[Nolug] PGP Key Signing

From: Peter Kahle <pkahle_at_pobox.com>
Date: Fri, 17 May 2002 10:12:16 -0500
Message-ID: <20020517151216.GB23958@loki.kaosklan.net>

OK, for next month's keysigning, what I need from each of you is, sent
to the list, and signed with your key, the output of
gpg --fingerprint <your-key-id>

For example, for me:

pkahle@loki:~$ gpg --fingerprint 69a38ade
pub 1024D/69A38ADE 1997-08-25 Peter M Kahle Jr. <pkahle@pobox.com>
     Key fingerprint = 586E FC67 E2F7 96B7 0FA1 078E D685 D397 69A3 8ADE
sub 2048g/F90C32E9 1997-08-25

If you don't have a key, you can generate one using gpg with the
command:
gpg --gen-key

Also, if your key hasn't been uploaded to the keyservers, and for
whatever reason you don't want it uploaded, you can send it directly to
me. I'll be facilitating the whole thing, and will make sure everyone
gets it right before the next meeting, and that everyone knows not to
upload it to the servers.

Then, what'll happen at the meeting is this. You should bring your own
printed copy of your PGP key fingerprint. I'll hand out lists of
everyone's fingerprints with two checkboxes next to it. Depending on the
number of people there, we'll either have each person get up and read
off their personal copy of their fingerprint, and everyone else verifies
that it matches what they see on the sheet. If it does, you check the
"Fingerprint" checkbox. Then everyone will mingle around and check ID to
verify that the name on the key actually matches the name on their
driver's license (that's usually good enough, if you want to bring more
info you can, and if anyone requires more info to sign a key, they
should let me know.) Also, version 1.0.7 of gnupg has finally
implemented a feature of the PGP/MIME standard that allows for classes
of signatures, so if anyone has a key using an alias instead of their
real name, and would like to keep it that way, I'm now willing to sign
your key with one of the classes. (there are 4 types, from within gpg
they are:
How carefully have you verified the key you are about to sign actually
belongs to the person named above? If you don't know what to answer,
enter "0".

   (0) I will not answer. (default)
   (1) I have not checked at all.
   (2) I have done casual checking.
   (3) I have done very careful checking.
   
I'm not really sure if I'll use 1 or 2 for someone who I've met in
person and I can confirm that the person who has the key, but they don't
have their name on it.

Which brings up another thing I like, but I'm not going to force people
to use. At the meeting I'll probably also provide a space for each
person to enter a "password" or shared secret for use with each user.
Then I would send a signed and encrypted message to each user with the
password I gave them (yes, it's a paperwork nightmare, and works much
better for single-person signing. I'm still torn on whether to use it or
not for signing parties. Probably depends on the number of people. And
I'll probably use it for people who don't want their names associated
with their keys.)

Anyway, much longer-winded than I planned. If anybody has any questions,
let me know. Also, could folks let me know if their mail program
interprets the signature on this message correctly by default? I know
mutt does, I'm pretty sure Evolution does, but I don't know about
others.

Later,
P

-- 
Those who would give up essential Liberty to purchase a little temporary 
safety, deserve neither Liberty nor safety.
					-- Ben Franklin
|| Peter M Kahle Jr              ||     PGP Public Key on Keyservers     ||
|| pkahle@pobox.com              ||   http://www.kahlilia.org/~pkahle/   || 
##===============================##======================================##


Received on 05/18/02
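
The facilitator's pre-meeting step described in the message (collect each `gpg --fingerprint` output, sanity-check it, print a sheet with two checkboxes per key), sketched in Python as an added example that is not part of the original post. It assumes the GnuPG 1.x output layout quoted in the message; all function names are hypothetical.

```python
import re

# Sample submission: the `gpg --fingerprint` output quoted in the message above.
SUBMISSION = """\
pub 1024D/69A38ADE 1997-08-25 Peter M Kahle Jr. <pkahle@pobox.com>
     Key fingerprint = 586E FC67 E2F7 96B7 0FA1 078E D685 D397 69A3 8ADE
sub 2048g/F90C32E9 1997-08-25
"""

PUB_RE = re.compile(r"^pub\s+\d+[A-Za-z]/([0-9A-Fa-f]{8})\s+\d{4}-\d{2}-\d{2}\s+(.+)$")
FPR_RE = re.compile(r"^\s*Key fingerprint = ([0-9A-Fa-f ]+?)\s*$")

def normalize(fpr):
    """Strip spacing and case so printed, typed and read-aloud forms compare equal."""
    return re.sub(r"\s+", "", fpr).upper()

def parse_submission(text):
    """Return one dict per 'pub' entry found in the submitted output."""
    keys = []
    for line in text.splitlines():
        pub, fpr = PUB_RE.match(line), FPR_RE.match(line)
        if pub:
            keys.append({"keyid": pub.group(1).upper(),
                         "uid": pub.group(2).strip(), "fpr": None})
        elif fpr and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = normalize(fpr.group(1))
    return keys

def problems(key):
    """Consistency checks the facilitator can run before printing the sheet."""
    fpr = key["fpr"]
    if fpr is None:
        return ["no fingerprint line"]
    if len(fpr) != 40:
        # 40 hex digits = 160-bit v4 fingerprint; 32 would be an old v3 (MD5) key
        return ["fingerprint has %d hex digits, expected 40" % len(fpr)]
    if fpr[-8:] != key["keyid"]:
        # For v4 keys the short key ID is the last 32 bits of the fingerprint
        return ["key ID does not match fingerprint tail"]
    return []

def sheet_row(key):
    """One checklist entry: the two checkboxes, then the key and its fingerprint."""
    groups = " ".join(key["fpr"][i:i + 4] for i in range(0, len(key["fpr"]), 4))
    return "[ ] Fingerprint  [ ] ID  %s  %s\n    %s" % (key["keyid"], key["uid"], groups)

def matches_sheet(key, read_aloud):
    """True only if every hex digit of the owner's own copy matches the sheet."""
    return normalize(read_aloud) == key["fpr"]
```

The key ID check only catches copy-and-paste mistakes in a submission; the full-fingerprint comparison against the owner's own printed copy at the meeting is what ties the key to the person.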
