gabriel rosenkoetter on Thu, 06 Mar 2003 00:01:07 -0500
Ordinarily, whoever's running the keysigning sends this only to the participants, but it's been a while since it was gone through publicly, so I'm doing it on the list. My apologies if this bores you stiff.

Note that you shouldn't run any of the commands I tell you to run here without first looking at your local manual pages and making sure that I'm not deviously telling you to do something horrific. If you don't use gpg, these commands probably don't apply to you. Check your OpenPGP software's documentation, and if you still can't figure it out, ask here.

What's already happened:

- You have seen photo IDs and verified that the key fingerprints I told you for various people match what those people think their key fingerprints are.

What you SHOULD do now:

- Note that a keyid is listed on the first line of each block of the output for each key on the paper you came away from the meeting with. Failing that, it's (probably) the last eight characters of the key's fingerprint.

- Obtain a copy of the public keys whose fingerprints you've verified. You can do this in a variety of ways:

  - Download http://www.phillylinux.org/keys/phillylinux.gpg. (This is the file that I printed[1].) This won't work for all keys because some of those involved tonight weren't in that file.

  - Retrieve the appropriate key from a keyserver. This won't work for all keys, and some keyservers don't synchronize with others. To try this, do:

        gpg --keyserver <keyserver> --recv-key <keyid>

    You've got a good chance of a response if you use wwwkeys.pgp.net. I prefer keyserver.kjsl.com because it doesn't mangle key blocks including subkeys or those including more than one self-signature.

  - Just email (one of) the address(es) listed with the key and ask for a copy. Ask them to encipher it to YOUR public key. Provide your public key if it's not readily accessible by one of the above methods (or just to be a nice person).
- Verify that the fingerprint of the public key you've obtained matches the fingerprint that you confirmed at the meeting. Do this by running:

      gpg --fingerprint <keyid>

  Then make sure that the key fingerprint displayed matches the one that you verified.

- [optional steps here below]

- If the fingerprint matches, sign the key with:

      gpg --sign-key <keyid>

- Give the signed key back to its owner. Don't do this by sending it to a keyserver without the owner's explicit consent, even if you found it there[2]. The owner wants the output of this command:

      gpg --export <keyid>

  That'll produce binary output on stdout. Redirect it to a file. If you want to see it in ASCII, include --armor (or -a).

What you MAY do now:

- Further verify a given public key by emailing an at least pseudo-random string to the email address listed with the key. If you're really paranoid, email a separate string to each of the keys. Encipher this email to the public key and sign it with your private key. You can base two important things off of this information:

  - How much you believe that the person is who they say they are. (This is faulty because the fact that you got a valid response back from a given email address doesn't mean that the owner of the key is the only person with access to that email address, just that they're the only person with access to their private key and that they *can* receive email at that email address.) This is a question --sign-key will ask you.

  - How much you trust that person's process of verifying OTHER people's keys. The point is not whether they reply to your request, but whether they request this themselves. This affects what GnuPG calls "ownertrust". ownertrust doesn't get set by default; you can change it by using --edit-key.

- Reply to requests for the same. If you don't bother, the other person will probably still sign your key, but the trust selections they make based on it will probably be subject to the above.
What you SHOULD NOT do (ever):

- Sign any key without first verifying its key fingerprint with the owner.

- Store your private key insecurely. This includes storing it on a system where another user has access to your files. This doesn't give them a free pass to your secrets (they still need to figure out your passphrase), but it makes it a lot easier for them to attempt getting that access.

[1] Like how that was printed? I did that with:

    gpg --no-default-keyring --keyring ./phillylinux.gpg --fingerprint \
        | enscript -2r -MLetter --margins=::30:60

You can probably leave off the -M and --margins; I do that because I broke my Ghostscript install and didn't feel like fixing it in the ten minutes I wanted to spend printing and photocopying at work. The two-up magic is -2r and the more general processing of text into Postscript with fun filters magic is enscript. I highly recommend it for many purposes. If you're one of those people who likes proofing code on paper, there's nothing better.

[2] Some people don't want their keys in keyservers at all. Others want them inserted through a particular route. It's best to respect their wishes.

-- 
gabriel rosenkoetter
gr@eclipsed.net
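The "verify the fingerprint, then sign, then export" sequence from the message above, scripted as an added example (this is not code from the original post or from the list). The point it makes concrete is the one rule the message calls out as non-negotiable: no key is signed unless the fingerprint gpg reports is identical to the one checked against photo ID at the meeting. It assumes gpg is on the PATH with your own secret key in the default keyring, that the target key has already been fetched (--recv-key or import), and that the paper fingerprint is pasted in with whatever spacing or letter case the sheet used; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Scripts the message's procedure:
# compare gpg's fingerprint with the one verified in person, sign only on a
# match, then export the signed public key for mailing back to its owner.
# Assumes gpg in PATH and the target key already in the keyring.

# Canonical form of a fingerprint: hex digits only, upper case. Lets a
# fingerprint pasted from the meeting sheet ("1234 5678 ...") compare equal
# to gpg's machine-readable form ("12345678...").
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Exit status 0 only when the two fingerprints are identical after normalization.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Short (eight-character) keyid: the last eight hex digits of the fingerprint,
# as the message says to fall back on when the sheet lists no keyid.
short_keyid() {
    s=$(normalize_fpr "$1")
    printf '%s\n' "${s#"${s%????????}"}"
}

# Fingerprint gpg itself reports for a keyid. --with-colons is gpg's
# machine-readable listing; the "fpr" record carries the fingerprint in
# field 10, and the first one after "pub" is the primary key's.
gpg_fingerprint() {
    gpg --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Sign keyid $1 only if gpg's fingerprint matches the paper one in $2, then
# write the signed, ASCII-armored public key to $3 for mailing to the owner
# (not uploading to a keyserver; see footnote [2] in the message).
verify_sign_export() {
    keyid=$1 expected=$2 outfile=$3
    actual=$(gpg_fingerprint "$keyid")
    if [ -z "$actual" ]; then
        echo "no key $keyid in the keyring; fetch it with --recv-key first" >&2
        return 2
    fi
    if ! fpr_matches "$actual" "$expected"; then
        echo "FINGERPRINT MISMATCH for $keyid, refusing to sign" >&2
        echo "  paper: $(normalize_fpr "$expected")" >&2
        echo "  gpg:   $actual" >&2
        return 1
    fi
    gpg --sign-key "$keyid" || return 1
    gpg --armor --export "$keyid" > "$outfile"
}

# Usage (interactive; gpg prompts before making the signature):
#   verify_sign_export <keyid> "<fingerprint from the meeting sheet>" signed-key.asc
```

The mismatch branch prints both fingerprints in normalized form so a transcription error on the sheet is distinguishable from a key that genuinely differs from the one whose owner you met; in either case the right outcome is the same, no signature.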