly):

gpg --armor --export FINGERPRINT

The key list and a PGP (or GnuPG) keyring export will be available for your convenience at the following URL:

http://people.apache.org/~URL to be provided

The PGP Keysigning Event

  1. As an opening treat, we will have a short presentation by Ben Laurie and David Reid, authors of BaDCA, the Apache Certificate Authority. They will give us a brief overview of the CA, and how the PGP web of trust fits into this.
  2. Everybody gets a print-out of the key list. I will make those and have them available.
  3. The key entries on the printout are numbered. All participants line up in the order of their keys.
  4. The list will also be on the projection screen. You verify that your entry on the printout is correct: that the key ID, fingerprint and name + e-mail information match what you submitted. You also verify that your entry on the printout is the same as your entry on the screen.
  5. I will call out the name of each participant, in order. When your name is called, tell all participants loudly whether your information as verified in step 3 is correct.
  6. As participants positively verify their information, check whether their entry on the screen matches their entry on your printout. If so, you can place a check mark in the first of the two boxes at the right of your printout.

Why do we do this? To make sure we all have the same list, and that the list is correct. You are verifying that I didn't make any mistakes compiling the list, or that I didn't nefariously doctor anyone's key.

  7. Once everyone's key data has been verified, the fun part starts. We're going to double back the line, have each participant walk past everyone else. As you meet each other participant, you identify them. If you make positive identification, you place a check mark in the second box at the right of your printout.

How do you identify people? That is up to you. Some folks check each other's passport or driver's license, but that means you trust the government to provide positive identification. And who trusts the government anymore these days? Some folks just know each other, or, if they haven't met before the conference, have gotten to know each other well enough to assert that they know who they are. It's really up to you, and if you can't identify the other person to your liking, don't check that box and don't sign their key.

  8. After everyone has met everyone else, you should have a list with a bunch of checkmarks in the right columns. Put this list in your pocket. Back in your hotel room, pull out the list, and sign the keys that you gave two checkmarks. Then, export that signed key and mail it back to the owner. By mailing it back to them, you make sure that they have it, can upload it to their keyserver of choice, append it to the KEYS file in the Apache repository, etc. Furthermore, by mailing them their signed key, you remind them that they owe you the same favor. (:

What you should bring:

  1. Yourself. Obviously.
  2. Your beverage of choice (carry it over from the reception).
  3. A pen. Or two, so you can give one to your neighbor in line who forgot to bring one.
  4. Something to identify yourself with. Your face, your voice, unique pheromone pattern, etc. The better you can convince your fellow participants that it's really you, the more signatures you will get.
  5. No computer.

No computer? No. We're not running the PGP (or GnuPG) program at the Keysigning Event, and we're not actually signing keys at the event. You're standing in line, juggling paper, pen and your beverage of choice... no way you can manipulate a computer while that's going on. And you want to be paying attention too, especially during the key verification phase. So, no slashdotting either. Don't worry, it'll be OK. We all spend too much time with our computers anyway.

This ends the PGP Keysigning event.

The Actual Signing of Keys

Notice anything conspicuously absent from the Keysigning Event? Right, no keys are actually signed at the event. The event is purely meant to verify participants' identities and to connect persons to keys. After the event, you sit at your computer, with your list of fingerprints, and sign the keys of everyone on the list whose identities you verified. Then, mail the signed keys back to their owners. You could upload a signed key to your favorite keyserver and hope the owner finds it, but mailing it directly back to them is much more straightforward. And it may prompt the other person to return the favor.

One note: everyone has their own criteria for signing keys. Some people are fairly lax, and will sign anyone's key that they've met, or even just exchanged regular emails with. Other folks will only sign keys when they can prove your identity, or will use your key to send you a couple of messages over a period of time to verify that you use it. So don't be offended if someone doesn't sign your key immediately after the event.
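The two steps that happen away from the event, checking that a printout entry is self-consistent and later signing only the keys you gave two checkmarks, are easy to get wrong when done by hand against forty hex digits. The following script is an added example for this page and not part of the original instructions or of any Apache tooling. It assumes the keyring export announced above was saved as a file, that you typed the fingerprints you double-checked into a text file one per line exactly as printed, and that a v4 key's long key ID is the last 16 hex digits of its fingerprint (the short ID the last 8). The file names and the checked-list format are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original ApacheCon page): post-event helper for
# checking printout entries and signing the keys you verified in person.

# Normalise a fingerprint or key ID as printed (groups of four, mixed case,
# possibly an 0x prefix) to the uppercase, space-free form gpg uses.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-z' 'A-Z'
}

# Check one printout entry: the fingerprint must be 40 hex digits and the
# printed key ID (8 or 16 digits) must be the tail of that fingerprint.
# A mismatch means the entry, or your reading of it, is wrong: do not sign.
check_entry() {
    fpr=$(norm_fpr "$1")
    keyid=$(norm_fpr "$2")
    keyid=${keyid#0X}
    case "$fpr" in *[!0-9A-F]*|'') return 1 ;; esac
    [ "${#fpr}" -eq 40 ] || return 1
    case "${#keyid}" in 8|16) ;; *) return 1 ;; esac
    [ "$(printf '%s' "$fpr" | tail -c "${#keyid}")" = "$keyid" ]
}

# Import the keyring export, then for every fingerprint in your checked list
# sign the key and write an armored copy to mail back to its owner.
# Matching is done on the full fingerprint, never on a short key ID.
sign_checked_keys() {
    ring=$1   # assumed: keyring export downloaded before the event
    list=$2   # assumed: fingerprints you gave two checkmarks, one per line
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --import "$ring" || return 1
    while IFS= read -r line; do
        fpr=$(norm_fpr "$line")
        [ -n "$fpr" ] || continue
        # In --with-colons output the fingerprint is the 10th field of an
        # 'fpr' record, so anchor on the surrounding colons.
        if gpg --with-colons --fingerprint "$fpr" 2>/dev/null | grep -q "^fpr:.*:$fpr:"; then
            # --sign-key prompts before signing; answer only for keys whose
            # owner you identified at the event.
            gpg --sign-key "$fpr" &&
            gpg --armor --export "$fpr" > "signed-$fpr.asc" &&
            echo "signed $fpr -> signed-$fpr.asc (mail this to the owner)"
        else
            echo "no key with fingerprint $fpr in keyring; skipping" >&2
        fi
    done < "$list"
}

# Usage: sh sign-checked.sh apachecon-keys.gpg my-checked-list.txt
if [ "$#" -eq 2 ]; then
    sign_checked_keys "$1" "$2"
fi
```

Run `check_entry` against each line of your printout before the roll call if you want to catch a list that was compiled wrongly; run `sign_checked_keys` only back at the computer, since nothing here belongs at the event itself.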

ApacheCon EU 2005

The keysigning there was organized by SanderTemme. He did a great job of this last year at AC-US, so I presume that it will be similarly successful this year. The current official time for this event will be 20:00 (8PM for you Americans) on Wednesday, July 20.

Keys for signing at ApacheCon US 2005

Keysigning will happen on Monday at 19:30 in the main exposition area.

Please add your keys to ApacheCon2005UsKeys.
