Keywords: key, public-private, OpenPGP, signing
Abstract: Many of us have one or more key pairs for encrypting e-mail to others. This keeps the conversation private, i.e. out of reach of a man-in-the-middle. The THF camp is a perfect opportunity for a group to have a real, live exchange of keys. Being face to face is perhaps one of the strongest ways to validate a key, and doing it at an event, where a group of people can perform the exchange together, speeds up the building of a particular web of trust.
Methodology: Those wishing to participate are asked to e-mail their public key to a particular e-mail address by a particular time, e.g. 23:59 on Wednesday 6 August. The signing get-together will take place the next day, e.g. 14:00 on Thursday 7 August. The lead organiser (me, for this party) has put all the public keys into a file and will offer it for download from a file-serving device.

1. Once downloaded, turn off all network connections.
2. Compute the SHA-256 sum: gpg --print-md sha256 thfc-keysigning.txt. Make sure it starts with ‘XYZ’.
3. Wait for everybody to be ready. We confirm the document's SHA-256 sum together.
4. Search for your own fingerprint and your own user id and verify that they are indeed what they should be.
5. We then confirm the user id and fingerprint information, starting at the top of the file. Each participant physically present will in turn stand up and state:
   - their name,
   - that they have verified their fingerprint,
   - that they have verified their user id.
   Other people in the room who know this person then confirm that the person is who s/he says s/he is.
6. If you trust what you hear, put an ‘x’ in the corresponding checkboxes in your file.
7. At the end, sign the resulting document with your own key for later verification: gpg --clearsign thfc-keysigning.txt.
8. When at home again, take your time to sign the keys after verifying that this document has not been tampered with, ideally using caff.
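As an added example (not part of the original submission), the participant-side checks of the procedure above in Python: hashing the downloaded file, comparing it with the digest or prefix announced in the room, locating your own entry by fingerprint and user id, and ticking the checkboxes. The list layout, names and fingerprints are constructed; signing the result stays with gpg --clearsign as described.

```python
import hashlib
import re

# Constructed sample list (not the page's file): one entry per key, blank-line separated.
SAMPLE_LIST = """\
001  [ ] Fingerprint OK   [ ] ID OK
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid   Alice Example <alice@example.org>

002  [ ] Fingerprint OK   [ ] ID OK
      Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98
uid   Bob Example <bob@example.org>
"""
FPR_RE = re.compile(r"Key fingerprint = (.+)")

def sha256_hex(data):
    """Digest of the exact bytes downloaded; this is what the room compares aloud."""
    return hashlib.sha256(data).hexdigest()

def digest_matches(digest, announced):
    """True if the announced value is hex, at least 8 chars and a prefix of the local digest."""
    announced = announced.replace(" ", "").lower()
    if len(announced) < 8 or not re.fullmatch(r"[0-9a-f]+", announced):
        return False
    return digest.startswith(announced)

def normalise_fpr(fpr):
    return fpr.replace(" ", "").upper()
def entries(text):
    return [e.strip() for e in text.split("\n\n") if e.strip()]
def fpr_of(entry):
    m = FPR_RE.search(entry)
    return normalise_fpr(m.group(1)) if m else ""

def find_own_entry(text, my_fpr, my_uid):
    """Return the entry whose fingerprint AND user id both match, else None."""
    for entry in entries(text):
        if fpr_of(entry) == normalise_fpr(my_fpr) and my_uid in entry:
            return entry

def mark_verified(text, fpr, fingerprint_ok, id_ok):
    """Tick the checkboxes of one entry after its owner confirmed them aloud."""
    out = []
    for entry in entries(text):
        if fpr_of(entry) == normalise_fpr(fpr):
            if fingerprint_ok:
                entry = entry.replace("[ ] Fingerprint OK", "[x] Fingerprint OK", 1)
            if id_ok:
                entry = entry.replace("[ ] ID OK", "[x] ID OK", 1)
        out.append(entry)
    return "\n\n".join(out) + "\n"
```

Comparing the full 64-character digest is stronger than a short prefix; the prefix check only mirrors the quick in-room confirmation.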
Language: English