From: |
Stephen Lau <stephen.lau@UCSF.EDU> |
|---|---|
Reply-To: |
stephen.lau@ucsf.edu |
To: |
UCITPS-L@LISTSERV.UCOP.EDU |
Subject: |
PGP/GPG Key Signing Party at UCITPS |
Date: |
Tue, 24 Jul 2007 16:10:12 -0700 |
As part of the UCSIRC charter, every member of UCSIRC is required
to use PGP for incident information sharing. In order for this to
work, a "web of trust" needs to be developed for the keys.
To start this "web of trust", you're all invited to a key signing
party to be held at next week's UCITPS meeting. Unfortunately,
refreshments will not be served and entertainment will be
limited to whatever sheer pleasure you derive from
having your public key vetted by your colleagues.
For this party to work, YOU need to do the following BEFORE
coming to the party:
1) Generate a PGP/GPG key
2) Upload your PUBLIC (not your private) key to a public
key server.
3) Print multiple (at least 20) copies of your public
key fingerprint on small slips of paper with your name
on them.
4) Bring the slips of paper with you, along with a valid UC
ID to the key signing party.
Ugh, you may be saying, what does all this mean? Well, here's some
additional information...
For a general overview, look here:
http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html
For PGP: http://www.pgp.com/index.html
PGP is the commercial version and comes with a nice GUI.
For GPG: http://www.gnupg.org
GPG is a GNU version of PGP and interoperates nicely.
Uploading Your Key
==================
There are numerous public key servers. Both PGP and GPG allow you
to upload your public key. You can also manually export your public
key and upload them to a public key server.
Here is a decent public key server to use:
http://pgp.mit.edu/
You can use the pgp.mit.edu to look up my public key as an example.
Simply type in "Stephen.lau@ucsf.edu" in the search field. Select
verbose index and you will see that my key has been signed by
multiple people.
Printing Your Fingerprint
=========================
Key fingerprints are not the public keys. It's a block of 10
4 digit hexadecimal numbers. For example, my PGP fingerprint
is: "44C8 C9CB C15E 2AE1 7B0A 544E 9A04 AB2B F63F 748B" and can
always be found in my email signatures. They are used to
verify that the public key you have is the one you want.
Refer to your PGP client to determine how to extract the fingerprint
from your PGP key. Print the fingerprint along with your name
onto small strips of paper. These strips will be distributed to
other attendees so they can go and download your public key and verify
them by the fingerprints printed on the slips of paper.
Colleagues Who Can Not Attend
=============================
By the general guidelines for PGP web of trust building, one must
have face to face presence to vet each other's keys. If you
have colleagues who are not able to make it, you will not be allowed
to share their public keys in this venue. Since *you* know your
colleague, *you* can sign their keys and it will be up to individuals
if they wish to have transitive trust.
Feel free to ask any questions.
Steve
--
+---------------------------------------------------------------------
Stephen Lau - Stephen.Lau@ucsf.edu
Information Security Policy and Program Manager
University of California, San Francisco
1855 Folsom, Suite 602, Box 0707, San Francisco, CA 94143
+1(415) 476-3106 (Work) +1(415) 476-1717 (Fax)
PGP: 44C8 C9CB C15E 2AE1 7B0A 544E 9A04 AB2B F63F 748B
+---------------------------------------------------------------------