PGP Key Signing Party at UCITPS

As part of the UCSIRC charter, every member of UCSIRC is required
to use PGP for incident information sharing. In order for this to
work, a "web of trust" needs to be developed for the keys.

To start this "web of trust", you're all invited to a key signing
party to be held at next week's UCITPS meeting. Unfortunately,
refreshments will not be served and entertainment will be
limited to whatever sheer pleasure you derive from
having your public key vetted by your colleagues.

For this party to work, YOU need to do the following BEFORE
coming to the party:

        1) Generate a PGP/GPG key
        2) Upload your PUBLIC (not your private) key to a public
           key server.
        3) Print multiple (at least 20) copies of your public
           key fingerprint on small slips of paper with your name
           on them.
        4) Bring the slips of paper with you, along with a valid UC
           ID to the key signing party.

Ugh, you may be saying, what does all this mean? Well, here's some
additional information...

For a general overview, look here:
http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html

For PGP: http://www.pgp.com/index.html
PGP is the commercial version and comes with a nice GUI.

For GPG: http://www.gnupg.org
GPG (GnuPG) is the GNU implementation of the OpenPGP standard and
interoperates with PGP.

Uploading Your Key
==================
There are numerous public key servers. Both PGP and GPG allow you
to upload your public key directly. You can also manually export your
public key and upload it to a public key server.

Here is a decent public key server to use:
        http://pgp.mit.edu/

You can use pgp.mit.edu to look up my public key as an example.
Simply type "Stephen.lau@ucsf.edu" in the search field. Select
verbose index and you will see that my key has been signed by
multiple people.

Printing Your Fingerprint
=========================
Key fingerprints are not the public keys. A fingerprint is a block of
10 groups of 4 hexadecimal digits (160 bits in all). For example, my
PGP fingerprint is: "44C8 C9CB C15E 2AE1 7B0A 544E 9A04 AB2B F63F 748B"
and can always be found in my email signatures. Fingerprints are used
to verify that the public key you have is the one you want.

Refer to your PGP client to determine how to extract the fingerprint
from your PGP key. Print the fingerprint along with your name
onto small strips of paper. These strips will be distributed to
other attendees so they can go and download your public key and verify
it against the fingerprint printed on the slip of paper. Compare all
ten groups: a key whose fingerprint matches the slip only partially is
not your key.
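The whole procedure above, from generating a key and printing the slip through fetching a colleague's key after the party, checking it against the slip and certifying it, as an added example carried out with GnuPG. This script is not part of the original announcement: the attendees' names and addresses, the slip layout, and the use of exported files in place of key server traffic are assumptions made for the demo, and gpg 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not part of the original announcement: the key-signing-party
# workflow driven through GnuPG (gpg 2.1+ assumed), run entirely against
# throwaway keyrings under a temporary directory. The names, addresses and the
# slip layout below are constructed for the demo. Key server traffic
# (--send-keys / --recv-keys) is shown in comments only, so this runs offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One private GNUPGHOME per attendee so the demo never touches ~/.gnupg.
new_keyring() {   # new_keyring NAME -> prints the directory
    mkdir -p "$WORK/$1" && chmod 700 "$WORK/$1" && printf '%s\n' "$WORK/$1"
}

# Step 1: generate a key pair in batch mode and print its fingerprint.
# %no-protection is for the demo only; a real key gets a passphrase.
generate_key() {   # generate_key GNUPGHOME "Real Name" "user@example.org"
    gpg --homedir "$1" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
    fingerprint_of "$1" "$3"
}

# The primary key's fingerprint as 40 hex digits. With --with-colons the first
# "fpr" record belongs to the primary ("pub") key; later ones are subkeys.
fingerprint_of() {   # fingerprint_of GNUPGHOME <fingerprint|key-id|user-id>
    gpg --homedir "$1" --with-colons --fingerprint "$2" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 3: the announcement's layout, ten groups of four hex digits.
format_fingerprint() {   # format_fingerprint 40HEX
    printf '%s' "$1" | sed 's/..../& /g; s/ $//'
}
slip_text() {   # slip_text "Real Name" 40HEX -> the line to print on each slip
    printf '%s  %s\n' "$1" "$(format_fingerprint "$2")"
}

# Step 2, offline stand-in: export the PUBLIC key (never --export-secret-keys)
# to a file. Against a key server: gpg --keyserver SERVER --send-keys FPR
export_public() {   # export_public GNUPGHOME FINGERPRINT OUTFILE
    gpg --homedir "$1" --armor --export "$2" > "$3"
}

# After the party: take the key you fetched (with a key server: --recv-keys)
# and compare its fingerprint with the slip BEFORE importing it. Whitespace and
# case on the slip are ignored; any other difference is a mismatch.
verify_slip() {   # verify_slip GNUPGHOME PUBKEYFILE "slip fingerprint as printed"
    slip=$(printf '%s' "$3" | tr -d '[:space:]' | tr 'a-f' 'A-F')
    case "$slip" in *[!0-9A-F]*|"") echo "slip: not a hex fingerprint" >&2; return 1 ;; esac
    [ ${#slip} -eq 40 ] || { echo "slip: not a 160-bit fingerprint" >&2; return 1; }
    actual=$(gpg --homedir "$1" --with-colons --import-options show-only --import "$2" |
        awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$actual" = "$slip" ] || { echo "MISMATCH: file has $actual, slip says $slip" >&2; return 1; }
    gpg --homedir "$1" --quiet --import "$2"
}

# Certify the verified key with your own, then export it so the certification
# can be uploaded (--send-keys) and counted by other members' web of trust.
sign_key() {   # sign_key GNUPGHOME FINGERPRINT
    gpg --homedir "$1" --batch --yes --quick-sign-key "$2"
}
has_signature_from() {   # has_signature_from GNUPGHOME KEY_FPR SIGNER_FPR
    signer=$(printf '%s' "$3" | cut -c25-40)   # long key ID = last 16 hex digits
    gpg --homedir "$1" --with-colons --check-sigs "$2" |
        awk -F: -v id="$signer" '$1 == "sig" && $2 == "!" && $5 == id { ok = 1 } END { exit !ok }'
}

# ---- walk-through with two constructed attendees ----
ALICE=$(new_keyring alice); BOB=$(new_keyring bob)
ALICE_FPR=$(generate_key "$ALICE" "Alice Example" "alice@example.org")
BOB_FPR=$(generate_key "$BOB" "Bob Example" "bob@example.org")
export_public "$ALICE" "$ALICE_FPR" "$WORK/alice.asc"
slip_text "Alice Example" "$ALICE_FPR"                  # what Alice prints 20 times
# Bob checked Alice's UC ID at the party and kept her slip; now he fetches her
# key, checks it against the slip, imports it and certifies it.
verify_slip "$BOB" "$WORK/alice.asc" "$(format_fingerprint "$ALICE_FPR")"
sign_key "$BOB" "$ALICE_FPR"
export_public "$BOB" "$ALICE_FPR" "$WORK/alice-signed-by-bob.asc"   # this is what Bob uploads
has_signature_from "$BOB" "$ALICE_FPR" "$BOB_FPR" && echo "Alice's key now carries Bob's certification"
```

Run it as `sh keysigning-demo.sh`. The `verify_slip` step is the point of the party: the fingerprint is compared before the key is imported, and any difference beyond spacing and case is a mismatch. With a real key server the file exchange is replaced by `--send-keys` and `--recv-keys`, and the recipient should fetch by full fingerprint rather than by name or e-mail address, since anyone can upload a key carrying someone else's user ID.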

Colleagues Who Cannot Attend
============================
By the general guidelines for PGP web of trust building, one must
have face to face presence to vet each other's keys. If you
have colleagues who are not able to make it, you will not be allowed
to share their public keys in this venue. Since *you* know your
colleague, *you* can sign their keys, and it will be up to individuals
whether they wish to extend transitive trust.
