[Nolug] PGP Key Signing Info

From: Peter Kahle <pkahle_at_pobox.com>
Date: Fri, 17 May 2002 14:29:37 -0500
Message-ID: <20020517192937.GD23958@loki.kaosklan.net>

<sorry if this comes thru twice. Right now it's bouncing on
nolug@nolug.org because of a DNS problem, so I'm sending it thru the
nolug@patientcarerx.com because I think that'll work right.>

OK, for next month's keysigning, what I need from each of you is, sent
to the list, and signed with your key, the output of
gpg --fingerprint <your-key-id>

For example, for me:

pkahle@loki:~$ gpg --fingerprint 69a38ade
pub 1024D/69A38ADE 1997-08-25 Peter M Kahle Jr. <pkahle@pobox.com>
     Key fingerprint = 586E FC67 E2F7 96B7 0FA1 078E D685 D397 69A3 8ADE
sub 2048g/F90C32E9 1997-08-25

If you don't have a key, you can generate one using gpg with the command:
gpg --gen-key

Also, if your key hasn't been uploaded to the keyservers, and for whatever
reason you don't want it uploaded, you can send it directly to me. I'll
be facilitating the whole thing, and will make sure everyone gets it
right before the next meeting, and that everyone knows not to upload it
to the servers.

Then, what'll happen at the meeting is this. You should bring your
own printed copy of your PGP key fingerprint. I'll hand out lists of
everyone's fingerprints with two checkboxes next to it. Depending on the
number of people there, we'll either have each person get up and read
off their personal copy of their fingerprint, and everyone else verifies
that it matches what they see on the sheet. If it does, you check the
"Fingerprint" checkbox. Then everyone will mingle around and check ID
to verify that the name on the key actually matches the name on their
driver's license (that's usually good enough, if you want to bring more
info you can, and if anyone requires more info to sign a key, they should
let me know.) Also, version 1.0.7 of gnupg has finally implemented a
feature of the PGP/MIME standard that allows for classes of signatures,
so if anyone has a key using an alias instead of their real name, and
would like to keep it that way, I'm now willing to sign your key with
one of the classes. (there are 4 types, from within gpg they are:

How carefully have you verified the key you are about to sign actually
belongs to the person named above? If you don't know what to answer,
enter "0".

    (0) I will not answer. (default)
    (1) I have not checked at all.
    (2) I have done casual checking.
    (3) I have done very careful checking.

I'm not really sure if I'll use 1 or 2 for someone who I've met in person
and I can confirm that the person who has the key, but they don't have
their name on it. Which brings up another thing I like, but I'm not
going to force people to use. At the meeting I'll probably also provide
a space for each person to enter a "password" or shared secret for use
with each user. Then I would send a signed and encrypted message to
each user with the password I gave them (yes, it's a paperwork nightmare,
and works much better for single-person signing. I'm still torn on whether
to use it or not for signing parties. Probably depends on the number of
people. And I'll probably use it for people who don't want their names
associated with their keys.)

Anyway, much longer-winded than I planned. If anybody has any questions,
let me know. Also, could folks let me know if their mail program
interprets the signature on this message correctly by default? I know
mutt does, I'm pretty sure Evolution does, but I don't know about others.

Later,
P

-- 
Those who would give up essential Liberty to purchase a little temporary 
safety, deserve neither Liberty nor safety.
					-- Ben Franklin
|| Peter M Kahle Jr              ||     PGP Public Key on Keyservers     ||
|| pkahle@pobox.com              ||   http://www.kahlilia.org/~pkahle/   || 
##===============================##======================================##

___________________
Nolug mailing list
nolug@nolug.org

Received on 05/17/02
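
The fingerprint-collection step described in the message, as an added example that is not part of the original post: it parses each member's `gpg --fingerprint` output, rejects a submission whose key ID does not match the end of its fingerprint, and prints a handout with the two checkboxes. The function names are hypothetical, the sample input is the output quoted in the message, and it assumes the signature on each submission was already verified and that all keys are v4 keys (40 hex digit fingerprints).

```python
import re

# Constructed input: the `gpg --fingerprint` output format quoted in the message.
SAMPLE = """\
pub 1024D/69A38ADE 1997-08-25 Peter M Kahle Jr. <pkahle@pobox.com>
     Key fingerprint = 586E FC67 E2F7 96B7 0FA1 078E D685 D397 69A3 8ADE
sub 2048g/F90C32E9 1997-08-25
"""

PUB_RE = re.compile(r"^pub\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8})\s+\d{4}-\d{2}-\d{2}\s+(.+)$")
FPR_RE = re.compile(r"^\s*Key fingerprint = ([0-9A-Fa-f ]+)$")

def parse_submission(text):
    """Parse one member's submission; raise ValueError if it is inconsistent."""
    key = None
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            key = {"bits": int(m[1]), "algo": m[2], "keyid": m[3].upper(),
                   "uid": m[4].strip()}
        elif key is not None and "fingerprint" not in key:
            m = FPR_RE.match(line)
            if m:
                key["fingerprint"] = "".join(m[1].split()).upper()
    if key is None or "fingerprint" not in key:
        raise ValueError("no pub line followed by a fingerprint line")
    # Assumption: v4 keys only (40 hex digit fingerprint whose tail is the key ID).
    if len(key["fingerprint"]) != 40:
        raise ValueError("fingerprint is not 40 hex digits")
    if not key["fingerprint"].endswith(key["keyid"]):
        raise ValueError("key ID does not match the end of the fingerprint")
    return key

def render_sheet(submissions):
    """Build the handout: two checkboxes per key, sorted by user ID."""
    keys = sorted(map(parse_submission, submissions), key=lambda k: k["uid"].lower())
    if len({k["fingerprint"] for k in keys}) != len(keys):
        raise ValueError("the same fingerprint was submitted twice")
    rows = []
    for k in keys:
        f = k["fingerprint"]
        grouped = " ".join(f[i:i + 4] for i in range(0, 40, 4))
        rows.append(f"[ ] Fingerprint  [ ] ID   {k['uid']}")
        rows.append(f"    {k['bits']}{k['algo']}/{k['keyid']}  {grouped}")
    return "\n".join(rows)

if __name__ == "__main__":
    print(render_sheet([SAMPLE]))
```

The sheet only saves retyping; the check that counts is still each owner reading the fingerprint from their own printed copy at the meeting.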
