Keysigning-Party

From SHA2017 Wiki

The keysigning party at SHA2017 will be a classic Sassaman-Efficient style keysigning party with some SHAdaptions, provided that at least 20 people show up. If not, we'll fall back to exchanging keyslips.

Pre-signups are closed! However, please bring your own keyslip, as we still love to sign your keys. It just won't be that efficient :)

The SHAdaptions mainly consist of:

  • Replacing the checksums with a SHA256 one
  • Adding badges for easily verifying keys visually, and showing your signing policy

For the complete protocol, see the Protocol section below.

Additionally, everyone is encouraged to bring keyslips anyway, so that people who have not been able to prepare can still sign keys and have their key signed, albeit in a less efficient manner.

What?

At a keysigning party, we sign each other's PGP/GPG keys to strengthen the web of trust. Please also read https://wiki.debian.org/Keysigning

Pre-registration

Name               | KeyID (0xlong)                                             | Sent key to keysigning@sha2017.org
User:WebSpider     | 0x37A169A51AC33EA2                                         | Yes
User:Piet0r        | 0xD43B003FB3684634                                         | ACK
User:Atluxity      | 0xA87A3C11E1F73953                                         | yes
User:-hp197        | 0xAC082B028971394C                                         | yez
User:sprawl        | 0x1FDD301FB636D58B, 0xAE8DA3E6A86CD3C0                     | done
User:malan         | 0x84e614e61e13dac3                                         | Not yet
User:LaKoon        | 0x3280EC393A363153 (RSA), 0x593C2E2F7F98F97D (ECC)         | Yes
User:F             | 0xA7A6F879006DF9EB                                         | Yes
User:DigitalBrains | 0xAC46EFE6DE500B3E                                         | Yes
User:B0b           | 0x5DC466D89EF3884C                                         | Yes
User:g5pw          | 0xE140E1EEA54EE677                                         | Yes
User:Xesxen        | 0x6001AAE97C319893                                         | Done
User:Andy          | 0x0CAFC463F721D5BF, 0xE9988FAC60C89A41, 0xF11D74D8A5F33D1C | Yes

But I was there too!

Name               | KeyID (0xlong)     | E-mail (in case of signing trouble)
User:WebSpider     | 0x37A169A51AC33EA2 | nils@familievogels.nl

Protocol

The SHAdapted Sassaman-Efficient protocol goes as follows:

Before The Event

  1. (DONE) All participants e-mail their public key to the keysigning coordinator at keysigning@sha2017.org.
  2. (DONE) The coordinator compiles all the submitted keys into an event keyring.
  3. (DONE) The coordinator generates a text file containing a list of all keys and their fingerprints, and calculates the SHA256 checksum of the list.
  4. (DONE) The coordinator publishes the text file either by emailing it to all participants or making it accessible on a website along with all the checksums.

You may find the keyring, file and checksums at http://familievogels.nl/sha2017-ksp/ (Unfortunately I have had some issues with getting a sha2017.org website up and running, so that's why I'm publishing this late on a random domainname)

  5. Participants download the text file, calculate the checksum of the list, and check it against the checksum provided by the coordinator. If the checksums match, the participant has an identical and unmodified copy of the key list.
  6. Participants print out a hard copy of the key list and check that the fingerprint of their own key, as included in the list, is correct.
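The two participant steps above (verify the checksum, then confirm your own fingerprint is in the list) as a script. This is an added example, not part of the wiki page or the coordinator's tooling. It assumes the downloaded list is `ksp-list.txt` and the published checksum sits beside it in `ksp-list.txt.sha256` (both file names are assumptions), and the demo at the bottom uses a constructed list with a fake fingerprint, not a real SHA2017 key.

```shell
#!/bin/sh
# Added example (not from the SHA2017 wiki): verify the coordinator's key
# list before printing it, and confirm your own fingerprint is on it.
set -eu

# Portable SHA-256 of a file: coreutils sha256sum on Linux, shasum elsewhere.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare the list's checksum with the published one. The published file may
# be a bare hash or "hash  filename" (sha256sum format); hex case is ignored.
# Returns 0 on match, 1 on mismatch.
verify_list() {
    list="$1"
    published="$2"
    actual=$(sha256_of "$list" | tr 'A-F' 'a-f')
    expected=$(tr 'A-F' 'a-f' < "$published" | awk 'NF {print $1; exit}')
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Does a fingerprint appear in the list? Spaces and case are ignored, so the
# value printed by `gpg --fingerprint` can be pasted as-is.
fingerprint_in_list() {
    fpr=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    tr -d ' ' < "$1" | tr 'a-f' 'A-F' | grep -qF "$fpr"
}

# Demo on a constructed list. The key ID and fingerprint are fake and the
# layout only imitates the usual Sassaman-style list.
demo() {
    d=$(mktemp -d)
    cat > "$d/ksp-list.txt" <<'EOF'
pub   rsa4096/0x0123456789ABCDEF 2017-01-01
      Key fingerprint = 0000 1111 2222 3333 4444  5555 0123 4567 89AB CDEF
uid   Example Participant <participant@example.org>
EOF
    # Stands in for the checksum file the coordinator publishes.
    sha256_of "$d/ksp-list.txt" > "$d/ksp-list.txt.sha256"
    if verify_list "$d/ksp-list.txt" "$d/ksp-list.txt.sha256"; then
        echo "checksum OK: list is identical to the published one"
    else
        echo "checksum MISMATCH: do not print or use this list" >&2
    fi
    if fingerprint_in_list "$d/ksp-list.txt" \
        "0000 1111 2222 3333 4444 5555 0123 4567 89AB CDEF"; then
        echo "my fingerprint is in the list"
    fi
    rm -r "$d"
}
demo
```

Only print the list after `verify_list` succeeds; a copy printed from an unverified file is exactly what the checksum step is meant to rule out.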

At The Event

  1. All participants bring along their own hard copy of the key list which they printed themselves. Participants should only trust the key list they printed themselves from the file with verified checksums. This ensures each participant is working from a list they know has not been tampered with.
  2. The event organiser reads out the checksums or displays them on a projector for all participants to compare with their own.
  3. Each participant in turn makes a statement that their fingerprint as included in the list is correct. This can be as simple as saying 'key XXXXX is correct'. There is no need to read the fingerprint aloud: since the lists have been checksummed, the fingerprint that appears on all lists must be the same. Participants put a tick on their copy of the list next to each key that is stated by the owner to be correct, and put a tick in their keysigning-badge.
  4. Once all participants have stated whether their fingerprint is correct, everyone forms a long line in the same order as their keys appear in the list. The head of the line then folds back on itself and the participants moving back along the line inspect the ID of each participant standing still. The ID requirement is generally 2 forms of government-issued photo ID, but individual participants may enforce their own requirements as appropriate. A second tick is placed next to the list entry for which sufficient ID has been sighted.
  5. Once all participants have presented their ID, key lists are to be stored away in a safe place by each participant to prevent tampering with the annotated list.

After The Event

  1. Participants retrieve the public keys of all keysigning participants either by fetching individual keys from public keyservers or by importing an event keyring if one has been created by the event coordinator.
  2. Participants work through their annotated key list, checking the fingerprint of each key against the printed list, and sign only those keys whose fingerprint matches and which carry both ticks: the owner stated the fingerprint is correct, and valid ID was sighted.
  3. Participants either upload each public key they have signed to a public keyserver or e-mail it directly to the key owner. Some key owners prefer not to have their keys sent to public keyservers, so in general it is courteous to e-mail the signed key directly to the owner. A common refinement (this is what the caff tool automates) is to encrypt the signed key to the owner's key and send it to the e-mail address in the UID that was signed, so that the owner can only import the signature if they control both the private key and that address.
  4. Signatures sent to each participant by other participants are imported into their local keyring.
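The after-event pass (import the event keyring, re-check each ticked key's fingerprint against the list, sign, and prepare an encrypted copy for the owner) as a script. This is an added example, not the wiki's or the coordinator's own tooling. It assumes the event keyring was saved as `sha2017-ksp.asc` and that `ticked.txt` holds one fingerprint per line, transcribed from the paper list for the keys that received both ticks (both file names are assumptions). It uses `gpg --with-colons` output, whose `fpr` record carries the fingerprint in field 10; the sample record at the bottom is constructed with a fake key so the parsing can be exercised without a keyring.

```shell
#!/bin/sh
# Added example (not from the SHA2017 wiki): sign the keys you ticked at the
# party, checking the full fingerprint rather than trusting a key ID.
set -eu

# Extract the primary key's fingerprint from `gpg --with-colons` output.
# Field 10 of the "fpr" record is the fingerprint; the first such record
# belongs to the primary key, later ones to subkeys.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Normalize a fingerprint as written on the list: drop spaces and a leading
# 0x, upper-case the hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Fingerprint of the key that the local keyring returns for a lookup.
# Empty if the key is not present.
keyring_fpr() {
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null | fpr_from_colons
}

# Import the coordinator's event keyring (file name is an assumption).
import_event_keyring() {
    gpg --batch --import "${1:-sha2017-ksp.asc}"
}

# Sign every key in the ticked list whose keyring fingerprint matches the
# one on paper. Skips anything that is missing or differs: a key ID alone
# is not enough, two keys can share one.
sign_ticked() {
    ticked="$1"
    while IFS= read -r line; do
        want=$(norm_fpr "$line")
        [ -n "$want" ] || continue
        have=$(norm_fpr "$(keyring_fpr "$want")")
        if [ "$have" != "$want" ]; then
            echo "SKIP $want: keyring has '$have', list has '$want'" >&2
            continue
        fi
        # Certify all UIDs non-interactively. Use --lsign-key instead if
        # the signature should never leave your own keyring.
        gpg --batch --yes --sign-key "$want"
        # Export the signed key encrypted to the owner, for e-mailing rather
        # than pushing to a keyserver (see step 3 above).
        gpg --armor --export "$want" \
            | gpg --batch --yes --armor --encrypt --recipient "$want" \
            > "signed-$want.asc"
        echo "signed $want -> signed-$want.asc"
    done < "$ticked"
}

# Constructed --with-colons output for a fake key (not a real SHA2017 key),
# showing why the first fpr record is taken: the second is the subkey's.
SAMPLE_COLONS='pub:u:4096:1:0123456789ABCDEF:1483228800::::::scESC::::::23::0:
fpr:::::::::0000111122223333444455550123456789ABCDEF:
sub:u:4096:1:FEDCBA9876543210:1483228800::::::e::::::23:
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAAFEDCBA9876543210:'

# Does the fingerprint as written on the paper list match the sample record?
demo_fpr_match() {
    got=$(printf '%s\n' "$SAMPLE_COLONS" | fpr_from_colons)
    want=$(norm_fpr "0000 1111 2222 3333 4444  5555 0123 4567 89AB CDEF")
    [ "$got" = "$want" ]
}

if demo_fpr_match; then
    echo "sample record matches the fingerprint on the list"
fi

# Real run: ./sign-ticked.sh ticked.txt   (after import_event_keyring)
if [ $# -gt 0 ]; then
    import_event_keyring
    sign_ticked "$1"
fi
```

`gpg --sign-key` will still ask the agent for your passphrase; in batch mode the per-UID questions are answered with their defaults, so check the UIDs first if you only want to certify some of them.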