APRICOT
2000, Seoul, February 27 - March 3 2000
PGP Keysigning Party
As at most IETF meetings and other regular networking events with sufficient
participants, we will be holding a PGP keysigning party during this year's
APRICOT/APNG/APNIC Meeting in Seoul.
Quick Facts:

  Key Submission Deadline:   All keys must be received in the submission
                             email box by Wednesday, 1 March 2000, 18:00
                             (Seoul Time!)
  Submission email address:  pgp@koerber.org
  Subject:                   APRICOT PGP KEY
  Format:                    Please send your key as normal ASCII text. The
                             keys should NOT be sent as attachments or in
                             any proprietary format (like e.g. MS Word).
  PGP Formats Supported:     PGP 2.6 (RSA) and PGP 5 (RSA and D/H)

  Note: Keys sent to any other address or sent with a different subject
  may not be included in the official APRICOT 2000 PGP keyring!
Event details:

  Date:    Wednesday, 1 March 2000
  Time:    18:30 - 20:00 (end depends on participation)
  Venue:   Camellia Room
  Status:  BOF (Birds of a Feather ...), i.e. *all* are welcome, as long as
           your key has been received on time. No APRICOT etc. registration
           required!

  Please check the APRICOT Notice board for any changes in Room and Time!
Instructions for Participants:

1. Who should attend

   1. All people who have a PGP key

      The PGP Keysigning Party will enable you to obtain additional
      signatures (among others by noted net-personalities) for your PGP
      key.

   2. All people who have just started to use PGP

      If you have just started using PGP, it is unlikely that your key
      has been signed by (m)any other PGP users so far. To ensure that
      your key is trusted by the majority of PGP users all over the
      world, you will want to have well-known net-personalities (and
      other people) sign your key.

   3. Those who do not have a PGP key yet

      You will need to:
        1. read up on PGP itself
        2. create your own PGP key
      before you can attend the keysigning party.

   4. Organizations

      Many organizations use PGP to sign official announcements etc.
      Usually these organizations publish their PGP key on the web. As
      additional security, you may want your key to be signed by other
      trusted
2. Preparation

   - extract your public key using one of the following commands
     (depending on your PGP version):

       UNIX PGP 2.6*            $ pgp -kxa <your PGP userid>
       UNIX PGP 5.*             $ pgpk -xa <your PGP userid>
       Win95 or other GUI       Use the export function to export your key
       implementation           to a text file

     For more details on the PGP commands refer to the PGP manual.

   - send in your PGP public key (the PUBLIC KEY!!! Never give out your
     PRIVATE key to anyone!!) to the submission email address listed
     above. Please do NOT send the key as an attachment or in any other
     format but ASCII ARMORED TEXT! You can cut and paste the ASCII
     armored PGP key into the email body if necessary!
   - write down (print out) your own public key's fingerprint and the
     Key ID. Under UNIX, you can obtain the key ID and fingerprint using
     these commands:

       UNIX PGP 2.6*            $ pgp -kvc <your PGP userid>
       UNIX PGP 5.*             $ pgpk -ll <your PGP userid>
       Win95 or other GUI       Check the Key Properties (in PGPkeys)
       implementation

     Here is an example of a PGP key ID and fingerprint extracted under
     UNIX (PGP 5.0i):

     Note: This also lists the signatures on this key, but we need only
     the first few lines (the key line with Bits and KeyID, the
     Fingerprint16 line, and the uid line); the column layout below is
     reconstructed from the original output:

       $ pgpk -ll mathias
       Type Bits KeyID      Created    Expires    Algorithm Use
       sec+  768 0x25E082BD 1995-11-15 ---------- RSA       Sign & Encrypt
       f16    Fingerprint16 = 1A 8B FC D4 93 F1 9A FC BD 98 A3 1A 0E 73 01 65
       uid  Mathias Koerber <mathias@koerber.org>
       SIG       0x25E082BD 1996-08-22 Mathias Koerber <mathias@koerber.org>
       uid  Mathias Koerber <mathias@staff.singnet.com.sg>
       sig       0x101E3A11 1998-02-23 Alfonso B. Carandang <abc@epic.net>
       SIG       0x25E082BD 1996-06-09 Mathias Koerber <mathias@koerber.org>
       uid  mathias@singapura.singnet.com.sg
       SIG       0x25E082BD 1995-11-17 Mathias Koerber <mathias@koerber.org>
       uid  Mathias Koerber <Mathias_Koerber@pobox.org.sg>
       SIG       0x25E082BD 1995-11-16 Mathias Koerber <mathias@koerber.org>
       uid  Mathias Koerber <mathias@singnet.com.sg>
       sig       0x3022C951 1995-12-18 William Allen Simpson <Bill.Simpson@um.cc.umich.edu>
       sig?      0x0DBF906D 1996-03-09 (Unknown signator, can't be checked)
       sig?      0x579532CD 1995-12-08 (Unknown signator, can't be checked)
       sig?      0x7B7AE5E1 1995-12-18 (Unknown signator, can't be checked)
       sig       0x76875905 1995-12-10 Angelos D. Keromytis <kermit@forthnet.gr>
       sig       0x466B4289 1995-12-07 Theodore Ts'o [SIGNATURE] <tytso@mit.edu>
       SIG       0x25E082BD 1995-11-15 Mathias Koerber <mathias@koerber.org>
       uid  Mathias Koerber <mathias@singnet.com.sg> <Mathias_Koerber@pobox.org.sg>
       SIG       0x25E082BD 1995-11-15 Mathias Koerber <mathias@koerber.org>
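     The listing above is also the raw material for the printout that is
     handed out at the party: for every submitted key the organizers need
     the KeyID, the key size and algorithm, the fingerprint and all user
     IDs, while the signature lines play no role on the printout. The
     following Python script is an added example written for this page
     (it is not part of the announcement and not PGP's own code). It
     parses the pgpk -ll output as laid out above (the exact column
     positions are an assumption; the parser keys on the leading token),
     raises on any line it does not understand rather than silently
     dropping a key, builds the printout with a per-key checklist, and
     separates the "sig?" signatures, whose signer is not on the local
     keyring and therefore cannot be checked, from signatures made by
     other known keys.

```python
"""Parse a PGP 5 'pgpk -ll' listing (the format shown on this page) into key,
user ID and signature records and build the printout handed out at the party.

Added example for this page, not code from the announcement or from PGP.
SAMPLE_LISTING is the page's own listing; its column layout is reconstructed.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LISTING = """\
Type Bits KeyID      Created    Expires    Algorithm Use
sec+  768 0x25E082BD 1995-11-15 ---------- RSA       Sign & Encrypt
f16    Fingerprint16 = 1A 8B FC D4 93 F1 9A FC BD 98 A3 1A 0E 73 01 65
uid  Mathias Koerber <mathias@koerber.org>
SIG       0x25E082BD 1996-08-22 Mathias Koerber <mathias@koerber.org>
uid  Mathias Koerber <mathias@staff.singnet.com.sg>
sig       0x101E3A11 1998-02-23 Alfonso B. Carandang <abc@epic.net>
SIG       0x25E082BD 1996-06-09 Mathias Koerber <mathias@koerber.org>
uid  mathias@singapura.singnet.com.sg
SIG       0x25E082BD 1995-11-17 Mathias Koerber <mathias@koerber.org>
uid  Mathias Koerber <Mathias_Koerber@pobox.org.sg>
SIG       0x25E082BD 1995-11-16 Mathias Koerber <mathias@koerber.org>
uid  Mathias Koerber <mathias@singnet.com.sg>
sig       0x3022C951 1995-12-18 William Allen Simpson <Bill.Simpson@um.cc.umich.edu>
sig?      0x0DBF906D 1996-03-09 (Unknown signator, can't be checked)
sig?      0x579532CD 1995-12-08 (Unknown signator, can't be checked)
sig?      0x7B7AE5E1 1995-12-18 (Unknown signator, can't be checked)
sig       0x76875905 1995-12-10 Angelos D. Keromytis <kermit@forthnet.gr>
sig       0x466B4289 1995-12-07 Theodore Ts'o [SIGNATURE] <tytso@mit.edu>
SIG       0x25E082BD 1995-11-15 Mathias Koerber <mathias@koerber.org>
uid  Mathias Koerber <mathias@singnet.com.sg> <Mathias_Koerber@pobox.org.sg>
SIG       0x25E082BD 1995-11-15 Mathias Koerber <mathias@koerber.org>
"""

# One regex per line type; the leading token (sec/pub/sub, f16/f20, uid, sig) is
# what identifies a line, not its column position.
KEY_RE = re.compile(r"^(?P<type>(?:pub|sec|sub)\+?)\s+(?P<bits>\d+)\s+(?P<id>0x[0-9A-Fa-f]{8,16})"
                    r"\s+(?P<created>\S+)\s+(?P<expires>\S+)\s+(?P<algo>\S+)")
FP_RE = re.compile(r"^f(?P<len>16|20)\s+Fingerprint(?P=len)\s*=\s*(?P<fp>[0-9A-Fa-f ]+)$")
UID_RE = re.compile(r"^uid\s+(?P<uid>\S.*)$")
SIG_RE = re.compile(r"^(?P<kind>sig\?|sig|SIG)\s+(?P<id>0x[0-9A-Fa-f]{8,16})\s+(?P<date>\S+)\s+(?P<signer>\S.*)$")


@dataclass
class Signature:
    kind: str     # 'sig'/'SIG': checkable; 'sig?': signer's key not on the local keyring
    key_id: str
    date: str
    signer: str


@dataclass
class UserID:
    name: str
    sigs: list = field(default_factory=list)


@dataclass
class Key:
    key_type: str
    bits: int
    key_id: str
    created: str
    expires: str
    algorithm: str
    fingerprint: str = ""
    uids: list = field(default_factory=list)
    subkeys: list = field(default_factory=list)   # PGP 5 DH/DSS keys list a subkey too


def parse_listing(text: str) -> list:
    """Strict parser: a line it cannot classify raises instead of being dropped."""
    keys, cur = [], None      # cur: the key or subkey a following fingerprint line belongs to
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Type "):
            continue
        if m := KEY_RE.match(line):
            cur = Key(m["type"], int(m["bits"]), m["id"], m["created"], m["expires"], m["algo"])
            keys[-1].subkeys.append(cur) if m["type"].startswith("sub") else keys.append(cur)
        elif cur is None:
            raise ValueError(f"data before first key record: {line!r}")
        elif m := FP_RE.match(line):
            cur.fingerprint = " ".join(m["fp"].split()).upper()
        elif m := UID_RE.match(line):
            keys[-1].uids.append(UserID(m["uid"]))
        elif (m := SIG_RE.match(line)) and keys[-1].uids:
            keys[-1].uids[-1].sigs.append(Signature(m["kind"], m["id"], m["date"], m["signer"]))
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return keys


def signers(key: Key) -> dict:
    """Split a key's signatures into those by other checkable keys, the key's own
    self-signatures, and 'sig?' ones that pgpk could not check."""
    sigs = [s for u in key.uids for s in u.sigs]
    return {
        "unknown": sorted({s.key_id for s in sigs if s.kind == "sig?"}),
        "external": sorted({s.key_id for s in sigs if s.kind != "sig?" and s.key_id != key.key_id}),
        "self": sum(1 for s in sigs if s.key_id == key.key_id),
    }


def printout(keys: list) -> str:
    """The list handed out at the start of the party, one block per key."""
    out = []
    for k in keys:
        if not k.fingerprint:   # without a fingerprint nobody can verify the key: refuse
            raise ValueError(f"{k.key_id}: no fingerprint line in listing")
        out.append(f"{k.key_id} {k.bits} {k.algorithm} created {k.created}")
        out.append(f"  fingerprint: {k.fingerprint}")
        out += [f"  uid: {u.name}" for u in k.uids]
        out.append("  [ ] fingerprint read out matches  [ ] owner stood up  [ ] photo ID seen")
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print(printout(parsed))
    print(signers(parsed[0]))
```

     Feed it the concatenated pgpk -ll output of all submitted keys to get
     the printout; the "unknown" signer list tells a participant which of
     the signatures on a key PGP itself could not verify, which is exactly
     why signatures are collected in person rather than trusted blindly.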
3. At APRICOT, before the PGP keysigning Party

   - periodically check the noticeboard, where the list of keys submitted
     for the PGP keysigning party will be posted. Your key must be
     submitted by the deadline to be called during the keysigning party
     and included in the official APRICOT PGP keyring. If you submitted
     your key, and it does not appear on the list, please submit it
     again before the deadline!
4. At the PGP Keysigning Party itself

   - Bring along proper PHOTO identification.
     For other participants to sign your PGP key (which is the whole aim
     of this event), they must be able to verify that the key belongs to
     you and that you really are who you claim to be.

   - if you submitted a PGP key for your organization, please bring along
     identification which proves that you are indeed representing that
     organization:
       * letter by the president/management etc. on their stationery
       * namecard
       * company pass etc.

   - obtain the list of submitted keys (this will be provided as a
     printout at the beginning of the party).

   - check that YOUR OWN public key is listed on the printout, and check
     its PGP KEY FINGERPRINT. Check it carefully. The fingerprint must
     match in *every* character.
   Procedure

   - During the party, we will one by one read out aloud each PGP key
     submitted, including the KeyID, the attached userIDs (names) and
     the Key Fingerprint. During this the owner of the key will stand up
     to be recognized by the crowd.
     (We may need each key-owner to read their own Key fingerprint etc.,
     unless we manage to rustle up a suitable voice program to
     automatically read the keys.)

   - During this, each participant should
       1. check that the userid, name, keyid and fingerprint match what
          is printed on your printout
       2. ensure that the person standing up acknowledges the key as
          their own
       3. note which keys checked out ok and which ones did not

   - After all keys have been read, you are encouraged to
       1. verify the owners' identities by checking their supporting
          documents (Photo ID)
       2. especially carefully verify the credentials for those who want
          an organization's key signed.
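   The fingerprint and KeyID shown in the listing under "Preparation"
   are not arbitrary labels: both are computed from the key material,
   and the two key formats accepted for this party compute them
   differently. For a PGP 2.6-style (v3) RSA key, such as the 768-bit key
   in the example with its 16-byte "Fingerprint16", the fingerprint is
   the MD5 hash of the modulus and exponent, while the KeyID is nothing
   more than the low 64 bits of the modulus (PGP prints the low 32 bits).
   Since whoever generates a key chooses its modulus, two different v3
   keys can carry the same KeyID; only the fingerprint tells them apart,
   which is why the procedure insists that it match in *every* character.
   For PGP 5 (v4) keys the fingerprint is a 20-byte SHA-1 hash over the
   whole public key packet and the KeyID is taken from that fingerprint.
   The following Python script is an added example written for this page
   (it is not part of the announcement and not PGP's own code). It
   implements both computations as specified in RFC 4880 section 12.2
   together with the "every character" comparison, and uses constructed
   moduli (not real RSA keys) to show two v3 keys that share one KeyID
   but have different fingerprints.

```python
"""Fingerprint and key ID arithmetic for OpenPGP public keys (RFC 4880, 12.2):

  v3 keys (PGP 2.6 RSA):        fingerprint = MD5(body of n || body of e), 16 bytes
                                key ID      = low 64 bits of the modulus n
  v4 keys (PGP 5 DSS/DH, RSA):  fingerprint = SHA-1(0x99 || len || key packet body)
                                key ID      = low 64 bits of the fingerprint

Added example for this page. The moduli below are constructed test values,
not real RSA keys; they exist only to exercise the computations.
"""
import hashlib
import struct


def mpi_body(value: int) -> bytes:
    """Big-endian octets of an OpenPGP MPI, without the 2-octet bit count."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def mpi(value: int) -> bytes:
    """A complete OpenPGP MPI: 2-octet bit count followed by the body."""
    return struct.pack(">H", value.bit_length()) + mpi_body(value)


def v3_fingerprint(n: int, e: int) -> str:
    """The 16-byte 'Fingerprint16' of a v3 RSA key: MD5 over the MPI bodies only."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest().upper()


def v3_key_id(n: int) -> str:
    """A v3 key ID is just the low 64 bits of n, which the key's creator chooses."""
    return "0x%016X" % (n & ((1 << 64) - 1))


def v4_public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """v4 RSA public-key packet body: version 4, creation time, algorithm 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(n: int, e: int, created: int) -> str:
    """20-byte SHA-1 over 0x99, the 2-octet body length, and the packet body."""
    body = v4_public_key_packet_body(n, e, created)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def v4_key_id(n: int, e: int, created: int) -> str:
    """A v4 key ID is the low 64 bits of the fingerprint, so it is bound to the key."""
    return "0x" + v4_fingerprint(n, e, created)[-16:]


def short_key_id(long_key_id: str) -> str:
    """The 32-bit form PGP prints in listings, e.g. 0x25E082BD on this page."""
    return "0x" + long_key_id[-8:]


def format_fingerprint(hexdigest: str) -> str:
    """Octets separated by spaces, as on the party printout: '1A 8B FC ...'."""
    return " ".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprints_match(printed: str, computed: str) -> bool:
    """The check made at the party: ignoring only spacing and case, every
    character must be identical. A matching prefix or key ID is not enough."""
    return "".join(printed.split()).upper() == "".join(computed.split()).upper()


# Constructed moduli (NOT real RSA keys). N2 differs from N1 only in bit 300, so
# both end in 0xDEADBEEFCAFEBABF and therefore share one v3 key ID.
E = 65537
N1 = (1 << 767) | (0x1234567 << 100) | 0xDEADBEEFCAFEBABF
N2 = N1 ^ (1 << 300)
CREATED = 951955200   # constructed: an arbitrary key creation timestamp


def demo() -> dict:
    """A shared v3 key ID says nothing about the key; the fingerprints differ."""
    return {
        "v3_key_id_same": v3_key_id(N1) == v3_key_id(N2),
        "v3_fingerprint_same": v3_fingerprint(N1, E) == v3_fingerprint(N2, E),
        "v4_key_id_same": v4_key_id(N1, E, CREATED) == v4_key_id(N2, E, CREATED),
    }


if __name__ == "__main__":
    for label, n in (("N1", N1), ("N2", N2)):
        print(label, "v3 keyid", short_key_id(v3_key_id(n)),
              "fp16", format_fingerprint(v3_fingerprint(n, E)))
        print(label, "v4 keyid", short_key_id(v4_key_id(n, E, CREATED)),
              "fp20", format_fingerprint(v4_fingerprint(n, E, CREATED)))
    print(demo())
```

   Run directly, it prints both keys' IDs and fingerprints in the spaced
   form used on the printout; the two v3 lines show the same KeyID next
   to two different fingerprints, the situation the character-by-character
   check is there to catch.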
5. After the PGP Keysigning Party

   - obtain the official APRICOT 2000 keyring from
     http://www.koerber.org/apricot2000/
     This will be available sometime after the keysigning party. A more
     detailed announcement will be posted on the APRICOT Notice Board.
     There will be 2 keyfiles, one with only PGP 2.6 keys, the other
     containing all (PGP 2.6 and PGP 5) keys.

   - decide whose keys you would want to sign (using your notes made
     during the keysigning party).
     You should only sign keys if you have *very carefully* verified the
     key (its fingerprint, as read out at the party) and the owner's
     supporting documents (passport etc.). If there is any doubt as to a
     person's identity or ownership of a key, do NOT sign that person's
     key!!

   - sign these people's keys with your own PGP PRIVATE KEY, using your
     PGP software.

   - export/save the signed keys into ASCII files (see the PGP manual).

   - either send the signed public keys to the key's owner (recommended)
     or to one of the public PGP keyservers.
     It is recommended that you send the key to the owner, so that they
     can decide themselves which signatures to send to the keyservers.

   - If you had presented your own key, you may want to check the public
     PGP keyservers periodically to see whether other participants have
     sent in new signatures for your own key. If so, you may want to
     obtain your own public key from the server and add it (actually
     only the additional signatures) to your own keyring.
     If another participant has sent you your key with a new signature,
     you will want to add the new signature to your own keyring, and
     then send the key to the public PGP keyservers.
------------------------------------------------------------------------
Background

What is PGP?

   PGP (Pretty Good Privacy) is a standard (and a program implementing
   that standard) providing strong authentication and encryption for
   email (and other networking applications such as internet phone)
   using a public key system.
Why is PGP important?

   From the PGP FAQ (http://www.at.pgp.net/pgpnet/pgp-faq/):

      You should encrypt your e-mail for the same reason that you don't
      write all of your correspondence on the back of a post card.
      E-mail is actually far less secure than the postal system. With
      the post office, you at least put your letter inside an envelope
      to hide it from casual snooping. Take a look at the header area of
      any e-mail message that you receive and you will see that it has
      passed through a number of nodes on its way to you. Every one of
      these nodes presents the opportunity for snooping. Encryption in
      no way should imply illegal activity. It is simply intended to
      keep personal thoughts personal.

   Xenon <an48138@anon.penet.fi> puts it like this:

      Crime? If you are not a politician, research scientist, investor,
      CEO, lawyer, celebrity, libertarian in a repressive society,
      investor, or person having too much fun, and you do not send
      e-mail about your private sex life,
      financial/political/legal/scientific plans, or gossip then maybe
      you don't need PGP, but at least realize that privacy has nothing
      to do with crime and is in fact what keeps the world from falling
      apart. Besides, PGP is FUN. You never had a secret decoder ring?
      Boo!
      -Xenon
      (Copyright 1993, Xenon)
What is keysigning, and why is it important?
Again, see the FAQ:
http://www.at.pgp.net/pgpnet/pgp-faq/faq-06.html
What is a PGP Keysigning party?

   A PGP keysigning party is not a party in the sense of celebration. It
   is unlikely that alcohol will flow or hors d'oeuvres be passed out.
   As PGP uses a public key system, it usually is easy to obtain some
   person's public PGP key (which is required to securely converse with
   that person or to verify that person's authorship or identity). The
   usual method for this is to ask the person directly for their PGP
   key. Another method is to request it from a public PGP keyserver,
   which is like a worldwide replicated directory of PGP public keys.
   Obtaining a key this way does not, however, tell you that it really
   belongs to the person named in it: anybody can create a key carrying
   any name and email address. At a keysigning party the participants
   meet in person, check each other's identification and key
   fingerprints, and afterwards sign the keys they have verified, so that
   others who trust a signer can in turn trust the signed key.
More info?

   You can find more information on PGP at these webpages:

      PGP Inc.:                    http://www.pgp.com
      PGP.net:                     http://www.pgp.net
      International PGP Homepage:  http://www.ifi.uio.no/pgp/

   There is a PGP discussion newsgroup named comp.security.pgp and its
   FAQ: http://www.at.pgp.net/pgpnet/pgp-faq/

   There is a book on PGP published by O'Reilly & Associates:

      Simson Garfinkel: PGP: Pretty Good Privacy
      1st Edition December 1994
      ISBN 1-56592-098-8, Order Number: 0988
      430 pages, $29.95
      see: http://www.oreilly.com/catalog/pgp/noframes.html