home | list info | list archive | date index | thread index

[OCLUG-Tech] building a web of trust -- informal key signing

On behalf of the attendees, thank you Adrian for your OCLUG tutorial on
how to use GnuPG for securing email.

For those that attended, and for those that could name the tutorial,
below is a summary on how to create your new PGP key.  Adrian and I will
hold a small "key signing party" after the general meeting next week to
place those keys into the OLCUG web of trust.

First, to create a new key follow these steps:

1) prepare the .gnupg directory

        gpg --list-key

2) create a new main key

        gpg --gen-key

   select '(2) DSA (sign only)';
   you can leave this key to never expire.

3) create a sub key that expires relatively soon

   the output of the last command will list the main key that was
   created it looks like '1024D/E5B5EC9E', you will want to copy the
   part after the slash (the key ID) and edit that key:

        gpg --edit-key E5B5EC9E

        (substitute E5B5EC9E for your key ID)

   run command 'addkey' and select '(4) Elgamal (encrypt only)';
   select between 2048 and 4096 bits, and make it expire relatively soon
   (Adrian suggested at the end of the year, which is about 120 days).

   once done run 'save'.

4) publish your key

        gpg --send-key E5B5EC9E

        (substitute E5B5EC9E for your key ID)

~~~

Next, to get your key signed by others on Tuesday, you will need to
bring the following:

 - a government published and easily identifiable picture ID (or multiple)
 - a few copies of your key fingerprint; you will need to give one of
   these to each person that you want to sign your key.  

   The best thing would be to print out the output of the following command 
   multiple times on a page and cut them into strips:

        gpg --fingerprint E5B5EC9E

        (substitute E5B5EC9E for your key ID)

   I have written a script that does just that...

        http://www.jukie.net/~bart/scripts/gpg-fpr-slips

If you chose to, or have to, do it by hand, then make sure that the
information you give the other person includes:

 - Your name (must be the same as your ID)
 - Your key ID
 - Your email address (same as the key you generated)
 - The key fingerprint

Have a look at 'gpg --fingerprint' output.

~~~

The "key signing party" is relatively simple.  You will be given a slip
of paper by each of the individuals, and will be shown their photo ID.
You will verify that the photo ID matches the name on the slip of paper.

When you go home you will retrieve their key from the internet, verify
the fingerprint and sign them.

        gpg --recv-key <their key id>
        gpg --edit-key <their key id>
          fpr

  At this point you must verify that the output of the 'fpr' command
  matches the bits you were given on the slip of paper (particularly the
  fingerprint, name and email address).  If not, say 'quit', otherwise 
  continue with...

          sign
          trust
          save
        gpg --send-key <their key id>

See you on Tuesday.

-Bart

-- 
				WebSig: http://www.jukie.net/~bart/sig/

----- End forwarded message -----

-- 
				WebSig: http://www.jukie.net/~bart/sig/

Attachment: signature.asc
Description: Digital signature