Outline

PGP/GPG Keysigning during Mini Debian Conference Japan 2016

A keysigning party or meeting is a get-together of at least two individuals who use the PGP encryption system with the purpose of allowing them to sign each others keys. Keysigning parties serve to extend the web of trust (WoT) to a great degree. And it’s a good opportunity to meet the developers in the keysigning party.

• Datetime & Venue
  • Date: December 10th, 2016
  • Time: TBD (Will be announced at the miniconf)
  • Venue: Cybozu, Inc.
    • Address: Tokyo Nihonbashi Tower, Nihonbashi 2-7-1 Chuo-ku, Tokyo, Japan
  • Keysigning Coordinator: Nobuhiro Iwamatsu / iwamatsu at debian.org

How to participate

Register your public key to the registration site no later than 23:59 (UTC+9) on Sunday December 4th 2016. Before registration, please confirm your ~/.gnupg/gpg.conf has the following setting:

digest-algo sha256
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

Provide your ascii armored, cleaned, minimized and clear-signed public key by:

$ gpg --armor --export-options export-clean,export-minimal --export "Your Key ID" | gpg --local-user "Your Key ID" --clearsign

Your keys will be processed manually and if the submitted keys are valid, the key IDs will be listed at Participant List. If you find an error write immediately to Keysigning Coordinator. The registration is finished if you find your name in that list. If you don’t find your name in that list after 24 hours, and there’s no contact from Keysigning Coordinator, please write to Keysigning Coordinator.

Please use stronger PGP/GPG key to participate this event. It’s required to have at least 2048/RSA. Long time user maybe still uses 1024/DSA. Please make 2048/RSA or above before participate this keysigning party.

Coordinator will send out message after confirmed your key. If you find an error write immediately to coordinator. Participants and their keys are listed in Participant List, please confirm your key listed there.

Q and A

What is keysigning and why do it?

A keysigning party or meeting is a get-together of at least two individuals who use the PGP encryption system with the purpose of allowing them to sign each others keys. Keysigning parties serve to extend the web of trust (WoT) to a great degree.

How will the keysigning happen?

The keysignings will be based on the Efficient Group Key Signing Method by Len Sassaman and Phil Zimmermann which is a protocol to do keysignings in a way that is faster than the way many people may be familiar with.

How to generate the data for registration?

Please refer the following steps to generate the data of your PGP/GPG key for KSP registration of Mini Debian Conference Japan 2016 Keysigning Party

gpg --armor --export-options export-clean,export-minimal --export "Your Key ID" | gpg --local-user "Your Key ID" --clearsign

Please copy the ascii armored output of the above command, and paste to the registration page. Here is a sample of the output.

If you don’t have command line environment, please contact with the Keysigning Coordinator.

May I participate without submitting key?

It’s NOT RECOMMENDED to participate without submitting your key and having your name on the list. So if you want to participate, please finish submitting your key no later than 23:59 (UTC+9) on Sunday December 4th 2016.

If you missed the deadline, please bring paper slips or business cards with your name, email address and gpg fingerprint. Remember to bring enough copies of the paper slips or business cards, because you need to hand out one to everybody keysigning with. You can refer the Keysigning wiki to make the paper slips.

---

Procedure of the keysigning party

Verify your key fingerprint

On Monday December 5th 2016 you will be able to fetch the complete key list (hash code of the keyring, signature of Keysigning Coordinator) with all the keys that were submitted along with a text file (miniconf2016-ksp.txt) giving the fingerprint of each key on the ring.

Verify that the fingerprints of your keys in miniconf2016-ksp.txt are correct. Also compute the SHA256 hash of miniconf2016-ksp.txt. One way to do this is with sha256sum invoked as follows:

$ sha256sum miniconf2016-ksp.txt

You can also use gpg command:

$ gpg --print-md sha256 miniconf2016-ksp.txt

Bring to Keysigning Party the hash you computed and a hardcopy of miniconf2016-ksp.txt. It is very important that you have verified at home the fingerprints of your keys on the hardcopy. It is also very important that you have computed the hash at home.

What to bring with you to attend the keysigning party

• A printout of miniconf2016-ksp.txt; check that your name, email address and fingerprints are all correct.
• The SHA256 hash you made of miniconf2016-ksp.txt so that we can ensure we are all working with the same copy.
• Some form of government issued ID (passport or similar).
• A pen or a pencil.
• If this is your first keysigning, a copy of this web page and linked documents might be useful.

How to create a new GnuPG Key

• Please refer Creating a new GPG key.
• Please create a 4096-bit RSA Key.

Questions

If you have questions please send them to iwamatsu at debian.org.

---