www-community mailing list archives

From Ben Hyde <bh...@pobox.com>
Subject How to get pgp keys signed
Date Mon, 13 Oct 2003 14:52:03 GMT
I assume that people more knowledgeable than I will critique this, but 
this works for me...


A conference provides a great opportunity to get your pgp key signed 
and to sign the keys of others, but it is just somewhat easier to 
assert somebody's identity in person.

A little prep can make all the difference.  Before you go you should
  1) know how to find a key (at the MIT key server for example 
http://pgp.mit.edu/ ),
  2) have a passing familiarity with the software for manipulating 
keys (GPG probably),
  3) have a key,
  4) have printed up a few dozen scraps of paper with your key's 
fingerprint on it,
  5) be prepared to capture the fingerprint of other folks (who didn't 
come prepared with a scrap of paper) so you can sign their keys.

Step #4 is the important one.  That scrap of paper might look like this:

     pub  1024R/187BD68D 1997-09-30 Ben Hyde <bhyde@pobox.com>
           Key fingerprint = 90 AA 4C 16 6C 9D 12 DC  3D 8B 86 E5 0E 33 CE 52

When you encounter folks who might sign your key, offer them the scrap 
of paper with your fingerprint on it and ask for one in return.  
Always ask to see some official (picture, government, etc.) ID.  You 
might be tempted to ask for official ID only when you're less than 
absolutely certain that you know who you're dealing with.  By always 
asking you both set a good precedent and you don't have to admit 
when you aren't entirely certain about somebody's identity.  
That can be embarrassing.

Later, but soon, you should: (a) find their key, (b) sign it and (c) 
upload the result back to the key server you downloaded it from in 
step (a).  You're done, you're cool.  With luck they will get around to 
signing your key at some point too.

Signing a key does not indicate that you "trust" the person.  It only 
indicates that you believe that key is associated with the correct 
person.  In fact it's valuable to the whole network of signatures if 
you sign the keys of members of other communities.  So signing the keys 
of near strangers is a good thing.  Just be confident of their identity.

Tricks for slightly improving the efficiency of this:

Since step #4 of the prep work is the important one you can get some 
mass production efficiencies.

I) Print the fingerprints of people you expect to encounter:

   It's a pain writing down a fingerprint by hand.   You can avoid that 
by printing up a sheet of paper with the fingerprints of everybody you 
hope to meet on it.  When you meet them you can then check that they 
agree that's their fingerprint.  You then make a mark on your paper and 
do your signing later.

II) Make a handout with the fingerprints of attendees printed up on it:

Sometimes people will hand out a paper like that.  Do not sign all the 
keys on that paper.  You must assert each identity one at a time.

You don't need a conference to do this.

I carry a few of the #4 scraps of paper in my wallet, but I never 
remember to hand them to people when I meet them.  Some people are so 
cool they have the fingerprint printed on their business card, or 
stored in their PDA where they can beam it to folks.

To unsubscribe, e-mail: community-unsubscribe@apache.org
For additional commands, e-mail: community-help@apache.org
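The "later, but soon" step (find the key, check it against the scrap of paper, sign, upload) as an added shell script; it is not part of Ben Hyde's post. It assumes GnuPG (`gpg`) is installed and that the MIT server named in the post is reachable over HKP. It refuses to work from a bare 8-digit key ID, because different keys can share one, and compares the fingerprint copied from the scrap with every fingerprint gpg reports for that ID, signing and uploading by full fingerprint only on a match. The colon-format listing at the top is a constructed sample, trimmed to the fpr record and built from the scrap in the post, so the matching logic can be exercised offline. The 1997 key in the post has a 32-hex-digit (v3) fingerprint; current v4 keys have 40, and the script accepts either.

```shell
#!/bin/sh
# Added example: verify a fingerprint from a scrap of paper, then sign and
# upload.  Assumes gpg is installed and hkp://pgp.mit.edu is reachable.
set -eu

KEYSERVER="hkp://pgp.mit.edu"   # the server named in the post

# Fingerprint exactly as printed on the scrap in the post.
SCRAP="90 AA 4C 16 6C 9D 12 DC  3D 8B 86 E5 0E 33 CE 52"

# Constructed sample of what "gpg --with-colons --fingerprint" prints for
# that key, trimmed to the fpr record (field 10 carries the hex fingerprint).
SAMPLE_COLONS='fpr:::::::::90AA4C166C9D12DC3D8B86E50E33CE52:'

# Normalize a hand-written or printed fingerprint: drop whitespace, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Accept only a full fingerprint: 32 hex digits (v3 keys, as in the post)
# or 40 (v4 keys).  A short key ID is not enough; key IDs can collide.
is_full_fpr() {
    f=$(normalize_fpr "$1")
    case "$f" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#f}" -eq 32 ] || [ "${#f}" -eq 40 ]
}

# Pull every fingerprint out of a gpg colon-format listing, one per line.
fprs_in() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10 }'
}

# $1 = fingerprint from the scrap, $2 = gpg colon-format listing.
# Prints the matching fingerprint and succeeds, or fails without output.
match_in_listing() {
    is_full_fpr "$1" || return 1
    want=$(normalize_fpr "$1")
    for have in $(fprs_in "$2"); do
        [ "$have" = "$want" ] && { printf '%s\n' "$have"; return 0; }
    done
    return 1
}

# The real workflow: $1 = key ID from the scrap, $2 = fingerprint from the scrap.
# Fetching by short ID may import more than one key; we sign only the one whose
# full fingerprint matches, and address it by that fingerprint, not the ID.
verify_and_sign() {
    gpg --keyserver "$KEYSERVER" --recv-keys "$1"
    fpr=$(match_in_listing "$2" "$(gpg --with-colons --fingerprint "$1")") || {
        echo "no key fetched as $1 has the fingerprint on the scrap; not signing" >&2
        return 1
    }
    gpg --sign-key "$fpr"                       # prompts for confirmation and passphrase
    gpg --keyserver "$KEYSERVER" --send-keys "$fpr"
}

# Offline check against the constructed listing.  For a real run:
#   verify_and_sign 187BD68D "$SCRAP"
if fpr=$(match_in_listing "$SCRAP" "$SAMPLE_COLONS"); then
    echo "scrap matches key $fpr"
else
    echo "scrap does not match any fetched key" >&2
fi
```

`gpg --sign-key` is interactive by design: it shows the key and asks you to confirm, which is the moment to look at the scrap one more time. Leave the exportable signature at its default; a local-only signature (`--lsign-key`) would do nothing for the web of signatures the post describes.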
