From: Joe Abley
Date: 21 June 2004 13:22:55 CEST
To: ams-cctld@ws.edu.isoc.org
Cc: Lucy E. Lynch, Bruce Campbell, Olaf Kolkman, John Crain
Subject: PGP Key Signing at the ccTLD Workshop 2004

PGP Key Signing at ISOC ccTLD Workshop 2004, Amsterdam

Useful links:

  ISOC ccTLD Workshop 2004 keyring:
    http://www.biglumber.com/x/web?keyring=5479

  GNU Privacy Guard (free PGP software):
    http://www.gnupg.org/

  PGP Frequently-Asked Questions (FAQ):
    http://www.pgp.net/pgp-faq/

Creating a PGP Key using GnuPG (GNU Privacy Guard):

  gpg --gen-key

  You can use defaults for most things. Use your personal e-mail
  address and your own name, not your organisation's name or address.

  When asked for the key size, it is ok to choose the maximum
  recommended size (e.g. 2048 bits).

  Select a passphrase that you can remember, and which other people
  can't guess.

  WHEN YOU GENERATE YOUR KEY, DO IT ON A TRUSTED COMPUTER! Use your
  laptop, or a computer in your home country which you are ssh'd into.
  Do not use the workshop FreeBSD machines!

Adding your key to the Workshop Keyring:

  1. Extract your public key using

       gpg -a --export

  2. Go to and paste the public key into the form.

Finding the fingerprint of your key:

  gpg --fingerprint

  For example:

    [jabley@snowfall]% gpg --fingerprint jabley@isc.org
    pub  1024D/E4DB44F2 2002-08-14 Joe Abley
         Key fingerprint = 9DC3 1ED0 F3DD 67A2 56D0 7521 FDFF 8F58 E4DB 44F2
    uid                            Joe Abley
    sub  2048g/C2A8FC71 2002-08-14 [expires: 2005-10-19]
    [jabley@snowfall]%

Key Signing Party:

  We will give you a list of fingerprints for everybody's key, on
  paper.

  1. When we read out the fingerprint of your key, check it against
     the fingerprint of your key on your own computer, and tell
     everybody whether it is the same.

  2. When we read out the fingerprint of someone else's key, check it
     against the list of fingerprints we gave you, and check that the
     person whose key it is has said "yes, it is correct". You can
     make notes on that piece of paper so that you know the
     fingerprint is accurate.

  3. Check that the people who said "yes, it is correct" really are
     who they say they are! You can ask to see their passport if you
     don't know them already.

Signing Other People's Keys

  Download the keyring from and add it to the PGP keyring on your
  computer, like this:

    gpg --import

  Check the fingerprint of each key, with:

    gpg --fingerprint

  Check the fingerprint you just generated with the piece of paper.
  If they are the same, you know the key you downloaded is the right
  key.

  Sign the key, like this:

    gpg --sign-key

  When you have signed the key, you can extract the new key (with
  your signature on it). You can send that to the group, or at least
  to the owner of the key.
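
The fingerprint check described above (compare each downloaded key with the paper sheet before signing) can be scripted. The following is an added example, not part of the original message: it reads GnuPG's machine-readable listing (gpg --with-colons --fingerprint) and marks each key SIGN or SKIP against a file of fingerprints typed in from the sheet. The function names, the sheet file and the second sample key are assumptions made for illustration.

```shell
# Added example (not from the original message); all sample data is constructed.

# Strip spaces and upper-case, so "9dc3 1ed0 ..." and "9DC31ED0..." compare equal.
normalize_fpr() {
    tr -d ' \t' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --with-colons --fingerprint` output on stdin; print the fingerprint
# (field 10 of the "fpr" record) of each primary key, skipping subkeys.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# check_keys LIST: LIST is a file with one fingerprint per line, typed in from
# the paper sheet. Prints SIGN or SKIP per key; returns 1 if any key is unlisted.
check_keys() {
    list=$(normalize_fpr < "$1")
    status=0
    for fpr in $(primary_fprs | normalize_fpr); do
        if printf '%s\n' "$list" | grep -qxF "$fpr"; then
            echo "SIGN $fpr"
        else
            echo "SKIP $fpr"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample of colon-format output: the key shown in the message plus
# a made-up second key whose fingerprint is not on the sheet.
sample_colons() {
    cat <<'EOF'
pub:-:1024:17:FDFF8F58E4DB44F2:2002-08-14:::-:
fpr:::::::::9DC31ED0F3DD67A256D07521FDFF8F58E4DB44F2:
sub:-:2048:16:0000000000000000:2002-08-14::::
pub:-:1024:17:AAAAAAAAAAAAAAAA:2004-06-01:::-:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
EOF
}

sheet=$(mktemp)
echo '9DC3 1ED0 F3DD 67A2 56D0 7521 FDFF 8F58 E4DB 44F2' > "$sheet"
sample_colons | check_keys "$sheet" || echo "some keys are not on the sheet"
rm -f "$sheet"
```

With a real keyring, replace sample_colons with gpg --with-colons --fingerprint. A SIGN result only means the downloaded key matches the sheet; the identity check in step 3 is still done in person.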