[apops] PGP Key Signing Party at APNIC Meeting in Taipei

  • To: apops at lists dot apnic dot net
  • Subject: [apops] PGP Key Signing Party at APNIC Meeting in Taipei
  • From: Philip Smith <pfs at cisco dot com>
  • Date: Wed, 29 Aug 2001 13:48:06 +1000
  • Sender: owner-apops@lists.apnic.net
      Thanks to Randy Bush and Bill Manning for offering to help with this.
      Attached is the announcement of the PGP key signing party to be held
      tomorrow evening. I hope everyone at APNIC's conference will be able to
      participate.

      philip
      --

                     APNIC 2001, Taipei, August 28-31 2001
                             PGP Keysigning Party
      
      As at most IETF meetings and other regular networking events with
      sufficient participants, we will be holding a PGP keysigning
      party at this August's APNIC Open Policy Meeting in Taipei.
      
      Quick Facts
      ============
      Key Submission
      
      Deadline     All keys must be received in the submission email
                    box by Thursday, 30th August, NOON (Taiwan Time !)
      
      Submission   pfs at cisco dot com
      email
      address
      
      Subject      PGP KEY
      
      Format       Please send your key as normal ASCII text. The keys
                    should NOT be sent as attachments or in
                    any proprietary format (like eg MS Word etc).
      
      PGP Formats  PGP 2.6 (RSA) and PGP6 (RSA and D/H)
      Supported
      
                    Note: Keys sent with a different subject may not be
                    included in the party.
      
      Event details
      
      Date	       Thursday, 30 August 2001
      
      Time	       1930-2100
      
      Venue	       Room 105, Grand Hotel, Taipei
      		
      Status       BOF (Birds of a Feather ...)
                    (ie *all* are welcome, as long as your key has been received
                    on time. No APNIC etc registration required !)
      
                    Please check the APNIC Notice board
                    for any changes in Room and Time !
      
      Instructions for Participants
      ==============================
      
      1. Who should attend
      	1. All people who have a PGP key
      	The PGP Keysigning Party will enable you to obtain
      	additional signatures (among others by noted net-
      	personalities) for your PGP key.
      
      	2. All people who have just started to use PGP
      	If you have just started using PGP, it is unlikely that your key
      	has been signed by (m)any other PGP users so far. To ensure
      	that your key is trusted by the majority of PGP users
      	all over the world, you will want well-known net-personalities
      	(and other people) to sign your key.
      
      	3. Those who do not have a PGP key yet
      	You will need to
      		1.   read up on PGP itself
      		2.   create your own PGP key
      	to attend the keysigning party
      
      	4. Organizations
      	Many organizations use PGP to sign official announcements
      	etc. Usually these organizations publish their PGP key on
      	the web. As additional security, you may want your key to be
      	signed by other trusted
      
      2. Preparation
      
      	- extract your public key using one of the following commands
      	(depending on your PGP version)
      		-UNIX PGP 2.6*           $ pgp -kxa <your PGP userid>
      		-UNIX PGP 5.*            $ pgpk -xa <your PGP userid>
      		-Win95 or other GUI      Use the export function to export your
      		implementation          key to a text file
      
      	For more details on the PGP commands refer to the PGP manual
      
      	- send in your PGP public key.
         	(the PUBLIC KEY!!! Never give out your PRIVATE key to
         	anyone!!) to the submission email address listed above.
         	Please do NOT send the key as an attachment or in any other
         	format but ASCII ARMORED TEXT! You could cut and paste the
         	ascii armored PGP key into the email body if necessary!
      
      	- write down (print out) your own public key's fingerprint and
      	the Key ID.
      	Under UNIX, you can obtain the key ID and fingerprint using these commands
      
      		-UNIX PGP 2.6*                  $ pgp -kvc <your PGP userid>
      		-UNIX PGP 5.*                   $ pgpk -ll <your PGP userid>
      		-Win95 or other GUI             Check the Key Properties (in
      		implementation                 PGPkeys)
      
      	Here is an example of a PGP key ID and fingerprint extracted
         	under UNIX (PGP 5.0i)
         		Note: This also lists the signatures on this key, but we
         		need only the first few lines (marked with **)

         	$ pgpk -ll philip
             Type Bits KeyID      Created    Expires    Algorithm       Use
      **    sec  1024 0xF2BCF9C1 1998-04-30 ---------- DSS             Sign & Encrypt
      **    f20    Fingerprint20 = 150B E9DB 04FA BE82 63CF  70A5 9C57 083B F2BC F9C1
             sub  2048 0x67A69BE2 1998-04-30 ---------- Diffie-Hellman
             f20    Fingerprint20 = F8AA D3DC D737 35C7 08C5  CE37 0FE5 14D7 67A6 9BE2
             uid  Philip F Smith <pfs at cisco dot com>
             SIG       0xF2BCF9C1 1998-04-30 Philip F Smith <pfs at cisco dot com>
             uid  Philip F Smith <philip at dial dot pipex dot com>
             SIG       0xF2BCF9C1 1998-04-30 Philip F Smith <pfs at cisco dot com>
             uid  Philip F Smith <philip at employees dot org>
             SIG       0xF2BCF9C1 1998-04-30 Philip F Smith <pfs at cisco dot com>
             ...
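      The submission rules above (ASCII-armored text only, public key only, never
      the private key) can be enforced on the organizer's side before a key goes on
      the printout. The following is an added example written for this page, not
      code from the announcement or from the PGP software; it assumes nothing beyond
      RFC 4880's radix-64 armor format (BEGIN/END lines, optional "Name: value"
      headers, base64 data, and a trailing "=XXXX" CRC-24 line). The sample key
      material is constructed bytes, not a real key; the `armor()` helper exists
      only to build that sample, since a real submitter would use `pgp -kxa` or
      `pgpk -xa` as described above.

```python
"""Organizer-side check of an emailed key submission (added example, not from the
announcement): accept only an ASCII-armored PGP PUBLIC KEY BLOCK whose radix-64
checksum verifies, and refuse anything that is a PRIVATE KEY BLOCK."""
import base64
import binascii
import re

# CRC-24 parameters from RFC 4880, section 6.1 (the armor checksum line "=XXXX")
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# One armored block: BEGIN line, body, matching END line.
ARMOR_RE = re.compile(
    r"-----BEGIN (?P<type>PGP [A-Z ]+?)-----\r?\n(?P<body>.*?)-----END (?P=type)-----",
    re.DOTALL,
)


def crc24(data: bytes) -> int:
    """CRC-24 over the binary (de-armored) octets, as PGP armor computes it."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, block_type: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Wrap octets in PGP ASCII armor. Used here only to construct sample input."""
    text = base64.b64encode(data).decode("ascii")
    lines = [text[i:i + 64] for i in range(0, len(text), 64)]
    checksum = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {block_type}-----", "Version: constructed-sample", "",
                      *lines, checksum, f"-----END {block_type}-----", ""])


def dearmor(body: str) -> bytes:
    """Strip armor headers, decode the radix-64 data and verify the CRC-24 line.
    Raises ValueError on any defect."""
    data_lines, checksum, in_headers = [], None, True
    for line in body.splitlines():
        line = line.strip()
        if in_headers:
            if line == "":
                in_headers = False      # blank line ends the header section
                continue
            if ":" in line:
                continue                # an armor header such as "Version: ..."
            in_headers = False          # no header section at all; this is data
        if line == "":
            continue
        if line.startswith("="):
            checksum = line[1:]         # "=XXXX" carries the CRC-24 of the data
            break
        data_lines.append(line)
    if checksum is None:
        raise ValueError("armor checksum line missing")
    try:
        raw = base64.b64decode("".join(data_lines), validate=True)
        expected = int.from_bytes(base64.b64decode(checksum, validate=True), "big")
    except binascii.Error as exc:
        raise ValueError(f"invalid radix-64 data: {exc}") from exc
    if crc24(raw) != expected:
        raise ValueError("armor CRC-24 mismatch: key block corrupted or edited")
    return raw


def check_submission(message_body: str) -> tuple:
    """Return (accepted, reason) for the text of one submission email."""
    blocks = list(ARMOR_RE.finditer(message_body))
    if any("PRIVATE KEY" in m.group("type") for m in blocks):
        return False, "rejected: a PRIVATE KEY BLOCK was sent; never send your private key"
    public = [m for m in blocks if m.group("type") == "PGP PUBLIC KEY BLOCK"]
    if not public:
        return False, "rejected: no ASCII-armored PGP PUBLIC KEY BLOCK in the message body"
    try:
        raw = dearmor(public[0].group("body"))
    except ValueError as exc:
        return False, f"rejected: {exc}"
    return True, f"accepted: {len(raw)} octets of key material, checksum verified"


# Constructed sample input (not a real key): any octets will do for the armor check.
SAMPLE_KEY_MATERIAL = bytes(range(200))
SAMPLE_SUBMISSION = "Hi, here is my key for the party.\n\n" + armor(SAMPLE_KEY_MATERIAL)

if __name__ == "__main__":
    print(check_submission(SAMPLE_SUBMISSION))
```

      The CRC-24 catches mail-client damage (a wrapped or re-encoded line) before
      the party, which is the same failure the "cut and paste into the body"
      advice above is trying to avoid; a key whose armor fails the checksum would
      otherwise be caught only when the fingerprint is read aloud.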
      
      3. At the APNIC meeting, before the PGP keysigning Party
         	- periodically check the noticeboard, where the list of keys
         	submitted for the PGP keysigning party will be posted after the deadline.
             Your key must be submitted by the deadline to be called during
         	the keysigning party. If you submitted your key, and it does not
         	appear on the list, please submit it again before the
         	deadline!
      
      4. At the PGP Keysigning Party itself
         	- Bring along proper PHOTO identification
            	For other participants to sign your PGP key (which is
            	the whole aim of this event), they must be able to
            	verify that the key belongs to you and that you really
            	are who you claim to be.
      
         	- if you submitted a PGP key for your organization, please
         	bring along identification which proves that you are indeed
         	representing that organization, e.g.
         	    - letter by the president/management etc on their stationery
         	    - namecard
         	    - company pass etc
      
      	- obtain the list of submitted keys (this will be provided
         	as a printout at the beginning of the party).
      
         	- check that YOUR OWN public key is listed on the printout,
         	and check its PGP KEY FINGERPRINT. Check it carefully. The
         	fingerprint must match in *every* character
      
      Procedure
      =========
         	- During the party, we will one by one read out aloud each
         	PGP key submitted including the KeyID, the attached userIDs
         	(names) and the Key Fingerprint. During this the owner of
         	the key will stand up to be recognized by the crowd.
         		(We may need each key-owner to read their own Key
         		fingerprint etc, unless we manage to rustle up a suitable
         		Voice program to automatically read the keys)
      
         	- During this, each participant should
            		1.   check that the userid, name, keyid and fingerprint match
              		what is printed on your printout
      		2.   ensure that the person standing up acknowledges the key as
      			his own
      		3.   note which keys checked out ok and which ones haven't
      
      	- After all keys have been read, you are encouraged to
            		1.   verify the owners' identities by checking their supporting
              		documents (Photo ID)
      		2.   especially carefully verify the credentials for those who
      			want an organization's key signed.
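      The check that matters most during the read-out is the one above: the key ID
      and fingerprint must match the printout in every character, and a partial or
      "close enough" match is a failure. The following is an added example written
      for this page, not code from the announcement or from PGP; it parses a
      `pgpk -ll` style listing (the sample listing is the one shown in the
      Preparation section) and compares a fingerprint as read aloud against the
      printout. It also checks a property of PGP 5 (OpenPGP v4, DSS/DH) keys that
      the sample listing illustrates: the 8-digit key ID is the tail of the
      40-digit fingerprint, so a key ID that is not the fingerprint's last eight
      hex digits is a transcription error. That relation does not hold for PGP 2.6
      (v3 RSA) keys, whose 32-digit fingerprint is unrelated to the key ID, so the
      check is skipped for them.

```python
"""Party-side fingerprint check (added example, not from the announcement): parse a
'pgpk -ll' style listing into key ID and fingerprint and compare the fingerprint
read aloud against the printout, demanding that every hex digit agree."""
import re

# "**    sec  1024 0xF2BCF9C1 1998-04-30 ..." or "       sub  2048 0x67A69BE2 ..."
KEY_LINE_RE = re.compile(
    r"^\**\s*(?P<kind>sec|pub|sub)\s+(?P<bits>\d+)\s+(?P<keyid>0x[0-9A-Fa-f]{8})")
# "f20    Fingerprint20 = 150B E9DB ..." (PGP 5) or "f16    Fingerprint16 = ..." (v3 RSA)
FPR_LINE_RE = re.compile(r"Fingerprint(?:20|16)\s*=\s*(?P<fpr>[0-9A-Fa-f ]+?)\s*$")


def normalize(fpr: str) -> str:
    """Canonical form: upper-case hex with no whitespace. Nothing else is changed,
    so a digit the speaker or the printout gets wrong still shows as a mismatch."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_listing(text: str) -> list:
    """Return one dict per key line (kind, bits, keyid, fingerprint if present)."""
    entries, current = [], None
    for line in text.splitlines():
        m = KEY_LINE_RE.search(line)
        if m:
            current = {"kind": m.group("kind"), "bits": int(m.group("bits")),
                       "keyid": "0x" + m.group("keyid")[2:].upper()}
            entries.append(current)
            continue
        m = FPR_LINE_RE.search(line)
        if m and current is not None:
            current["fingerprint"] = normalize(m.group("fpr"))
    return entries


def fingerprints_match(read_aloud: str, printout: str) -> bool:
    """True only if the two fingerprints agree in every character; a prefix,
    a truncated read-out or a single wrong digit never counts as a match."""
    a, b = normalize(read_aloud), normalize(printout)
    return len(a) == len(b) and a == b


def keyid_consistent(keyid: str, fingerprint: str) -> bool:
    """For v4 (PGP 5 DSS/DH) keys the key ID is the low-order bits of the
    fingerprint, so the short ID must be the fingerprint's last 8 hex digits."""
    return normalize(fingerprint).endswith(keyid[2:].upper())


def verify_participant(listing_text: str, printout_keyid: str, printout_fpr: str) -> list:
    """Check one participant's primary key, as read aloud, against the printout.
    Returns the list of problems; an empty list means 'checked out ok'."""
    problems = []
    primary = next((k for k in parse_listing(listing_text) if k["kind"] in ("sec", "pub")), None)
    if primary is None:
        return ["no primary key line found in listing"]
    if primary["keyid"].upper() != printout_keyid.upper():
        problems.append(f"key ID {primary['keyid']} differs from printout {printout_keyid}")
    if "fingerprint" not in primary:
        problems.append("no fingerprint line for the primary key")
    elif not fingerprints_match(primary["fingerprint"], printout_fpr):
        problems.append("fingerprint does not match the printout in every character")
    elif len(primary["fingerprint"]) == 40 and not keyid_consistent(primary["keyid"], primary["fingerprint"]):
        # Only meaningful for v4 keys (40 hex digits); v3 RSA fingerprints are skipped.
        problems.append("key ID is not the tail of the v4 fingerprint: transcription error")
    return problems


# Sample input copied from the announcement's own 'pgpk -ll philip' example.
SAMPLE_LISTING = """\
       Type Bits KeyID      Created    Expires    Algorithm       Use
**    sec  1024 0xF2BCF9C1 1998-04-30 ---------- DSS             Sign & Encrypt
**    f20    Fingerprint20 = 150B E9DB 04FA BE82 63CF  70A5 9C57 083B F2BC F9C1
       sub  2048 0x67A69BE2 1998-04-30 ---------- Diffie-Hellman
       f20    Fingerprint20 = F8AA D3DC D737 35C7 08C5  CE37 0FE5 14D7 67A6 9BE2
       uid  Philip F Smith <pfs at cisco dot com>
"""

if __name__ == "__main__":
    print(verify_participant(SAMPLE_LISTING, "0xF2BCF9C1",
                             "150B E9DB 04FA BE82 63CF 70A5 9C57 083B F2BC F9C1"))
```

      Normalizing only whitespace and case is deliberate: the announcement's
      instruction is that the fingerprint "must match in *every* character", so
      the comparison must not be made forgiving of anything else.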
      
      5. After the PGP Keysigning Party
      
         	- decide whose keys you would want to sign (using your notes
      	made during the keysigning party)
      	You should only sign keys if you have *very carefully*
      	verified the key's integrity and the owner's supporting
      	documents (passport etc). If there is any doubt as to a
      	person's identity or ownership of a key, do NOT sign
      	that person's key !!
      
         	- sign these people's keys with your own PGP PRIVATE KEY,
         	using your PGP software
      
         	- export/save the signed keys into ASCII files (see the PGP
         	manual)
      
         	- either send the signed public keys to the keys owner
         	(recommended) or to one of the public PGP keyservers.
      	It is recommended that you send the key to the owner,
      	so that they can decide themselves which signatures to
      	send to the keyservers.
      
         	- If you had presented your own key, you may want to check
         	the public pgp keyservers periodically to see whether other
         	participants have sent in new signatures for your own key.
         	If so, you may want to obtain your own public key from the
         	server and add it (actually only the additional signatures)
         	to your own keyring. If another participant has sent you
         	your key with a new signature, you will want to add the new
         	signature to your own keyring, and then send the key to the
         	public PGP keyservers.
      
      ==========
      Background
      ==========
      What is PGP?
         PGP (Pretty Good Privacy) is a standard (and a program
         implementing that standard) providing strong authentication
         and encryption for email (and other networking applications
         such as internet phone) using a public key system.
      
      Why is PGP important?
         From the PGP FAQ (http://www.at.pgp.net/pgpnet/pgp-faq/)
      
         	You should encrypt your e-mail for the same reason that you
         	don't write all of your correspondence on the back of a post
         	card. E-mail is actually far less secure than the postal
         	system. With the post office, you at least put your letter
         	inside an envelope to hide it from casual snooping. Take a
         	look at the header area of any e-mail message that you
         	receive and you will see that it has passed through a number
         	of nodes on its way to you. Every one of these nodes
         	presents the opportunity for snooping. Encryption in no way
         	should imply illegal activity. It is simply intended to keep
         	personal thoughts personal.
         Xenon <an48138 at anon dot penet dot fi> puts it like this
         	Crime? If you are not a politician, research scientist,
         	investor, CEO, lawyer, celebrity, libertarian in a
         	repressive society, investor, or person having too much fun,
         	and you do not send e-mail about your private sex life,
         	financial/political/legal/scientific plans, or gossip then
         	maybe you don't need PGP, but at least realize that privacy
         	has nothing to do with crime and is in fact what keeps the
         	world from falling apart. Besides, PGP is FUN. You never had
         	a secret decoder ring? Boo!
             		           -Xenon (Copyright 1993, Xenon)
      
      What is keysigning, and why is it important?
         Again, see the FAQ http://www.at.pgp.net/pgpnet/pgp-faq/faq-06.html
      
      What is a PGP Keysigning party?
         A PGP keysigning party is not a party in the sense of
         celebration. It is unlikely that alcohol will flow or hors
         d'oeuvres be passed out. As PGP uses a public key system, it
         usually is easy to obtain some person's public PGP key
         (which is required to securely converse with that person or
         to verify that person's authorship or identity). The usual
         method for this is to ask the person directly for their PGP
         key. Another method is to request it from a public PGP
         keyserver, which is like a worldwide replicated directory of
         PGP public keys.
      
      More info?
         You can find more information on PGP at these webpages
         PGP Inc. http://www.pgp.com
         PGP.net http://www.pgp.net
         International PGP Homepage http://www.ifi.uio.no/pgp/
         There is a PGP discussion newsgroup named comp.security.pgp
         and its FAQ
            http://www.at.pgp.net/pgpnet/pgp-faq/
         There is a book on PGP published by O'Reilly & Associates
            Simson Garfinkel, PGP: Pretty Good Privacy
            1st Edition, December 1994
            ISBN 1-56592-098-8, Order Number 0988
            430 pages, $29.95
         see http://www.oreilly.com/catalog/pgp/noframes.html
      
      
      *             APOPS: Asia Pacific Operations Forum              *
      * To unsubscribe: send "unsubscribe" to apops-request at apnic dot net *