APRICOT 2000, Seoul, February 27 - March 3 2000

                            PGP Keysigning Party

As at most IETF meeting and other regular networking events with sufficient
participants, we will be holding a PGP keysigning party during this year's
APRICOT/APNG/APNIC Meeting in Seoul.

Quick Facts:

Key Submission:

                           All keys must be received in the submission
      Deadline:            email box by Wednesday, 1 March 2000, 18:00
                           (Seoul Time !)
      Submission email
      address:             pgp@koerber.org
      Subject:             APRICOT PGP KEY
                           Please send your key as normal ASCII text. The
      Format:              keys should NOT be sent as attachments or in
                           any proprietary format (like eg MS Word etc).
      PGP Formats SupportedPGP 2.6 (RSA) and PGP5 (RSA and D/H)

                             Note: Keys sent to any
                          other address or sent with
                            a different subject may
                             not be included in the
                           official Apricot 2000 PGP

Event details:

 Date:  Wednesday, 1 March 2000
 Time:  18:30 - 20:00 (end depends on participation)
 Venue: Camellia Room
        BOF (Birds of a Feather ...)

 Status:(ie *all* are welcome, as long as your key has been received on
        time. No APRICOT etc registration
        required !)

                         Please check the APRICOT
                         Notice board for any
                         changes in
                         Room and Time !

Instructions for Participants:

1. Who should attend

     1. All people who have a PGP key
     The PGP Keysigning Party will enable you to obtain additional
     signatures (among others by noted net-personalities) for your PGP

     2. All people who have just started to use PGP
     If you just started using PGP, It is unlikely that your key has
     been signed by (m)any other PGP users so far. To ensure that your
     key is trusted by the majority of the PGP users all over the
     world, you will be interested to have well-known net-personalities
     (and other people) sign your key.

     3. Those who do not have a PGP key yet
     You will need to:

       1. read up on PGP itself

       2. create your own PGP key

     to attend the keysigning party

     4. Organizations
     Many organizations use PGP to sign official announcements etc.
     Usually these organizations publish their PGP key on the web. As
     additional security, you may want your key to be signed by other

2. Preparation

- extract your public key using one of the following commands (depending on
your PGP version):

      UNIX PGP 2.6*            $ pgp -kxa <your PGP userid>

      UNIX PGP 5.*             $ pgpk -xa <your PGP userid>

      Win95 or other GUI       Use the export function to export your key
      implementation           to a text file

               For more details on the PGP commands refer to
               the PGP manual

- send in your PGP public key.

     (the PUBLIC KEY!!! Never give out your PRIVATE key to anyone!!) to
     the submission email address listed above. Please do NOT send the
     key as an attachment or in any other format but ASCII ARMORED
     TEXT! You could cut and paste the ascii armored PGP key into the
     email body if necessary!

- write down (print out) your own public key's fingerprint and the Key ID.

     Under UNIX, you can obtain the key ID and fingerprint using these

           UNIX PGP 2.6*              $pgp -kvc <your PGP userid>

           UNIX PGP 5.*               $ pgpk -ll <your PGP userid>

           Win95 or other GUI
           implementation             Check the Key Properties (in PGPkeys)

     Here is an example of a PGP key ID and fingerprint extracted under
     UNIX (PGP 5.0i):

     Note: This also lists the signatures on this key, but we need only
     the first few lines (green colored):

     $ pgpk -ll mathias
     Type Bits KeyID Created Expires Algorithm Use
     sec+ 768 0x25E082BD 1995-11-15 ---------- RSA Sign & Encrypt
     f16 Fingerprint16 = 1A 8B FC D4 93 F1 9A FC BD 98 A3 1A 0E 73 01 65
     uid Mathias Koerber <mathias@koerber.org>
     SIG 0x25E082BD 1996-08-22 Mathias Koerber <mathias@koerber.org>
     uid Mathias Koerber <mathias@staff.singnet.com.sg>
     sig 0x101E3A11 1998-02-23 Alfonso B. Carandang <abc@epic.net>
     SIG 0x25E082BD 1996-06-09 Mathias Koerber <mathias@koerber.org>
     uid mathias@singapura.singnet.com.sg
     SIG 0x25E082BD 1995-11-17 Mathias Koerber <mathias@koerber.org>
     uid Mathias Koerber <Mathias_Koerber@pobox.org.sg>
     SIG 0x25E082BD 1995-11-16 Mathias Koerber <mathias@koerber.org>
     uid Mathias Koerber <mathias@singnet.com.sg>
     sig 0x3022C951 1995-12-18 William Allen Simpson
     sig? 0x0DBF906D 1996-03-09 (Unknown signator, can't be checked)
     sig? 0x579532CD 1995-12-08 (Unknown signator, can't be checked)
     sig? 0x7B7AE5E1 1995-12-18 (Unknown signator, can't be checked)
     sig 0x76875905 1995-12-10 Angelos D. Keromytis <kermit@forthnet.gr>
     sig 0x466B4289 1995-12-07 Theodore Ts'o [SIGNATURE] <tytso@mit.edu>
     SIG 0x25E082BD 1995-11-15 Mathias Koerber <mathias@koerber.org>
     uid Mathias Koerber <mathias@singnet.com.sg>
     SIG 0x25E082BD 1995-11-15 Mathias Koerber <mathias@koerber.org>

3. At APRICOT, before the PGP keysigning Party

     - periodically check the noticeboard, where the list of keys
     submitted for the PGP keysigning party will be posted. Your key
     must be submitted by the deadline to be called during the
     keysigning party and included in the official APRICOT PGP keyring.
     If you submitted your key, and it does not appear on the list,
     please submit it again before the deadline!

4. At the PGP Keysigning Party itself

     - Bring along proper PHOTO identification

          For other participants to sign your PGP key (which is
          the whole aim of this event), they must be able to
          verify that the key belongs to you and that you really
          are who you claim to be.

     - if you submitted a PGP key for your organization, please bring
     along identification which proves that you are indeed representing
     that organization

             * letter by the president/management etc on their

             * namecard

             * company pass etc

     - obtain the list of submitted keys (this will be provided as a
     printout at the beginning of the party).

     - check that YOUR OWN public key is listed on the printout, and
     check its PGP KEY FINGERPRINT. Check it carefully. The fingerprint
     must match in *every* character


     - During the party, we will one by one read out aloud each PGP key
     submitted including the KeyID, the attached userIDs (names) and
     the Key Fingerprint. During this the owner of the key will stand
     up to be recognized by the crowd.

     (We may need each key-owner to read their own Key fingerprint etc,
     unless we manage to rustle up a suitable Voice program to
     automatically read the keys)

     - During this, each participant should

       1. check that the userid, name, keyid and fingerprint match what
          is printed on your printout

       2. ensure that the person standing up acknowledges the key as
          his own

       3. note which keys checked out ok and which ones haven't

     - After all keys have been read, you are encouraged to

       1. verify the owners' identities by checking their supporting
          documents (Photo ID)

       2. especially carefully verify the credentials for those who
          want an organization's key signed.

5. After the PGP Keysigning Party

     - obtain the official APRICOT 2000 keyring from

          This will be available sometime after the keysigning
          party. A more detailed announement will be posted on the
          APRICOT Notice Board. There will be 2 keyfiles, one with
          only PGP2.6 keys, the other containg all (PGP2.6 and
          PGP5) keys

     - decide whose keys you would want to sign (using your notes made
     during the keysigning party)

          You should only sign keys if you have *very carefully*
          verified the key's integrity and the owner's supporting
          documents (passport etc). If there is any doubt as to a
          person's identity or ownership of a key, do NOT sign
          that person's key !!

     - sign these people's keys with your own PGP PRIVATE KEY, using
     your PGP software

     - export/save the signed keys into ASCII files (see the PGP

     - either send the signed public keys to the keys owner
     (recommended) or to one of the public PGP keyservers.

          It is recommended that you send the key to the owner, so
          that they can decide themselves which signatures to send
          to the keyservers.

     - If you had presented your own key, you may want to check the
     public pgp keyservers periodically to see whether other
     participants have sent in new signatures for your own key. If so,
     you may want to obtain you own public key from the server and add
     it (actually only the additional signatures) to your own keyring.
     If another participant has sent you your key with a new signature,
     you will want to add the new signature to your own keyring, and
     then send the key to the public PGP keyservers.



What is PGP?

     PGP (Pretty Good Privacy) is a standard (and a program
     implementing that standard) providing strong authentication and
     encryption for email (and other networking applications such as
     internet phone) using a public key system.

Why is PGP important?

     From the PGP FAQ (http://www.at.pgp.net/pgpnet/pgp-faq/):

     You should encrypt your e-mail for the same reason that you don't
     write all of your correspondence on the back of a post card.
     E-mail is actually far less secure than the postal system. With
     the post office, you at least put your letter inside an envelope
     to hide it from casual snooping. Take a look at the header area of
     any e-mail message that you receive and you will see that it has
     passed through a number of nodes on its way to you. Every one of
     these nodes presents the opportunity for snooping. Encryption in
     no way should imply illegal activity. It is simply intended to
     keep personal thoughts personal.

     Xenon <an48138@anon.penet.fi> puts it like this:

     Crime? If you are not a politician, research scientist, investor,
     CEO, lawyer, celebrity, libertarian in a repressive society,
     investor, or person having too much fun, and you do not send
     e-mail about your private sex life,
     financial/political/legal/scientific plans, or gossip then maybe
     you don't need PGP, but at least realize that privacy has nothing
     to do with crime and is in fact what keeps the world from falling
     apart. Besides, PGP is FUN. You never had a secret decoder ring?


What is keysigning, and why is it important?

     Again, see the FAQ:

What is a PGP Keysigning party?

     A PGP keysigning party is not a party in the sense of celebration.
     It is unlikely that alcohol will flow or hors d'oevres be passed
     out. As PGP uses a public key system, it usually is easy to obtain
     some person's public PGP key (which is required to securely
     converse with that person or to verify that person's authorship or
     identity). The usual method for this is to either ask the person
     directly for their PGP key. Another method is to request it from a
     public PGP keyserver, which is like a worldwide replicated
     directory of PGP public keys.

More info?

     You can find more information on PGP at these webpages:

     PGP Inc.: http://www.pgp.com

     PGP.net: http://www.pgp.net

     International PGP Homepage: http://www.ifi.uio.no/pgp/

     There is a PGP discussion newsgroup named comp.security.pgp and
     its FAQ:


     There is a book on PGP published by O'Reilly & Associates:

          Simson Garfinkel: PGP: Pretty Good Privacy

          1st Edition December 1994

          1-56592-098-8, Order Number: 0988

          430 pages, $29.95

     see: http://www.oreilly.com/catalog/pgp/noframes.html