Keysigning

From HacDC Wiki

This page is a resource for keysigning parties @ HacDC.

Upcoming Parties

Friday, November 13th @ 7:30PM

Past Parties

September 10th, 2009

  • We had about 20 folks and about 10 of whom were productively keysigning.


Intro to KeySigning

  • You have a private key and a public key, which you generate (your keypair).
    • gpg --gen-key
  • People use your public key to send you encrypted messages that only you can open via the magic of crypto!
    • gpg --output doc.gpg --encrypt --recipient obscurite@hacdc.org doc
  • You decrypt these messages with your private key, which only you have access to.
    • gpg --output doc --decrypt doc.gpg
  • But first, you must share your public key, either directly or by uploading it to a keyserver.
    • gpg --keyserver pgp.mit.edu --send-keys D34DB33F
  • If it's on a keyserver, they must download it from the keyserver.
    • gpg --keyserver pgp.mit.edu --recv-keys D34DB33F
  • If it was a file (called obscurite.gpg for example), they can import it manually.
    • gpg --import obscurite.gpg
  • Now they can sign the key and send the key back to the keyserver.
    • gpg --sign-key D34DB33F
  • But before anyone signs anyone else's key, they have to make sure that person actually owns that key (checking physical ID).
    • Minimum recommendation is state photo ID + secondary photo ID (school, employer)
  • You can see who has signed someone's public key. If their key has been signed by someone in your web of trust, then that person is in your web of trust as well.
    • gpg --list-sigs D34DB33F
  • Don't forget to generate a revocation certificate for your public key in case you lose your passphrase or your key is compromised!
    • gpg --gen-revoke D34DB33F
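The steps above, run end to end as one script so you can see what each command leaves in the keyring. This is an added example, not code from the HacDC page or its author: it uses two constructed identities (Alice and Bob, with made-up e-mail addresses) in throwaway GnuPG homes, swaps the keyserver upload/download for an armored file exchange so it runs offline, and assumes gpg 2.1 or later plus awk. The one step worth slowing down on is the fingerprint check before signing: compare the full 40-digit fingerprint from the paper slip you verified against the person's ID, not the 8-digit short ID used in the commands above, which is far too short to be unique.

```shell
#!/bin/sh
# Added example (not from the HacDC page or its author): the keysigning steps
# above, run between two constructed identities in throwaway GnuPG homes.
# Assumes gpg 2.1+ and awk; names, e-mails and paths are made up.
set -e

WORK="$(mktemp -d)"
ALICE_HOME="$WORK/alice"; BOB_HOME="$WORK/bob"
ALICE='Alice Example <alice@example.invalid>'
BOB='Bob Example <bob@example.invalid>'

# Run gpg against one party's keyring with no prompts. Test keys get an empty
# passphrase so the script is non-interactive; real keys should have one.
gpg_as() {            # usage: gpg_as <home> <gpg args...>
    home="$1"; shift
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Full 40-hex-digit fingerprint of a key, parsed from machine-readable output.
# This is what you compare against the paper slip, not the 8-digit short ID.
fingerprint_of() {    # usage: fingerprint_of <home> <user-id or key-id>
    gpg_as "$1" --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Long key IDs of everyone who has certified a key (includes its self-signature);
# the batch equivalent of reading `gpg --list-sigs`.
signers_of() {        # usage: signers_of <home> <fingerprint>
    gpg_as "$1" --with-colons --list-sigs "$2" | awk -F: '$1 == "sig" { print $5 }' | sort -u
}

keysigning_party() {
    mkdir -m 700 "$ALICE_HOME" "$BOB_HOME"

    # 1. Each party generates a keypair (the page's `gpg --gen-key`, non-interactive here).
    gpg_as "$ALICE_HOME" --quick-gen-key "$ALICE" default default never
    gpg_as "$BOB_HOME"   --quick-gen-key "$BOB"   default default never
    ALICE_FPR="$(fingerprint_of "$ALICE_HOME" "$ALICE")"
    BOB_FPR="$(fingerprint_of "$BOB_HOME" "$BOB")"
    BOB_KEYID="$(printf '%s' "$BOB_FPR" | tail -c 16)"   # last 16 hex digits = long key ID

    # 2. Alice shares her public key as a file (stands in for --send-keys / --recv-keys).
    gpg_as "$ALICE_HOME" --armor --export "$ALICE_FPR" > "$WORK/alice.asc"
    gpg_as "$BOB_HOME" --import "$WORK/alice.asc"

    # 3. Bob checks the imported fingerprint against the one on Alice's paper slip,
    #    which he trusts only after checking her photo ID in person. ALICE_FPR stands
    #    in for the slip here; at a real party it comes off paper, not off the network.
    IMPORTED_FPR="$(fingerprint_of "$BOB_HOME" "$ALICE")"
    [ "$IMPORTED_FPR" = "$ALICE_FPR" ] || { echo "fingerprint mismatch, do not sign" >&2; return 1; }

    # 4. Bob certifies Alice's key (the page's `gpg --sign-key`, batch variant).
    gpg_as "$BOB_HOME" --quick-sign-key "$ALICE_FPR"

    # 5. Bob hands the now-signed key back and Alice imports it (again via a file
    #    instead of the keyserver round trip).
    gpg_as "$BOB_HOME" --armor --export "$ALICE_FPR" > "$WORK/alice-signed.asc"
    gpg_as "$ALICE_HOME" --import "$WORK/alice-signed.asc"

    # 6. gpg 2.1+ already wrote a revocation certificate when the key was generated;
    #    it is the same artifact `gpg --gen-revoke` produces by hand. Keep it offline.
    REVOKE_CERT="$ALICE_HOME/openpgp-revocs.d/$ALICE_FPR.rev"
}

# Stop the per-home agents and delete the scratch keyrings.
cleanup() {
    for h in "$ALICE_HOME" "$BOB_HOME"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$WORK"
}
```

After `keysigning_party` runs, `signers_of "$ALICE_HOME" "$ALICE_FPR"` lists both Alice's self-signature and Bob's key ID, which is exactly what `gpg --list-sigs` shows once a signed key has come back from the keyserver.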


DETAILS

  • Obscurite generally uses the pgp.mit.edu keyserver, but keyserver.ubuntu.com is well liked and they do sync regularly, so it doesn't especially matter which one you use, except that pgp.mit.edu has a nice web search interface.
  • I will pass around copies of signatures so you can check people off as you confirm their identity.
  • I recommend using a valid state photo ID as a minimum validation. It is up to your personal "keysigning policy."

Links