PenguinTrust
Contact
Name: Jens Kubieziel
Mail: jens@kubieziel.de
Phone: +49 163 6156198

Key signing at the Chemnitz Linux Days

Date of key signing

The key signing party will once again take place during the Chemnitzer Linux Tag 2009. We will meet at 6:15 pm on Saturday (14 March) in the cafeteria (across from the conference building). Our keys and fingerprints will be compared as usual.

What is keysigning?

Confidential data needs to be encrypted. GnuPG offers one solution to this problem: with it you can create a pair of keys associated with your name and email address in order to protect your data.

If another person would like to send you confidential information, they can search for your public key and use it to encrypt their email. But how can this person be sure that the key they found really is the right one? After all, anybody can create a key under any name. To gain more assurance, so-called key signing parties are held: people meet and check each other's identity cards to make sure that the person named on the key and the person met in reality are the same. Once this is established, they sign each other's keys. GnuPG users can display the list of all signers of a key with the command gpg --list-sigs KEYID (KEYID stands for a distinct key name). In general, it can be assumed that a key is more trustworthy the more signatures it has.

We would like to meet at the Chemnitzer Linux Tag in order to verify the data of every participating key. The advantage of key signing at central events is efficiency: many key owners gather in one place. That strengthens everybody's web of trust.

As an example, the picture below shows the participants' web of trust before the key signing: [Figure: web of trust before the key signing]

After our key signing event the web of trust had changed this way: [Figure: web of trust after the key signing]

Preparation of the party

What do you have to do in order to take part in the key signing?

  • Create a pair of keys, if not already done
    • If you use GnuPG, type gpg --gen-key to generate one. For further information read the HOWTO.
    • If you already own a key, it should be registered on a public key server.
  • The registration period is over. If you want to attend, print at least one hundred fingerprints of your key and come to the key signing. There I will explain further how to take part.
  • Download the list of participants and verify that your key is included. If your key is not listed within two days, please get in touch again using the above-named address. The final list will be provided a few days before the Chemnitzer Linux Tage. All participants will be informed via email.
  • Calculate the MD5, SHA1, or SHA256 hash sum of the list. This can be done with the programs md5sum, sha1sum, or sha256sum from GNU Coreutils. GnuPG (gpg --print-mds $DATEI, where $DATEI is the list file) or another program can also perform this task. The calculated value has to be entered into the appropriate field of the list.
  • Print out the list and bring it along with you when visiting the Chemnitzer Linux Tage.
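
The two checks from the preparation steps above (is my key on the list, and which hash sums belong in the printout), as an added shell example that is not part of the original page. The function names, the layout of the list file and the fingerprints in the sample are constructed assumptions.

```shell
#!/bin/sh
# Added example: function names and the sample list are constructed.

# Strip whitespace and upper-case, so "ab12 cd34" and "AB12CD34" compare equal.
normalize() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# key_in_list FILE FINGERPRINT -> status 0 if listed, 1 if not, 2 on bad input.
key_in_list() {
    want=$(normalize "$2")
    # Require a full 40-hex-digit fingerprint, not a short key ID.
    case "$want" in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    # Compare against the list with spaces removed and letters upper-cased.
    tr -d ' \t' < "$1" | tr '[:lower:]' '[:upper:]' | grep -qF "$want"
}

# list_digest ALGO FILE -> prints only the hex digest (ALGO: md5, sha1, sha256).
list_digest() {
    case "$1" in
        md5|sha1|sha256) "${1}sum" < "$2" | cut -d ' ' -f 1 ;;
        *) return 2 ;;
    esac
}

# Demo on a constructed list (the fingerprints are made up, not real keys).
list=$(mktemp)
cat > "$list" <<'EOF'
001  Alice Example <alice@example.org>
     Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
002  Bob Example <bob@example.org>
     Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98
EOF
if key_in_list "$list" "0123456789abcdef0123456789abcdef01234567"; then
    echo "my key is on the list"
fi
for algo in md5 sha1 sha256; do
    printf '%-6s %s\n' "$algo" "$(list_digest "$algo" "$list")"
done
rm -f "$list"
```

Take the fingerprint to check from gpg --fingerprint KEYID on your own machine, and run the digests on the file exactly as downloaded, since any re-saving or reformatting changes the hash sums.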

Procedure of key signing

As already mentioned, the identity of every key owner has to be verified by means of an official document. An identity card or passport is most appropriate. It should be valid on the day of the key signing.

For signing the keys we are going to meet in the cafeteria (Mensa) across from the conference building. There we will verify the identities one after another. Our experience has shown that it is useful to project a picture of the passport or ID card onto the wall, so that all potential signers can verify the document simultaneously. If you prefer to take a personal look at the ID card, you are welcome to do so.

Subsequently, you can sign all the keys you trust at your computer. Using GnuPG, you type gpg --sign-key KEYID or gpg --edit-key KEYID to do that.

However, it is better to automate the signing. The small program caff is best suited to this job.

Further information

For further questions, please do not hesitate to get in touch with me.

My email address: jens@kubieziel.de

For additional information you can also read the GPG key signing party HOWTO.

last modified on 03/16/2009 by Jens Kubieziel