Old 01-07-2008, 10:14 PM
Matt Domsch
 
GPG Keysigning at FUDCon - INSTRUCTIONS

On Wed, Jan 02, 2008 at 09:13:32PM -0600, Matt Domsch wrote:
> On Wed, Jan 02, 2008 at 09:44:23PM -0500, Todd Zullinger wrote:
> > If you haven't seen it before, I'd recommend giving a look at the
> > "Efficient Group Key Signing Method" by Len Sassaman and Phil
> > Zimmermann, documented at http://sion.quickie.net/keysigning.txt
> >
> > It cuts a lot of the tediousness out of a key signing involving more
> > than just a few people.
>
> yep. That's basically my plan. So far only ~14 people have sent me
> keys, so even bicycle chain won't take but a few minutes. I'll email
> everyone who has sent keys, and fedora-devel, the instructions early
> next week for getting the plaintext list of keys, the keyring I've
> compiled from the sent fingerprints, the SHAx sums and the rest.


I've compiled the list of keys for the FUDCon keysigning. These 20
are whom I have. If you're not on this list, and still want to
participate, you may, details to follow.

pub 1024D/92F0FC09 2001-04-16 Matt Domsch <mdomsch@alum.mit.edu>
pub 1024D/BD113717 1997-09-19 Paul W. Frields <stickster@gmail.com>
pub 1024D/116521D9 2000-10-11 David Woodhouse (Insecure work key) <dwmw2@redhat.com>
pub 1024D/93054260 2001-03-22 Tom Callaway (spot) <tcallawa@redhat.com>
pub 1024D/1728D29B 2007-12-15 Lee Lorentz (WB0TRA) <lee@wb0tra.no-ip.org>
pub 1024D/CCAF484E 2007-04-17 Ricky Zhou <ricky.zhou@gmail.com>
pub 1024D/99B1F444 2006-04-02 G. Wolfe Woodbury <ggw@wolves.durham.nc.us>
pub 1024D/7BB612C9 2001-06-02 Kevin Sonney (The Alchemist) <kevin@sonney.com>
pub 1024D/8929CFFC 2006-12-05 Chris Tyler <chris@tylers.info>
pub 1024D/ED00D312 2000-06-21 Douglas E. Warner <silfreed@silfreed.net>
pub 1536R/243A1329 1996-12-05 David Woodhouse <david@woodhou.se>
pub 1024D/2E3F0935 2007-05-29 Yaakov Nemoy <loupgaroublond@gmail.com>
pub 1024D/87EF16E8 2007-02-27 Tyler Owen <tyler.l.owen@gmail.com>
pub 1024D/7A47522D 2006-12-22 John Poelstra <poelcat@gmail.com>
pub 1024D/78688BF5 2002-10-03 Nalin Dahyabhai <nalin@dahyabhai.net>
pub 1024D/3B6A5B89 1999-09-16 Jack Neely <jjneely@ncsu.edu>
pub 2048R/BEAF0CE3 2006-07-04 Todd M. Zullinger <tmz@pobox.com>
pub 1024D/D74908ED 2007-12-31 Eric Harlan Christensen <eric@christensenplace.us>
pub 1024D/B05A59F7 2004-03-01 Dennis Gilmore <dennis@auroralinux.org>
pub 1024D/0D86AF59 2006-01-21 Jonathan Steffan (daMaestro) <jonathansteffan@gmail.com>


See the URL above for the process. Before the keysigning, you _must_
download a copy of
http://domsch.com/linux/fedora/fudcon2008/fudcon-keysigning.txt
and verify that your key is correct on there. You'll be asked at the
keysigning to confirm that your key is correct in that file.

Second, you must run both sha1sum and md5sum on the
fudcon-keysigning.txt file, and validate that it in fact matches:

http://domsch.com/linux/fedora/fudcon2008/fudcon-keysigning.txt.md5sum
0c799b9b70cf87e0039631e0cfd1586a fudcon-keysigning.txt

http://domsch.com/linux/fedora/fudcon2008/fudcon-keysigning.txt.sha1sum
d3fa0cda1d77cde8608c2506e88cb3cd60764c43 fudcon-keysigning.txt

At the keysigning, I'll read these values. Everyone confirms they
match, therefore we know your key as listed in the keyring is what
everyone expects it to be. Then we each, in order, show our IDs for
everyone to validate, and then each person can decide if they want to
sign that person's key.

After the keysigning, you can use a tool like caff from the pgp-tools
package to sign each person's key and mail it to them.

I'll see you all next Saturday!

Thanks,
Matt

--
Matt Domsch
Linux Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 01-07-2008, 11:26 PM
Matt Domsch
 
GPG Keysigning at FUDCon - INSTRUCTIONS

On Mon, Jan 07, 2008 at 05:14:15PM -0600, Matt Domsch wrote:
> On Wed, Jan 02, 2008 at 09:13:32PM -0600, Matt Domsch wrote:
> > On Wed, Jan 02, 2008 at 09:44:23PM -0500, Todd Zullinger wrote:
> > > If you haven't seen it before, I'd recommend giving a look at the
> > > "Efficient Group Key Signing Method" by Len Sassaman and Phil
> > > Zimmermann, documented at http://sion.quickie.net/keysigning.txt
> > >
> > > It cuts a lot of the tediousness out of a key signing involving more
> > > than just a few people.
> >
> > yep. That's basically my plan. So far only ~14 people have sent me
> > keys, so even bicycle chain won't take but a few minutes. I'll email
> > everyone who has sent keys, and fedora-devel, the instructions early
> > next week for getting the plaintext list of keys, the keyring I've
> > compiled from the sent fingerprints, the SHAx sums and the rest.
>
>
> I've compiled the list of keys for the FUDCon keysigning. These 20
> are whom I have. If you're not on this list, and still want to
> participate, you may, details to follow.


I meant to do the validations using the fingerprints, not just the
--list-keys output.

http://domsch.com/linux/fedora/fudcon2008/fudcon-keysigning-fingerprints.txt
http://domsch.com/linux/fedora/fudcon2008/fudcon-keysigning-fingerprints.txt.md5sum
http://domsch.com/linux/fedora/fudcon2008/fudcon-keysigning-fingerprints.txt.sha1sum
http://domsch.com/linux/fedora/fudcon2008/fudcon-keysigning-fingerprints.txt.sign
(signed by me)


Please download the .txt file, and run md5sum and sha1sum against it
and compare with the values posted there. They should match. Also be
sure your key fingerprint is correct in that file.


These, the keyring, etc. can be found at
http://domsch.com/linux/fedora/fudcon2008/. Please download and
validate them yourselves.

Thanks,
Matt

--
Matt Domsch
Linux Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux

 
Old 01-08-2008, 01:41 AM
"Paul W. Frields"
 
GPG Keysigning at FUDCon - INSTRUCTIONS

On Mon, 2008-01-07 at 17:14 -0600, Matt Domsch wrote:
> At the keysigning, I'll read these values. Everyone confirms they
> match, therefore we know your key as listed in the keyring is what
> everyone expects it to be. Then we each, in order, show our IDs for
> everyone to validate, and then each person can decide if they want to
> sign that person's key.
>
> After the keysigning, you can use a tool like caff from the pgp-tools
> package to sign each person's key and mail it to them.

If I may be so bold, last time we did this, a very small proportion of
attendees actually sent around signed keys. Or did they just not want
to sign mine? :-) If you've got a laptop and install pgp-tools on it,
you can run through the signing routine at least once in the room so we
can clear up any confusion that might prevent propagating the "web of
trust."

--
Paul W. Frields, RHCE http://paul.frields.org/
gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717
Fedora Project: http://pfrields.fedorapeople.org/
irc.freenode.net: stickster @ #fedora-docs, #fedora-devel, #fredlug
 
Old 01-08-2008, 01:49 AM
Jason L Tibbitts III
 
GPG Keysigning at FUDCon - INSTRUCTIONS

>>>>> "PWF" == Paul W Frields <stickster@gmail.com> writes:

PWF> If I may be so bold, last time we did this, a very small
PWF> proportion of attendees actually sent around signed keys.

Yeah, I found that I got back home, got busy putting out fires and
such (plus my wife decided that we should buy a new car on the way
home from the airport) and I ended up forgetting what I was supposed
to do to do all of the signing.

I haven't sent my key info in this time out of embarrassment.

- J<

 
Old 01-08-2008, 02:30 AM
Todd Zullinger
 
GPG Keysigning at FUDCon - INSTRUCTIONS

Matt Domsch wrote:
> After the keysigning, you can use a tool like caff from the
> pgp-tools package to sign each person's key and mail it to them.

I'd like to put in a plug for not using caff (read: I'm a pedant).

There are three things you want to verify when you certify (sign) a
key:

1) The identity of the person asking me to certify their key.
2) The key's fingerprint, id, size, and type
3) The email address(es) associated with the key

1 can be accomplished via a driver's license or other form of ID.

2 is achieved by checking that the key info presented at the signing
matches what is available on the public keyservers.

3 is the trickier one. When you sign a key, you are signing the
primary key + the user id(s). Most newer PGP keys consist of a
primary key and one or more encryption subkeys.

Using caff as I understand it, you would sign each uid on a key and
then encrypt it to the address on the uid. This encryption is
intended to verify that the key actually belongs to the recipient and
that they can receive email at the address on the key.

This is not entirely adequate for a few reasons. Firstly, it doesn't
really verify that the uid you are signing belongs to the person at
the address (see below). Secondly, it fails completely for anyone
that doesn't have an encryption subkey. (Some people have a master
key that they use for signing and for acquiring signatures on and
another key that they use for day to day use and receiving encrypted
mail. Not common perhaps, but a perfectly valid usage of gpg, and no
reason to deny someone a signature on their key.)

What you really want to do is ask the key owner to sign some text or
data of your choosing and send it to you. That ensures that the thing
you are signing (the primary key + uid) is under the control of the
key owner and that they can receive mail at the address in the uid.

I prodded the folks on gnupg-users about this a year or so ago. You
can read the full thread starting at [1] and David Shaw's assertion
that "sending an signed key via encrypted mail does not ensure
anything about the key owner." at [2].

Ingo Kloecker was kind enough to post a short perl script in that
thread that he used to send out challenge mail after a keysigning. I
modified it a bit and used it after the last keysigning at my local
LUG (all the bugs are surely mine).

In the off chance that anyone is interested, I've posted that script
at [3]. It requires the perl modules Text::Autoformat and
Text::Template (among other standard modules).

[1] http://marc.info/?l=gnupg-users&m=115221259531231&w=2
[2] http://marc.info/?l=gnupg-users&m=115230714808866&w=2
[3] http://tmz.fedorapeople.org/scripts/gpg-send-challenges

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
Eat drink and be merry, for tomorrow they may make it illegal.

 
Old 01-08-2008, 02:34 AM
Todd Zullinger
 
GPG Keysigning at FUDCon - INSTRUCTIONS

Jason L Tibbitts III wrote:
> Yeah, I found that I got back home, got busy putting out fires and
> such (plus my wife decided that we should buy a new car on the way
> home from the airport) and I ended up forgetting what I was supposed
> to do to do all of the signing.
>
> I haven't sent my key info in this time out of embarrassment.

I'd hazard a guess that most everyone can understand getting busy and
sidetracked and that anyone who attended the last keysigning won't
hold it against you.

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
Disobedience: The silver lining to the cloud of servitude.
-- Ambrose Bierce

 
Old 01-08-2008, 02:38 AM
Dennis Gilmore
 
GPG Keysigning at FUDCon - INSTRUCTIONS

On Monday 07 January 2008, Jason L Tibbitts III wrote:
> >>>>> "PWF" == Paul W Frields <stickster@gmail.com> writes:
>
> PWF> If I may be so bold, last time we did this, a very small
> PWF> proportion of attendees actually sent around signed keys.
>
> Yeah, I found that I got back home, got busy putting out fires and
> such (plus my wife decided that we should buy a new car on the way
> home from the airport) and I ended up forgetting what I was supposed
> to do to do all of the signing.
>
> I haven't sent my key info in this time out of embarrassment.
>
> - J<

I missed the gpg session last time since I had to do the EPEL presentation.
However, it would be good to get some of it done while there. Perhaps we
could have the session at a time by itself, at the beginning or end of the
day.

Dennis
 
Old 01-08-2008, 03:03 AM
Todd Zullinger
 
GPG Keysigning at FUDCon - INSTRUCTIONS

Paul W. Frields wrote:
> If I may be so bold, last time we did this, a very small proportion
> of attendees actually sent around signed keys. Or did they just not
> want to sign mine? :-)

I've had that experience myself. I made a note to shower before the
next keysigning.

> If you've got a laptop and install pgp-tools on it, you can run
> through the signing routine at least once in the room so we can
> clear up any confusion that might prevent propagating the "web of
> trust."

Speaking of the web, here's a graph of the keys submitted so far and
how they are related. The graph was made using the sig2dot script[1]
and neato (from graphviz).

Keys are colored:

* Red proportional to sigs received (in arrows)
* Green proportional to the ratio of sigs given to sigs received
* Blue proportional to sigs given (out arrows)

[1] http://ftp.de.debian.org/debian/pool/main/s/sig2dot/sig2dot_0.37.tar.gz

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
It's not denial. I'm just very selective about what I accept as
reality.
-- Calvin ("Calvin and Hobbes")

 
Old 01-08-2008, 03:06 AM
Todd Zullinger
 
GPG Keysigning at FUDCon - INSTRUCTIONS

I wrote:
> Speaking of the web, here's a graph of the keys submitted so far and
> how they are related.

I suppose the actual graph would be handy to have too.

http://tmz.fedorapeople.org/fudcon9-keysigning/fudcon-graph.png

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
You will rue this day! Well, go on! Start ruing!
-- Stewie Griffin

 
Old 01-08-2008, 04:38 AM
Jason L Tibbitts III
 
GPG Keysigning at FUDCon - INSTRUCTIONS

>>>>> "MD" == Matt Domsch <Matt_Domsch@dell.com> writes:

MD> If you're not on this list, and still want to participate, you
MD> may, details to follow.

Unfortunately I don't see those directions following. Did I miss the
boat? I guess I can still print a bunch of copies of my key if so.

- J<

 
