dc.sage Keysigning Sessions

One of the by-products of the monthly key signing sessions will be a list of fingerprint/userid associations , which you can use to verify the keys of a dc.sage member who was not present at a meeting. We won't add a fingerprint/userid to the list until we have received it (physically) from the person whom we believe to own the userid and name...the copies handed out at meetings will also have a contact phone number, so you can verify the fingerprint in person if you are extremely cautious. The phone numbers will not appear on the WWW pages.

What to Bring to a Key Signing Session

• Yourself, and some evidence that you truly are whom you believe to be. This can be a picture ID, or someone else at the meeting who knows you and who can vouch for your identity (only your identity). It would help if that person was known by someone else at the meeting, etc. The ID thing is usually trivial since most meetings are extremely social and amicable.
  
• Several copies (one for each potential participant) of the following information, on a hard-copy piece of paper:
  
  (1)Your full name (or the moniker you use with your E-mail).
  
  (2)Your preferred E-mail address for receiving mail.
  
  (3)A daytime phone number [optional ... but if something goes wrong, or if a previous signer can't make a meeting, this will let folks verify your fingerprint].
  (4)Your PGP key fingerprint with ALL the userids on it. If you have only one userid (E-mail address) on your public key, then you don't have to worry about this ... use the command:
  pgp -kvc
  . If you have multiple userids on the same key, you MUST display the fingerprint with the hex value of your key number, or you might miss some:
  pgp -kvc 0x''
  This is what my piece of paper looks like:

      Rob Jenson
      robjen@access.digex.net
      (301) 555-1212
  
      Type bits/keyID    Date       User ID
      pub  1717/E7A75FC9 1995/10/25 Rob Jenson 
            Key fingerprint =  D8 4E 05 2D 98 1B D5 79  D1 27 AB A3 93 E5 75 25 
                                Rob Jenson 
                                Rob Jenson 
  

  You can probably make all of it fit on the back of your business card. You can also put your picture on it if you really want to be kludgey.

  
  
• If your PGP public key is not available from the MIT PGP keyserver ( http://www-swiss.ai.mit.edu/~bal/pks-toplev.html), you will have to bring your actual key on a floppy disk ( DOS, Win95, or SunOS format please), or you can E-mail (ASCII-armored) it to me You should extract your public key into a file, then send it to me in a message that is encrypted with my public key.
• Please be sure that your PGP key is self-signed ... otherwise, it is invalid (or technically ... it is vulnerable to attack, so we don't want to deal with it). The correct way to generate your own key is to execute the following commands, in rapid succession:

  
      pgp -kg                                 # generate your new key
      pgp -ks  -u   # sign it
  
  

  You can view all the signatures on your public key with the command:
  pgp -kvv

How the Keysigning will Go

This is how the keysigning will go (for those who care to participate):

(1) Each participant, in turn, hands out a copy of their information
   to all other participants, the facilitator, and the
   alternate facilitator.

(2) Each participant, in turn, reads out their fingerprint and E-mail
   addresses, and verbally attests that the information pertains to
   him/her, and that they are willing to sign the public keys for
   everyone else.  Showing a picture ID, or getting another
   participant who has already been identified to vouch for you is
   good, unless everyone knows you.  If anyone isn't sure about the
   identity of a participant, this is a good time to ask.

(3) The facilitator's alternate will read out his/her fingerprint and
    E-mail address, etc.

(4) The facilitator will read out his/her fingerprint and E-mail
    address, etc.  [ We are assuming that the facilitator and
    alternate are known to the group, and their public keys are easily
    available to everyone (i.e., on the public keyserver, or by
    finger, etc).

(5) The facilitator will take all the information home, obtain the
    keys, verify the fingerprints against the keys, and sign all the
    keys.

(6) The alternate will also take all the information home, obtain the
    keys, verify the fingerprints against the keys, and sign all the
    keys.

(7) The facilitator will send a copy of the keyring containing all
    participants' keys, signed by him/herself and the alternate, to
    each participant.  The entire keyring will be sent in a signed and
    encrypted package for the recipient (for practice).

(8) Each participant will verify each key on the keyring, sign it, and
    send the signed key to the facilitator and the owner of that key.

(9) The facilitator will send out (an) updated copy(s) of the keyring
    containing all the signed keys to the participants, and update the
    dc.sage keyring (available from the web pages).

(10) Each participant can decide how many of the signatures to keep on
    their "casual" public key, and their "dress" public key.  Me
    personally, I'm collecting signatures until my "dress" public key gets
    ridiculously long (and so I'll have to create a "casual" key).
    YMMV.

Return to the SAGE home page.

---

Author: Rob Jenson
Last Revised: $Date: 1997/01/23 14:40:57 $ $Revision: 1.3 $
dc.sage gratefully acknowledges the sponsorship of Heller Information Services for this and other Internet services.
This document is © copyright 1996 dc.sage. All Rights to use of and reproduction of the content is granted freely to all members of dc.sage. All other rights reserved.
These pages maintained by: The dc.sage Web Folks.