Open Source Developers Conference 2007
Main Event Website: www.osdc.com.au
Keysigning Date / Time: 2007-11-27 18:00:00
Keysigning Organiser: Jonathan Oxer <firstname.lastname@example.org>
Open Source Developers Conference 2007 will bring together Open Source developers from around Australia.
This keysigning will use the 'Ad-Hoc' method, which is best suited to small groups.
To participate in the OSDC 2007 keysigning you will need to print out your key fingerprint and make a number of copies of it:
gpg --fingerprint KeyID (where KeyID is your own key ID). You will need to give one copy to everyone who signs your key, so copy and paste the output perhaps 20 times, print it out and cut the pages into strips.
What To Bring
- The printouts of your key fingerprint.
- Photo ID: a driver's licence, a passport, etc. Ideally bring 2 forms of government-issued photo ID, but failing that bring whatever you have (student cards, etc).
- A pen. Don't forget this or you'll be sorry!
- (optional) An envelope for collecting fingerprint slips.
Note that you do not need a computer with you at the keysigning. As long as you have the first three items listed above you'll be set.
At The Event
Keysignings can be very confusing unless you know exactly what's going on, so the event organiser will need to direct proceedings very carefully and tell everyone what to do every step of the way. This guide will give you an idea of what is likely to happen so you don't feel totally lost but the organiser may choose to do things slightly differently.
You will need to meet up face to face with every other participant to receive their key fingerprint and examine their ID, and to give them your key fingerprint and have them examine your ID. The keysigning organiser will provide direction about exactly how this is to happen. With large groups it can become very chaotic as the number of possible relationships increases quadratically with the number of participants. To keep things orderly the organiser will probably have everyone stand in a long line and then have the line fold back on itself, allowing every person to pass by every other person in turn.
As you meet up with each person they will give you a printout of their key fingerprint and show you their ID. Examine their ID, and if you are convinced that the person standing in front of you is actually who they say they are then write 'ID OK' on their key fingerprint and initial it to prevent tampering. You then keep their key fingerprint in a safe place for later reference after the event has finished.
Note that you are under no obligation whatsoever to sign any particular key, and you should only do so if you are convinced their identity is correct and that the key fingerprint really belongs to them. Do not allow yourself to be pressured into signing a key you are not comfortable with. The usual standard is to require 2 forms of government-issued photo ID such as a driver's licence and a passport, but in many cases participants will not have this and will only have one form of photo ID plus random other items such as student cards and credit cards. In that situation you should use your discretion.
Under no circumstances should you accept the fingerprint of a person who is not physically present. The whole point of a keysigning is to verify that the fingerprint presented belongs to a specific person.
Note also that a keysigning event is not a popularity contest: whether you sign a key or not should have nothing to do with whether you like or dislike a person. A keysigning is about proving identity - nothing more, nothing less.
After The Event
Once it's all over you'll end up with a little pile of pieces of paper, each with a key fingerprint on it plus your handwritten note telling you that the person's ID checked out and you're happy with their claim to be who they say they are.
The next thing to do is work through the pile and process each one in turn.
- Find the key ID on the fingerprint slip. It is the 8-character ID listed after the key size; typically it looks like this: '1024D/64011A8B'. The actual ID portion is the '64011A8B', which is also the last 8 characters of the fingerprint itself. The short ID is only a convenient handle for fetching the key: it is not unique, so a matching ID is never a substitute for comparing the whole fingerprint.
- Fetch the public key using the key ID. If you're running GnuPG on the command line, you can do this by typing 'gpg --recv-keys KeyID' (where KeyID is the ID of the key you want), which uses the keyserver set in your gpg.conf.
- Check that the fingerprint of the key you've just fetched matches the fingerprint on the slip of paper: run 'gpg --fingerprint KeyID' and compare every group of the fingerprint with the hard copy in front of you, not just the last 8 characters.
- If (and only if) you are happy that the fingerprints match and the person showed you sufficient ID, you can do the actual 'signing' part of the process: type 'gpg --sign-key KeyID' and answer the questions it asks.
- Next you need to send the signed copy of their key back to them. There are two basic ways to do this: email the key directly to them, or upload it to a public keyserver. Many people prefer to receive their keys back by email, so it's courteous to do this unless they've said they don't mind the key being uploaded to a public server. On a typical Linux system you can export the key and send it back to the user by typing: 'gpg --export -a KeyID | mail -s "Your signed key" email@example.com', where 'email@example.com' is their email address. If you encrypt the export to their key before mailing it, only the holder of the private key can read the signature you added, which also checks that the address on the key really reaches them.
That's it! Repeat the above sequence for each key you wish to sign and you're done.
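The steps above as one small POSIX shell script. This is an added example for this guide, not something from the original OSDC 2007 page or from GnuPG itself. It assumes gpg is on your PATH with a keyserver set in gpg.conf and a working 'mail' command; the script name keysign.sh is hypothetical and the fingerprint in it is constructed, not a real key. The one thing it does beyond the bare commands in the guide is insist on comparing the full 40-digit fingerprint from the slip against what gpg holds before it will sign, because many different keys can share the same 8-character key ID.

```shell
#!/bin/sh
# Added example, not from the OSDC 2007 keysigning guide. Walks one slip
# through the "After The Event" steps: fetch, compare the FULL fingerprint,
# sign, send back. Assumes gpg on PATH with a keyserver in gpg.conf, and
# a working mail(1). The sample fingerprint below is constructed.

# normalize_fpr: drop the spaces (or colons) written between groups and
# uppercase, so a hand-typed slip compares equal to gpg's own output.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# keyid_from_fpr: the 8-hex ID on the slip ('64011A8B' in '1024D/64011A8B')
# is the last 8 digits of a v4 fingerprint; the 16-digit long ID is the
# last 16. Fails unless given a complete 40-digit v4 fingerprint.
keyid_from_fpr() {
    fpr=$(normalize_fpr "$1")
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s' "$fpr" | tail -c 16
}

# fprs_match: succeed only when both are the same complete 40-digit
# fingerprint. A matching key ID alone proves nothing.
fprs_match() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# gpg_fingerprint: fingerprint gpg holds for a key already in the keyring,
# read from the machine-readable "fpr" record (field 10), not screen-scraped.
gpg_fingerprint() {
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_and_sign: steps 2 to 4 for one slip. --recv-keys accepts the whole
# fingerprint, so fetch by that rather than the short ID, then refuse to
# sign unless the keyring really holds the fingerprint written on the slip.
verify_and_sign() {
    slip=$(normalize_fpr "$1")
    [ "${#slip}" -eq 40 ] || { echo "not a 40-digit fingerprint: $1" >&2; return 1; }
    gpg --recv-keys "$slip" || return 1
    local_fpr=$(gpg_fingerprint "$slip")
    if ! fprs_match "$slip" "$local_fpr"; then
        echo "REFUSING to sign: slip $slip, keyring has ${local_fpr:-nothing}" >&2
        return 1
    fi
    gpg --sign-key "$slip"      # interactive, exactly as in the guide
}

# send_back: step 5, exported and mailed as the guide says but encrypted to
# the key just signed, so only the private-key holder can read the signature.
send_back() {
    fpr=$(normalize_fpr "$1"); addr=$2
    gpg --export -a "$fpr" \
        | gpg --batch --armor --encrypt --recipient "$fpr" \
        | mail -s "Your signed key" "$addr"
}

# Constructed sample slip (not a real key): what you would type from the paper.
SAMPLE_SLIP='1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678'

# Usage (hypothetical file name): sh keysign.sh "<fingerprint from slip>" [email]
case "${1:-}" in
    "") echo "sample slip $SAMPLE_SLIP has long key ID $(keyid_from_fpr "$SAMPLE_SLIP")" ;;
    *)  verify_and_sign "$1" || exit 1
        if [ -n "${2:-}" ]; then send_back "$1" "$2"; fi ;;
esac
```

Run it with no arguments and it only shows the key ID derived from the constructed sample; give it the fingerprint typed from a real slip (and optionally the owner's address) and it performs the fetch, comparison, signing and encrypted return in that order, stopping at the first step that fails.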
During this time you will probably also be receiving emails from people telling you they've signed your key, probably with the key attached. If you save the attachment to disk you can then import it into GnuPG, and the new signature will be merged onto your key. After saving the file type 'gpg --import mykey.asc' to import it into your keyring.
You may find that some people upload your key to a keyserver rather than sending it back to you directly: periodically run 'gpg --recv-keys KeyID' with your own key ID to fetch any signatures that have been added.
Likewise you may want to upload the latest signatures on your key to a public keyserver: type 'gpg --send-keys KeyID' to upload your latest signatures.
While it's not essential, it would also be nice if you could submit your public key to our system so that we can see who attended and generate some pretty graphs showing which keys have been signed. The simplest way to do this is to export your public key in ascii-armored format and email it to 'email@example.com'. On a typical Linux system you can do this by typing:
gpg --export -a KeyID | mail -s "keysigning" email@example.com
where KeyID is actually your unique key ID.