Eric J. Roode on 3 Feb 2005 15:45:26 -0000
This message is for those who participated in the GPG keysigning last night. I'm sending it to the whole list because there are at least a couple of participants whose email addresses I didn't get. Everyone else may ignore this message.

To participants: I hope you had fun and got the chance to meet some new people -- I know I did! The instructions that follow are long, but don't let that daunt you -- I tend to be verbose, and I want to explain each step in detail.

Okay, you all now have a bunch of slips of paper with other people's fingerprints and email addresses. And hopefully you have verified each person's identity, so you're confident that nobody's pulling a fast one. :-)

The next step is for you to download everyone's key from the PLUG website:

    http://www.phillylinux.org/keys/phillylinux.gpg

You'll probably want to keep this in a separate file from your own keyring -- unless you really want to import the key of every PLUG member, past and present, who has added their key to the keyring!

Next, for each person whose key you wish to sign, list that person's fingerprint, and verify that it matches the fingerprint that was handed to you by that person last night. THIS IS THE MOST IMPORTANT STEP! The most vulnerable point in public-key encryption systems (such as GPG) is the electronic transmission of the public keys. Don't trust what you download from anywhere or receive in an email; trust the paper that was given to you.

To list a key's fingerprints, use the following command (assuming you're using GPG; if you're using PGP, consult your documentation, because there are several variants of that program). In place of "WHO", use some portion of any one of the user's names or email addresses, or use the hexadecimal key id, like 0x1E4CD1E8.

    gpg --no-default-keyring --keyring ./phillylinux.gpg --fingerprint WHO

For example, for historical reasons, I'm usually known as "sdn" online. To display the fingerprint of the key that you downloaded which purports to be my key, do this:

    gpg --no-default-keyring --keyring ./phillylinux.gpg --fingerprint sdn

If the fingerprint matches, congratulations -- the odds that you downloaded a fraudulent key are 1 in 2^128 :-) If it doesn't, we have a problem, and you should contact the PLUG list so we can see what's going on.

Now for the first optional step. You now know that you hold the key that is associated with the person whose identity you verified last night. What you don't know for certain is that that person actually is associated with the email addresses that are claimed by the key's IDs. (Nothing stops me from claiming to be bgates@microsoft.com, for example.) It's unlikely that someone would put a fake email address on their gpg key (what would be the point?), but it is possible, so you may verify the email addresses as follows:

Send a message to each of the key's email addresses. The message you send should be encrypted (so it can only be decrypted with that key), and it should contain some random phrase, word, or question. Nothing elaborate; you just need to verify that the recipient can decrypt the message. Something like "Hi, nice to meet you at the keysigning. Please send me an encrypted reply that contains the word POTATOES, and I'll reply with your signed key. Thanks!" When you get the proper reply, you're ready to sign.

To do the actual signing, take the following steps. Enter the command

    gpg --no-default-keyring --keyring ./phillylinux.gpg --edit-key WHO

Again, replace "WHO" with the identifier of the key you're signing. The above command puts you in the "key editor", and lists the user IDs for that key. Each one is numbered. For each user ID that you want to sign, type its number and hit enter. An asterisk will be toggled next to each number that you select. Then type "sign" and hit enter. You'll be prompted for your private key's password, since you're performing a signing operation. Then type "quit" to exit.

Finally, export the key to a text file so you can mail it back to its owner (this is one command line):

    gpg --no-default-keyring --keyring ./phillylinux.gpg --armor --export WHO >WHO.key

Here's the other optional step. Now that you know that you have the person's genuine public key, you may want to import it to your own personal keyring. If so, this is the command:

    gpg --import WHO.key

where "WHO.key" is the file you created in the previous step.

Now mail the key file to the owner at any one of the various email addresses you verified. Also, please email it to me (at any of my addresses, but I'd prefer the gmail.com one), so I can add it to the master copy of the PLUG keyring. You should (of course) send the email message signed and encrypted, since you now have established secure two-way communications!

And finally, thanks for participating!

========================================================================
Eric J. Roode                          eroode@transcontinentaldirect.com
Unix/Perl Developer, Transcontinental Direct           +1 (215) 965-1518
$_ = reverse sort $ / . r , qw p ekca lre uJ reh ts p , map $ _ . $ " , qw e p h tona e and print

Attachment: signature.asc
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
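The fingerprint check and signing steps described in the message above, as an added shell example that is not part of the original post: it reads gpg's machine-readable `--with-colons` output, compares the primary-key fingerprint against the one copied from the paper slip, and only then signs and exports the key. It assumes the `./phillylinux.gpg` keyring named in the post; the `normalize_fpr`, `fprs_from_colons`, `fpr_matches` and `verify_and_sign` function names are mine, and gpg's one-shot `--sign-key` command stands in for the interactive `--edit-key` session the post walks through.

```shell
#!/bin/sh
# Added example, not from the original post: refuse to sign a downloaded
# key unless its fingerprint equals the one on the paper slip.
# Assumes the ./phillylinux.gpg keyring named in the post and a gpg that
# supports --with-colons machine-readable output.

KEYRING=./phillylinux.gpg

# Normalize a fingerprint typed from the slip: drop whitespace, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Pull fingerprints out of --with-colons output: field 10 of each "fpr"
# record (the first record is the primary key, later ones are subkeys).
fprs_from_colons() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10 }'
}

# Return 0 only if the slip's fingerprint equals the primary-key fingerprint.
fpr_matches() {
    paper=$(normalize_fpr "$1")
    primary=$(fprs_from_colons "$2" | head -n 1)
    [ -n "$primary" ] && [ "$paper" = "$primary" ]
}

# The signing and export steps from the post, gated on the check above.
# gpg --sign-key still prompts for confirmation and your passphrase.
verify_and_sign() {
    who=$1
    paper_fpr=$2
    colons=$(gpg --no-default-keyring --keyring "$KEYRING" \
                 --with-colons --fingerprint "$who") || return 1
    if ! fpr_matches "$paper_fpr" "$colons"; then
        echo "fingerprint mismatch for $who: NOT signing" >&2
        return 1
    fi
    gpg --no-default-keyring --keyring "$KEYRING" --sign-key "$who" &&
        gpg --no-default-keyring --keyring "$KEYRING" \
            --armor --export "$who" > "$who.key"
}

# Constructed sample of --with-colons output (not a real key) for a self-test.
SAMPLE_COLONS='pub:u:1024:17:0123456789ABCDEF:2005-02-03:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::2005-02-03::::Example User <user@example.invalid>:'

# Usage: verify_and_sign sdn "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
```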