[Ubuntu-US-CA] Keysigning at OSCON: HOWTO, suggestions for locations?

Robert Wall robertlikesturtles at gmail.com
Fri Jul 17 23:56:20 UTC 2009

Hi everyone!

Before and during OSCON this year, people from Ubuntu California are
going to be signing each others' OpenPGP/gnupg keys. This mail aims to
explain what's going on to the people who don't know what that means,
give information about how you can generate an OpenPGP key (if you have
a DSA-1024bit one right now, you should read this section too), what you
need to do to get your key signed, and where we'll be doing keysigning
before and during OSCON.

=== What is OpenPGP, gnupg, and keysigning? ===

OpenPGP is a standard for electronically signing and encrypting data.
The most popular implementation of it, especially on Linux, is GNUPG
(GNU Privacy Guard). If you don't know anything about OpenPGP, gnupg, or
the concepts of signing and encrypting, there's a great article about
them written for the PGP (another similar program) user manual at
http://www.pgpi.org/doc/pgpintro/ which I'd highly recommend. The short
version is that generating an OpenPGP key and getting it signed by other
people creates a web of trust that lets you be sure that emails from
other people in the web are really from them, and that lets you have
private, encrypted conversations with them.

Ubuntu uses gnupg to sign packages in its repositories, and many people
in the Ubuntu community use it to sign emails that they send out.
Therefore, building the Ubuntu web of trust is generally a productive
and good idea :)

=== How do I generate a secure key with gnupg? ===

So, now that I've established /why/ OpenPGP keys are relevant to Ubuntu,
I'll cover how to make one of your own. This would usually be a very
short process, but there's currently some concern that gnupg's default
settings are insecure, so it's a little more complicated right now.
gnupg is installed by default with Ubuntu, so you probably already have
it, but the commands are a little arcane (the settings are getting
changed at some point, at which time things will be easy again...).

If you already have a DSA-1024 key, you probably want to read
http://www.debian-administration.org/users/dkg/weblog/48 . It explains
the security problems with those keys rather well, and provides a plan
for transitioning to a new key.

If you're making a key for the first time, or ** if you currently have a
DSA-1024 key **, you should generate a new keypair using the
instructions at
http://andys.org.uk/b/2009/05/09/gnupg-rsa-key-pair-mini-howto-with-stronger-digests/ . If you're going to be meeting up with us at OSCON and want to be involved in keysigning, you should make a key before you get there.

Some notes about the andys.org.uk article:

* Key length: you probably don't need 4096 bits. More bits is
theoretically more secure, but 4096 is probably overkill. I used 2048,
which appears to be sane, and is the default.

* Key expiration: this is a matter of personal preference. If you think
you might accidentally lose your key files, you should set an expiration
date (a couple of years in the future is fine). If you're like me and
back up everything obsessively, expiration is probably not necessary.

* Real name: consider making this your real name, rather than a
pseudonym, if you use both online. One part of keysigning is checking
that someone is actually who they claim to be, so it's easier if your
key has the same name as your photo ID.

* Revocation: generate a revocation certificate, but don't actually
revoke your key (or double-click on the certificate in GNOME, since that
does the same thing). The article's revocation instructions are for if
you lose control of your key *at a future date*.

Apart from that, it's a pretty clear article. If you have problems
following it, let me know (if you don't want to email the list, sending
me private email for help is fine with me).

=== Keysigning HOWTO ===

So, now that I've explained what OpenPGP is and how to use it, here
comes the social side of it: keysigning! To form the web of trust, we
need to get together, exchange key fingerprints, and check IDs.

If you want to participate in keysigning, generate a key using the
instructions above, then write down the key fingerprint, which you can
get with:

gnupg --fingerprint [keyid]

where keyid is something like "0x0CBC1491" or "Robert Wall". You then
want to copy down that fingerprint and bring it with you. You don't need
to bring a copy of your key file, or even a computer at all, with you to
OSCON, just that fingerprint. To make things more orderly, email the
fingerprint to me, and I'll generate a list of keys for everyone so we
can all just check boxes instead of writing down lots of stuff. You
still need to write down *your* fingerprint and bring it with you,
though, to make sure I got the right one.

So yes. To get involved with keysigning at OSCON:
* Generate an OpenPGP key using the instructions in the previous section
* Write down your key fingerprint and bring it with you
* (optional but recommended) Email your fingerprint to me so I can make
key lists
* BRING PHOTO ID WITH YOU so we can check that you're actually who you
say you are. A California Driver's License or US passport is generally
acceptable (since most people in Ubuntu California know what they look
like), but anything with your name and photo, issued by a government,
and not easily faked, is probably okay.

As far as the keysigning process itself goes, we can discuss it in
person. It's also easy, though :)

=== Keysinging before/at OSCON ===

So, now that we know what we need to get so we can keysign, we need to
decide where we're going to do it. Several of us are going to be in San
Jose on the evening of Sunday 19th for the Community Leadership Summit,
so we'll definitely be doing it then. We'll also be discussing logistics
for OSCON then. ** If you know of good eating places in San Jose near
the McEnery Convention Center (at the corner of W San Carlos St. and S
Market Street), we'd appreciate suggestions. ** We're aiming to meet up
at about 6pm. Since some of us are under 21, bars don't count.

If you're going to OSCON itself, we can also keysign any time at the
booth there. The schedule for when people will be there is at
http://wiki.ubuntu.com/CaliforniaTeam/Projects/OSCON2009 (if you're
going to be at the booth and aren't on that schedule, get on that

You probably want to do keysigning with at least three other people. I
know there'll be more than that at the pre-OSCON meeting on Sunday, so
that's probably the best time to do it.

Okay, so, things to take from this email:
* Keysigning and OpenPGP is cool
* You should go generate an RSA OpenPGP key now using the instructions
* If you're coming to OSCON, get your fingerprint, email it to me, and
write it down and bring it with you.
* If you're in San Jose and have recommendations for food places near
the convention center, please please let us know :)

~ Robert

Robert Wall <robertlikesturtles at gmail.com>
OpenPGP key: 0x0CBC1491 | see http://rww.name/rsaswitch.txt
Webpage: http://rww.name/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 489 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-us-ca/attachments/20090717/44e9823c/attachment.pgp>

More information about the Ubuntu-us-ca mailing list