Dear delegates to SANE 2000,

In previous SANE conferences a so called PGP key signing party was organized. This year SANE aims to achieve a similar goal in an entirely different way.

Recent versions of PGP contain facilities for encrypting disks and for setting up Virtual Private Networks. Most people however know Pretty Good Privacy mainly as the de-facto standard for communicating confidentially across the open Internet. Good manuals for PGP are included with the source code distributions. An excellent starting point for finding what's going on is www.pgpi.com

The traditional purpose of a so called PGP key signing party is to establish the ownership of PGP keys. When you meet someone in person, and he shows you his passport and he confirms that some PGP key is his, this allows you to `sign' that key. Other users of PGP, who were not present during this event may decide to rely on your identification. For this reason conferences were many people from different countries meet are good places to extend the Web of Trust.
In the traditional keysigning party, all people get together in a room to see each other confirming their keys and passports. The growth of SANE starts making this rather impractical.

We want to avoid the time consuming hassle of verifying passports and PGP fingerprints by introducing the services of a Trusted Third Party, being Teun Nijssen of Tilburg University. Teun Nijssen runs the SURFnet Policy Certification Authority (see http://pki.surfnet.nl/) and the SURFnet keyserver. He also is a member of SURFnet's Computer Emergency Response Team CERT-NL, and he played a role in making available PGP source code outside the USA by involvement in the source code book scanning effort.
Teun will run a so called PGP key signing non-party during SANE.

Here are the rules of the game:

• Any delegate who wishes to have his personal key signed by others, should bring on paper a printout (see below) of his PGP key. The key needs to be self-signed and your true name that appears in your passport has to be in the user-id; mail-addresses are advised but not obligatory. Mickey Mouse type aliases are rejected. Modern PGP keys using DSS/DH are accepted as well as old RSA/MD5 keys. The minimum length of a key is 1022 bits.

  To make the printout of your key, please point your WWW browser at http://pki.surfnet.nl/extract.html and `extract' the key with `verbose index' and `show fingerprints' selected. (If you didn't ever do so before, first `submit' your key to the server).

  An example of the intended format is the page: http://horowitz.surfnet.nl:11371/pks/lookup?op=vindex&search=Teun.Nijssen&fingerprint=on

  If you have multiple keys, or if a key has multiple user-ids (email adresses), clearly mark which user-id is to be signed.

• On the page please write one of the following sentences:
  • please sign this key by as many conference attendees as possible
  • please sign this key only by Teun

• Hand over the piece of paper to Teun. He will be introduced to the conference early on Wednesday and he will be around in the the registration area, but during the rest of the conference is also fine. Bring your passport for identification and offer a beer if you bring the paper after 5 PM (any timezone allowed).

• Keys that are accepted by Teun (length and name correct; paper format correct; passport with photo checked) will be retrieved and signed by him after the conference. Teun will use the following key for the signature. Note that this key bears a so called `trusted introducer signature' by Phil Zimmermann, the author of PGP.

     pub  1024/66A74B31 1998/11/01 Teun Nijssen <teun.nijssen@kub.nl>
     Key fingerprint  B4 1E 25 DA A7 54 B8 A8  C3 0C D8 20 D7 8C BC E5  66 A7 4B 31
  

  All keys signed by Teun will be submitted back to the keyservers.

In addition, the keys of those people who asked for signatures from as many delegates as possible will be made available as a downloadable keyring on the Web. If people feel confident that the identification process described above is as careful or better as the traditional keysigning party, they are in this way able to put their signatures on the keys already signed by the Trusted Third Party.

Hope to see you in Maastricht,

Teun Nijssen