Because of the great success of the PGP keysigning non-parties during the previous SANE conferences, we continue this tradition. A PGP keysigning non-party aims to achieve a goal similar to that of the so-called "PGP keysigning party", but in an entirely different way.
Recent versions of PGP (and GPG) contain facilities for encrypting disks and for setting up Virtual Private Networks. Most people, however, know Pretty Good Privacy mainly as the de facto standard for communicating confidentially across the open Internet. Good manuals for PGP are included with the source code distributions. An excellent starting point for finding out what's going on is www.gnupg.org.
The traditional purpose of a so-called PGP keysigning party is to establish the ownership of PGP keys. When you meet someone in person, and he shows you his passport and he confirms that some PGP key is his, this allows you to `sign' that key. Other users of PGP, who were not present during this event, may decide to rely on your identification. For this reason conferences where many people from different countries meet are good places to extend the Web of Trust.
In the traditional keysigning party, all people get together in a room to see each other confirming their keys and passports. The growth of SANE starts making this rather impractical.
We want to avoid the time-consuming hassle of verifying passports and PGP fingerprints by introducing the services of two Trusted Third Parties, being Teun Nijssen of Tilburg University and the NLUUG. Teun Nijssen runs the SURFnet Policy Certification Authority (see http://pki.surfnet.nl/) and the SURFnet keyserver. He also is a member of SURFnet's Computer Emergency Response Team CERT-NL, and he played a role in making available PGP source code outside the USA by involvement in the source code book scanning effort.
Teun will run a so called PGP key signing non-party during SANE.
Here are the rules of the game:
Any delegate who wishes to have his personal key signed by others, should bring on paper a printout (see below) of his PGP/GPG key. The key needs to be self-signed and your true name that appears in your passport has to be in the user-id; mail-addresses are advised but not obligatory. Mickey Mouse type aliases are rejected. Modern PGP/GPG keys using DSS/DH are accepted as well as old RSA/MD5 keys. The minimum length of a key is 1022 bits.
To make the printout of your key, please point your WWW browser at http://pki.surfnet.nl/extract.html and `extract' the key with `verbose index' and `show fingerprints' selected. (If you didn't ever do so before, first `submit' your key to the server).
An example of the intended format is the page: http://minsky.surfnet.nl:11371/pks/lookup?op=vindex&search=Teun.Nijssen&fingerprint=on
If you have multiple keys, or if a key has multiple user-ids (e-mail addresses), clearly mark which user-id is to be signed.
Optionally, write also the following sentence:
Hand over the piece of paper to Teun. He will be introduced to the conference early on Thursday and he will be around in the registration area, but during the rest of the conference is also fine. Bring your passport for identification and offer a beer if you bring the paper after 5 PM (any timezone allowed).
Keys that are accepted by Teun (length and name correct; paper format correct; passport with photo checked) will be retrieved and signed by him after the conference. By default Teun will use the following key for the signature. Note that this key bears a so called 'trusted introducer signature' by Phil Zimmermann, the author of PGP.

    Type bits/keyID    Date       User ID
    pub  1024/66A74B31 1998/11/01 Teun Nijssen <teun.nijssen@kub.nl>
         Key fingerprint B4 1E 25 DA A7 54 B8 A8 C3 0C D8 20 D7 8C BC E5 66 A7 4B 31

Accepted keys from people who explicitly request a PGP 2.6 signature with an RSA key will be signed by this key:

    Type bits/keyID    Date       User ID
    pub  1024/0679ED91 1993/02/02 teun.nijssen@kub.nl
         Key fingerprint = 61 C5 B0 E5 D9 0B 5A 33 09 E4 52 EC CD EA 6F 2D

All keys signed by Teun will be submitted back to the keyservers.
In addition, the keys of those people who asked for signatures from as many delegates as possible will be made available as a downloadable keyring on the Web. If people feel confident that the identification process described above is as careful as, or better than, the traditional keysigning party, they are in this way able to put their signatures on the keys already signed by the Trusted Third Party.
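The following Python code is an added example, not part of the original announcement or of any SURFnet tooling. It parses a key listing in the format printed above and checks it against the stated rules: the 1022-bit minimum and, for 20-byte fingerprints, that the short key ID equals the last four bytes of the fingerprint. The function names are assumptions of the example, and `SAMPLE` is constructed from the two listings on this page.

```python
import re

MIN_BITS = 1022  # minimum key length stated in the rules above

# Constructed sample input: the two key listings printed on this page.
SAMPLE = """\
pub 1024/66A74B31 1998/11/01 Teun Nijssen <teun.nijssen@kub.nl>
Key fingerprint B4 1E 25 DA A7 54 B8 A8 C3 0C D8 20 D7 8C BC E5 66 A7 4B 31
pub 1024/0679ED91 1993/02/02 teun.nijssen@kub.nl
Key fingerprint = 61 C5 B0 E5 D9 0B 5A 33 09 E4 52 EC CD EA 6F 2D
"""

PUB = re.compile(r"^pub\s+(\d+)/([0-9A-Fa-f]{8})\s+(\d{4}/\d{2}/\d{2})\s+(.+)$")
FPR = re.compile(r"^Key fingerprint\s*=?\s*((?:[0-9A-Fa-f]{2}\s*)+)$")


def parse_listing(text):
    """Return one dict per 'pub' line, with the fingerprint line that follows it."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if m := PUB.match(line):
            keys.append({"bits": int(m[1]), "keyid": m[2].upper(),
                         "date": m[3], "uid": m[4], "fpr": ""})
        elif (m := FPR.match(line)) and keys:
            keys[-1]["fpr"] = "".join(m[1].split()).upper()
    return keys


def check_key(key):
    """Return a list of problems; an empty list means the printout is consistent."""
    problems = []
    if key["bits"] < MIN_BITS:
        problems.append(f"key is {key['bits']} bits, minimum is {MIN_BITS}")
    n = len(key["fpr"]) // 2
    if n == 20:
        # 20-byte (SHA-1) fingerprint: the short key ID is its low-order 32 bits.
        if not key["fpr"].endswith(key["keyid"]):
            problems.append("key ID does not match the end of the fingerprint")
    elif n == 16:
        # 16-byte (MD5) fingerprint of an old RSA key: the key ID is taken from
        # the RSA modulus, so it cannot be cross-checked against the fingerprint.
        pass
    else:
        problems.append(f"unexpected fingerprint length: {n} bytes")
    return problems
```

For old RSA/MD5 keys the printed key ID says nothing about the fingerprint, so all 16 fingerprint bytes on the paper must be compared against the retrieved key.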
Hope to see you in Amsterdam,
Teun Nijssen
Last modified: Wed, 18 Aug 2004 17:02:53 +0200