gabriel rosenkoetter on 5 Feb 2004 04:35:03 -0000

[If you know that someone--besides Nelson--participating in tonight's keysigning is not, at present, on the PLUG mailing list, please forward this to them.]

Okay, so you got a slip of paper from a few (or, perhaps, a bunch) of people, and you verified that the name on that slip of paper matched up with the name on a photo ID they showed you with a photograph that more or less resembled. That's great, but it's all physical.

I've tried to make these instructions clear. It sure looks like a lot of text. Please don't be scared: this isn't very complicated, really.

From here, you should:

- Look carefully at those pieces of paper. They'll look something like this:

      pub  1024D/0CF9091A 2001-07-23 gabriel rosenkoetter <gr@eclipsed.net>
           Key fingerprint = 1175 C547 F847 8340 AC62 6C20 F5E8 5A70 0CF9 091A
      uid                  gabriel rosenkoetter <rosenkoetter@pobox.com>
      uid                  gabriel rosenkoetter <gabriel@rosenkoetter.net>
      sub  1024g/E2AD2F4B 2001-07-23 [expires: 2006-01-27]

  The important pieces of information here are the name ("gabriel rosenkoetter"), the email addresses on any additional user IDs (abbreviated uid), the key's fingerprint ("1175 C547 F847 8340 AC62 6C20 F5E8 5A70 0CF9 091A"), and the key ID (keyid), which is listed both somewhat cryptically early on (it's 0CF9091A in this case; the 1024D means that this is a 1024-bit DSA signing key; the 1024g keys are 1024-bit ElGamal encryption keys; a 1024R would imply a 1024-bit RSA signing key, and a 2048r would imply a 2048-bit RSA encryption key) and is also the last eight characters of the key signature.

- Retrieve their PGP public key. (One person at the meeting tonight printed the whole thing, ASCII-armored, for you, but typing that in would be a bit of a pain. :^>) You can do this in several ways, in decreasing order of irritation:

  - Download the PLUG PGP keyring. You can find it here:

        http://www.phillylinux.org/keys/phillylinux.gpg

    Then, do this:

        gpg --import phillylinux.gpg

    This will add a whole bunch of public keys to your keyring. Many of them (mine in particular) are rather out of date. So, if it's not too much trouble to go through another couple of steps here, that'd be appreciated.

  - Retrieve it from a keyserver. I highly recommend sticking to the subkeys.pgp.net DNS round-robin; it's the only cluster of keyservers that will reliably transmit subkeys. This should work:

        gpg --no-default-keyserver --keyserver subkeys.pgp.net \
            --recv-key keyid

    (Replace keyid with that of the key you're trying to retrieve. 0cf9091a, from the example above.)

  - If that doesn't work (not everyone's PGP keys are on keyservers; there are, unfortunately, some good reasons for this; some keyservers mangle certain types of keys), then see if you can find the person's PGP key through something identifying about the paper you've got. (In my case, figuring out that gr@eclipsed.net buys you http://eclipsed.net/~gr/ is enough.)

  - If none of that works, just email the person and ask them to export their public key for you. They'll want to do something like this:

        gpg --export -a keyid > keyid.asc

    keyid.asc will then be an ASCII text file which they should be able to email to you without any trouble. Sending it to you as an attachment would probably be easiest for you, but even with some garbage text around the outside, saving the email as a text file and then importing it as described for phillylinux.gpg above should work.

- Now that you have a copy of their public key in your keyring, you need to verify that nothing shady is going on (either in the transmission of their key or in someone misrepresenting themselves--which I *highly* doubt happened, based on experience). You do that by verifying that the fingerprint of the key you've downloaded matches that on the slip of paper you got from the real person the key represents. Every single character needs to match here. This is the MOST IMPORTANT STEP in keysigning.

  (Verifying just the fingerprint is, mathematically, close enough to verifying every single digit of the key itself that it equates to the same thing. There are 2^320 possible fingerprint values and, with the exception of a couple of implementation errors, there have been no fingerprint collisions, nor should there be for much longer than any of your lives.)

- There's an extra little bit of verification that you could do here. I won't go into it in this email, but if anyone's curious, I'll be glad to explain it. If you're less paranoid than Jeff Abrahamson and I, you probably don't care.

- Satisfied that what you've got on your hard drive really is your keysigning partner's key, you should sign their key. Note that this doesn't mean that you put any inherent trust in arbitrary things that they say, just that you are certifying that you believe that they are who they say they are. You can do this with this command:

      gpg --sign-key keyid

  You will be asked if you're sure you want to sign the key, possibly if you want to sign all userids on the key (I would encourage you to unless the owner of the key has asked differently; signing the extra uids is one of the things that Jeff and I are paranoid about, so if you're worried, just ask about that), and you will need to provide your passphrase (because the act of signing a public key is enciphering a hash of that key with your private key).

- Publicize the fact that you've signed the key. At the very least, you should:

  - Send the signed key back to its owner. Follow the directions for retrieving a key from its owner above, in reverse.

  - Send the key to Mike Leone (turgon@mike-leone.com) so that he can add it to the PLUG public keyring on the web page.

  You can also send the key to a keyserver. As I hinted above, some people may not want you to do this with their key, so you should check with them first. Feel free to send my key to subkeys.pgp.net. I'd rather you didn't send it to any other keyserver (cluster). There are probably copies of it on other keyservers, but that doesn't mean you should send it directly there. (Most of the publicly available keyservers synchronize with each other, and subkeys.pgp.net will avoid scrambling my subkeys when it sends it out to the broken keyservers.)

If this leaves you with questions, don't hesitate to ask before doing anything you don't understand.

Also, hey MIKE LEONE: sign me up for the rest of my PGP talk at the first available slot. June may be taken, but that'd be fine. July would be fine too. (Oh, could you please do me a favor and --recv-key 0cf9091a from subkeys.pgp.net and dump that over phillylinux.gpg, won't you? There's a new uid there. There's also a new REVOKED public subkey there. Please don't sign that one, folks. I'm pretty sure you'd have to go pretty far out of your way to do so, but just in case...)

-- 
gabriel rosenkoetter
gr@eclipsed.net
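An added example, not part of gabriel's message: a small Python script that parses the kind of listing printed on the slips and performs the "most important step" the message describes, checking the downloaded key's fingerprint against the slip so that every hex digit matches (spacing and case ignored, a partial match rejected) and that the slip's own key ID is the tail of its fingerprint. The sample listing is the one from the message; the downloaded fingerprints in the checks are constructed values.

```python
import re

# Constructed sample: the listing printed on a keysigning slip, in the
# "gpg --fingerprint" layout the message shows (values taken from the message).
SLIP_LISTING = """\
pub  1024D/0CF9091A 2001-07-23 gabriel rosenkoetter <gr@eclipsed.net>
     Key fingerprint = 1175 C547 F847 8340 AC62 6C20 F5E8 5A70 0CF9 091A
uid                  gabriel rosenkoetter <rosenkoetter@pobox.com>
uid                  gabriel rosenkoetter <gabriel@rosenkoetter.net>
sub  1024g/E2AD2F4B 2001-07-23 [expires: 2006-01-27]
"""

PUB_RE = re.compile(r"^pub\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8,16})\s+\S+\s+(.*\S)")
FPR_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+?)\s*$")
UID_RE = re.compile(r"^uid\s+(.*\S)")

def parse_listing(text):
    """Extract key size, algorithm letter, key ID, fingerprint and user IDs."""
    info = {"uids": [], "fingerprint": None, "keyid": None}
    for line in text.splitlines():
        if m := PUB_RE.match(line):
            info["bits"], info["algo"] = int(m.group(1)), m.group(2)
            info["keyid"] = m.group(3).upper()
            info["uids"].append(m.group(4))          # primary uid sits on the pub line
        elif m := FPR_RE.search(line):
            info["fingerprint"] = m.group(1).replace(" ", "").upper()
        elif m := UID_RE.match(line):
            info["uids"].append(m.group(1))
    return info

def fingerprints_match(downloaded, on_paper):
    """Every hex digit must match; spacing and case are ignored, and a shorter
    (partial) fingerprint never counts as a match, only the full 40 digits."""
    a = re.sub(r"\s+", "", downloaded).upper()
    b = re.sub(r"\s+", "", on_paper).upper()
    return len(a) == len(b) == 40 and a == b

def keyid_matches_fingerprint(keyid, fingerprint):
    """The key ID on the slip must be the last 8 (or 16) hex digits of the fingerprint."""
    fpr = re.sub(r"\s+", "", fingerprint).upper()
    return len(keyid) in (8, 16) and fpr.endswith(keyid.upper())

def slip_matches_download(slip_text, downloaded_fpr):
    """The check from the message: parse the slip, confirm its key ID and
    fingerprint agree, then compare the downloaded key's fingerprint to it."""
    slip = parse_listing(slip_text)
    return (slip["fingerprint"] is not None
            and keyid_matches_fingerprint(slip["keyid"], slip["fingerprint"])
            and fingerprints_match(downloaded_fpr, slip["fingerprint"]))
```

Feed `slip_matches_download` the fingerprint line of your own `gpg --fingerprint keyid` output for the key you just imported; anything but True means you should not run `gpg --sign-key`.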