[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[apops] PGP Key Signing Party at APNIC Meeting in Taipei
Thanks to Randy Bush and Bill Manning for offering to help with this.
Attached is the announcement of the PGP key signing party to be held
tomorrow evening. I hope everyone at APNIC's conference will be able to
participate.
philip
--
APNIC 2001, Taipei, August 28-31 2001
PGP Keysigning Party
As at most IETF meeting and other regular networking events with
sufficient participants, we will be holding a PGP keysigning
party at this August's APNIC Open Policy Meeting in Taipei.
Quick Facts
============
Key Submission
Deadline All keys must be received in the submission email
box by Thursday, 30th August, NOON (Taiwan Time !)
Submission pfs@cisco.com
email
address
Subject PGP KEY
Format Please send your key as normal ASCII text. The keys
should NOT be sent as attachments or in
any proprietary format (like eg MS Word etc).
PGP Formats PGP 2.6 (RSA) and PGP6 (RSA and D/H)
Supported
Note Keys sent with a different subject may not be
included in the party.
Event details
Date Thursday, 30 August 2001
Time 1930-2100
Venue Room 105, Grand Hotel, Taipei
Status BOF (Birds of a Feather ...)
(ie *all* are welcome, as long as your key has been received
on time. No APNIC etc registration required !)
Please check the APNIC Notice board
for any changes in Room and Time !
Instructions for Participants
==============================
1. Who should attend
1. All people who have a PGP key
The PGP Keysigning Party will enable you to obtain
additional signatures (among others by noted net-
personalities) for your PGP key.
2. All people who have just started to use PGP
If you just started using PGP, It is unlikely that your key
has been signed by (m)any other PGP users so far. To ensure
that your key is trusted by the majority of the PGP users
all over the world, you will be interested to have well-
known net-personalities (and other people) sign your key.
3. Those who do not have a PGP key yet
You will need to
1. read up on PGP itself
2. create your own PGP key
to attend the keysigning party
4. Organizations
Many organizations use PGP to sign official announcements
etc. Usually these organizations publish their PGP key on
the web. As additional security, you may want your key to be
signed by other trusted
2. Preparation
- extract your public key using one of the following commands
(depending on your PGP version)
-UNIX PGP 2.6* $ pgp -kxa <your PGP userid>
-UNIX PGP 5.* $ pgpk -xa <your PGP userid>
-Win95 or other GUI Use the export function to export your
implementation key to a text file
For more details on the PGP commands refer to the PGP manual
- send in your PGP public key.
(the PUBLIC KEY!!! Never give out your PRIVATE key to
anyone!!) to the submission email address listed above.
Please do NOT send the key as an attachment or in any other
format but ASCII ARMORED TEXT! You could cut and paste the
ascii armored PGP key into the email body if necessary!
- write down (print out) your own public key's fingerprint and
the Key ID.
Under UNIX, you can obtain the key ID and fingerprint using these commands
-UNIX PGP 2.6* $pgp -kvc <your PGP userid>
-UNIX PGP 5.* $ pgpk -ll <your PGP userid>
-Win95 or other GUI Check the Key Properties (in
implementation PGPkeys)
Here is an example of a PGP key ID and fingerprint extracted
under UNIX (PGP 5.0i)
Note This also lists the signatures on this key, but we
need only the first few lines (marked with **)
$ pgpk -ll philip
Type Bits KeyID Created Expires Algorithm Use
** sec 1024 0xF2BCF9C1 1998-04-30 ---------- DSS Sign &
Encrypt
** f20 Fingerprint20 = 150B E9DB 04FA BE82 63CF 70A5 9C57 083B F2BC F9C1
sub 2048 0x67A69BE2 1998-04-30 ----------
Diffie-Hellman
f20 Fingerprint20 = F8AA D3DC D737 35C7 08C5 CE37 0FE5 14D7 67A6
9BE2
uid Philip F Smith <pfs@cisco.com>
SIG 0xF2BCF9C1 1998-04-30 Philip F Smith <pfs@cisco.com>
uid Philip F Smith <philip@dial.pipex.com>
SIG 0xF2BCF9C1 1998-04-30 Philip F Smith <pfs@cisco.com>
uid Philip F Smith <philip@employees.org>
SIG 0xF2BCF9C1 1998-04-30 Philip F Smith <pfs@cisco.com>
...
3. At the APNIC meeting, before the PGP keysigning Party
- periodically check the noticeboard, where the list of keys
submitted for the PGP keysigning party will be posted after the deadline.
Your key must be submitted by the deadline to be called during
the keysigning party. If you submitted your key, and it does not
appear on the list, please submit it again before the
deadline!
4. At the PGP Keysigning Party itself
- Bring along proper PHOTO identification
For other participants to sign your PGP key (which is
the whole aim of this event), they must be able to
verify that the key belongs to you and that you really
are who you claim to be.
- if you submitted a PGP key for your organization, please
bring along identification which proves that you are indeed
representing that organization
· letter by the president/management etc on their stationery
· namecard
· company pass etc
- obtain the list of submitted keys (this will be provided
as a printout at the beginning of the party).
- check that YOUR OWN public key is listed on the printout,
and check its PGP KEY FINGERPRINT. Check it carefully. The
fingerprint must match in *every* character
Procedure
=========
- During the party, we will one by one read out aloud each
PGP key submitted including the KeyID, the attached userIDs
(names) and the Key Fingerprint. During this the owner of
the key will stand up to be recognized by the crowd.
(We may need each key-owner to read their own Key
fingerprint etc, unless we manage to rustle up a suitable
Voice program to automatically read the keys)
- During this, each participant should
1. check that the userid, name, keyid and fingerprint match
what is printed on your printout
2. ensure that the person standing up acknowledges the key as
his own
3. note which keys checked out ok and which ones haven't
- After all keys have been read, you are encouraged to
1. verify the owners' identities by checking their supporting
documents (Photo ID)
2. especially carefully verify the credentials for those who
want an organization's key signed.
5. After the PGP Keysigning Party
- decide whose keys you would want to sign (using your notes
made during the keysigning party)
You should only sign keys if you have *very carefully*
verified the key's integrity and the owner's supporting
documents (passport etc). If there is any doubt as to a
person's identity or ownership of a key, do NOT sign
that person's key !!
- sign these people's keys with your own PGP PRIVATE KEY,
using your PGP software
- export/save the signed keys into ASCII files (see the PGP
manual)
- either send the signed public keys to the keys owner
(recommended) or to one of the public PGP keyservers.
It is recommended that you send the key to the owner,
so that they can decide themselves which signatures to
send to the keyservers.
- If you had presented your own key, you may want to check
the public pgp keyservers periodically to see whether other
participants have sent in new signatures for your own key.
If so, you may want to obtain you own public key from the
server and add it (actually only the additional signatures)
to your own keyring. If another participant has sent you
your key with a new signature, you will want to add the new
signature to your own keyring, and then send the key to the
public PGP keyservers.
==========
Background
==========
What is PGP?
PGP (Pretty Good Privacy) is a standard (and a program
implementing that standard) providing strong authentication
and encryption for email (and other networking applications
such as internet phone) using a public key system.
Why is PGP important?
From the PGP FAQ (http://www.at.pgp.net/pgpnet/pgp-faq/)
You should encrypt your e-mail for the same reason that you
don't write all of your correspondence on the back of a post
card. E-mail is actually far less secure than the postal
system. With the post office, you at least put your letter
inside an envelope to hide it from casual snooping. Take a
look at the header area of any e-mail message that you
receive and you will see that it has passed through a number
of nodes on its way to you. Every one of these nodes
presents the opportunity for snooping. Encryption in no way
should imply illegal activity. It is simply intended to keep
personal thoughts personal.
Xenon <an48138@anon.penet.fi> puts it like this
Crime? If you are not a politician, research scientist,
investor, CEO, lawyer, celebrity, libertarian in a
repressive society, investor, or person having too much fun,
and you do not send e-mail about your private sex life,
financial/political/legal/scientific plans, or gossip then
maybe you don't need PGP, but at least realize that privacy
has nothing to do with crime and is in fact what keeps the
world from falling apart. Besides, PGP is FUN. You never had
a secret decoder ring? Boo!
-Xenon (Copyright 1993, Xenon)
What is keysigning, and why is it important?
Again, see the FAQ http//www.at.pgp.net/pgpnet/pgp-faq/faq-06.html
What is a PGP Keysigning party?
A PGP keysigning party is not a party in the sense of
celebration. It is unlikely that alcohol will flow or hors
d'oevres be passed out. As PGP uses a public key system, it
usually is easy to obtain some person's public PGP key
(which is required to securely converse with that person or
to verify that person's authorship or identity). The usual
method for this is to either ask the person directly for
their PGP key. Another method is to request it from a public
PGP keyserver, which is like a worldwide replicated
directory of PGP public keys.
More info?
You can find more information on PGP at these webpages
PGP Inc. http//www.pgp.com
PGP.net http//www.pgp.net
International PGP Homepage http//www.ifi.uio.no/pgp/
There is a PGP discussion newsgroup named comp.security.pgp
and its FAQ
http//www.at.pgp.net/pgpnet/pgp-faq/
There is a book on PGP published by O'Reilly & Associates
Simson Garfinkel PGP Pretty Good Privacy
1st Edition December 1994
1-56592-098-8, Order Number 0988
430 pages, $29.95
see http//www.oreilly.com/catalog/pgp/noframes.html
* APOPS: Asia Pacific Operations Forum *
* To unsubscribe: send "unsubscribe" to apops-request@apnic.net *
