For starters: people need to know explicitly what they need to bring to the meeting to be part of the keysigning. [Don't leave that to chance.]

On Tuesday, January 28, 2014 11:10:24 Joseph Apuzzo wrote:
> It's a new year, 2014! Time to get your digital credentials in order!
> We will be holding a key-signing party on the March 5, 2014 meeting ( our
> anniversary meeting! )
> What is a key-signing party =>
> http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html

Broken link? [I get an "Unable to connect" response in Firefox.]

> I suggest that you also look at this:
> https://we.riseup.net/riseuplabs+paow/openpgp-best-practices

Pay special attention to the gpg.conf options "cert-digest-algo" and "default-preference-list", both of which need to be set /before/ making a new gpg key.

> This is just to start the conversation and get everyone up to speed with
> pub/private key pairs leading up to a key-signing ( web of trust ).

Here I'm going to impart some other things I learned from the keysigning I was part of at DebConf10.

There's a package in Debian and Ubuntu called "signing-party" which contains the 'caff' utility, which stands for "CA Fire and Forget". Debian makes use of this utility for signing keys after keysigning events. What this utility does is make separate signatures on the identities found in a key, and send those signatures via encrypted email to those identities. Thus, if Joe has three email addresses in his GPG key and I were to use caff to sign his key, then he'd get three encrypted emails, one per identity, signing each of those identities separately.

It's a nice utility, but if you decide to use it there are two very important things you need to know:

1. Last I looked, caff doesn't use your normal ~/.gnupg/gpg.conf configuration; instead it uses ~/.caff/gnupghome/gpg.conf -- so you need to edit the latter file before using it. See /usr/share/doc/signing-party/caff/README.gpg-agent

2. caff expects to send email to an MTA on the local machine, and if one is not set up then the messages go into the bitbucket. If a local MTA is available but isn't configured to relay the mail to an external MTA, then the messages get stuck in the queue, eventually getting deleted without being sent.

Ubuntu does not install an MTA by default. If you install the signing-party package, Ubuntu will install the 2nd most popular MTA, Postfix.
http://www.securityspace.com/s_survey/data/man.201212/mxsurvey.html

The install for Postfix will ask for the SMTP relayhost FQDN, but doesn't prompt for setting up relaying with authentication, which you'll likely need in order to get mail relayed to your chosen mail ISP. An example setup to relay local mail from Postfix to Gmail with authentication:
https://rtcamp.com/tutorials/linux/ubuntu-postfix-gmail-smtp/

> Which I will most likely expand on as a lightning talk ( to promote the
> key-signing PARTY! )

Let me know if you'd like some help concerning discussion about gpg-agent and pinentry clients.

-- Chris

-- 
Chris Knadle
[email protected]

_______________________________________________
Mid-Hudson Valley Linux Users Group
http://mhvlug.org
http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug

Upcoming Meetings (6pm - 8pm) Vassar College
Feb 5 - Nginx
Mar 5 - March Meeting: 11th Anniversary
Apr 2 - Google App Engine
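A pre-flight script for the two caff pitfalls Chris describes (caff reading its own gpg.conf, and signature mails dying for lack of an authenticated Postfix relay). This is an added example, not code from the mail or from the signing-party package; the config paths and the expected option values are assumptions.

```sh
#!/bin/sh
# Pre-flight checks before running caff after a keysigning (added example).
# Assumed locations, not taken from the original mail:
#   ~/.caff/gnupghome/gpg.conf  caff's own gpg.conf (it ignores ~/.gnupg/gpg.conf)
#   /etc/postfix/main.cf        Postfix main configuration

# check_gpg_conf FILE: succeed only if FILE sets cert-digest-algo to a SHA-2
# digest and gives a non-empty default-preference-list.
check_gpg_conf() {
    f="$1"
    [ -r "$f" ] || return 1
    grep -Eq '^[[:space:]]*cert-digest-algo[[:space:]]+SHA(256|384|512)[[:space:]]*$' "$f" || return 1
    grep -Eq '^[[:space:]]*default-preference-list[[:space:]]+[^[:space:]]' "$f" || return 1
}

# check_postfix_relay FILE: succeed only if FILE names a relayhost AND enables
# SASL authentication for outbound SMTP (the part the package prompt skips).
check_postfix_relay() {
    f="$1"
    [ -r "$f" ] || return 1
    grep -Eq '^[[:space:]]*relayhost[[:space:]]*=[[:space:]]*[^[:space:]]' "$f" || return 1
    grep -Eq '^[[:space:]]*smtp_sasl_auth_enable[[:space:]]*=[[:space:]]*yes' "$f" || return 1
}

# caff_preflight: run both checks against the assumed default paths, print what
# is missing, and return non-zero if caff would silently misbehave.
caff_preflight() {
    rc=0
    if check_gpg_conf "$HOME/.caff/gnupghome/gpg.conf"; then
        echo "ok: caff gpg.conf sets cert-digest-algo and default-preference-list"
    else
        echo "FAIL: edit ~/.caff/gnupghome/gpg.conf (caff does not read ~/.gnupg/gpg.conf)"
        rc=1
    fi
    if check_postfix_relay /etc/postfix/main.cf; then
        echo "ok: Postfix has an authenticated relayhost"
    else
        echo "FAIL: no authenticated relayhost; caff mails would be queued and dropped"
        rc=1
    fi
    return $rc
}

# Invoke as: sh caff-preflight.sh run
if [ "${1:-}" = "run" ]; then
    caff_preflight
fi
```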
