Keysigning in Buenos Aires

View the Project on GitHub oerdnj/dns-oarc-keysigning

Where?

As part of the DNS-OARC 24 and IETF 95 Conference in Buenos Aires, Argentina there will be OpenPGP (pgp/gpg) keysignings.

When?

Ondřej Surý will announce the time and venue of a discussion/information session about the keysigning during DNS-OARC 24 (and IETF) in particular and modern cryptography in general. It will be followed by a number of keysignings of small groups of people.

What is keysigning and why do it

A keysigning party or meeting is a get-together of at least two individuals who use the PGP encryption system with the purpose of allowing them to sign each others keys. Keysigning parties serve to extend the web of trust (WoT) to a great degree. A useful metric of the WoT is the mean shortest distance (MSD) of a key.

Please read chapters one and two of the GnuPG Keysigning Party HOWTO (note: we are doing the party differently, so the other chapters do not apply completely).

IMPORTANT: The keysigning party aims to verify that the person matches the key, so it doesn't make sense to validate various organizational keys. Thereby I am going to reject any non-personal keys (f.e. something like "DNS-OARC Key").

Don't you have a strong key yet?

We should be moving to GPG keys with stronger ones using SHA256 or better. Please read f.e.:

https://lists.debian.org/debian-devel-announce/2010/09/msg00003.html

The process to create a new key is documented at http://keyring.debian.org/creating-key.html.

If you plan to migrate your WoT, you should read "HOWTO prep for migration off of SHA-1 in OpenPGP" at https://www.debian-administration.org/users/dkg/weblog/48 by dkg.

You are also welcome to submit a second key using Ed25519 algorithm, read f.e.: http://www.gniibe.org/memo/software/gpg/keygen-25519.html

You will need at least GnuPG version 2.1.0 to have Ed25519 support, and it's often found as gpg2 command on various Linux distributions. You can check your GnuPG version using --version argument:

$ gpg2 --version
gpg (GnuPG) 2.1.11
libgcrypt 1.6.5
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

$ gpg1 --version
gpg (GnuPG) 1.4.20
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Check your key and fix any problem with your key

Please read the document "OpenPGP Best Practices" by dkg which is available at https://help.riseup.net/en/security/message-security/openpgp/best-practices. Its OpenPGP key checks have been implemented by Clint Adams (clint) in the Debian package hopenpgp-tools and dkg's recommended settings has been put together in a gpg.conf file by Jacob Appelbaum (error). Please check your key with clint's hokey lint command and use error's gpg.conf file as explained in dkg's document.

How will the keysigning happen?

The keysignings will be based on the Efficient Group Key Signing Method by Len Sassaman and Phil Zimmermann which is a protocol to do keysignings in a way that is faster than the way many people may be familiar with.

The keysigning steps follow.

Please use caff to sign keys, one of the scripts of pgp-tools. The scripts are also available as the debian package signing-party.

Downloads

Summary

What to bring with you

Questions

If you have questions please send them to [email protected].

Thanks

Special thanks goes to Benjamin Mako Hill who provided the scripts and text used at DebConf4, Peter Palfrader who provided the scripts and text used at DebConf3 and LinuxTag (2003 and 2004) whose reuse made putting together this keysigning easy and possible, and Daniel Kahn Gillmor and Anibal Monsalve Salazar for doing this at DebConf15.