Re: [vpp-dev] FD.io ARM virtual key signing Wed Mar 14 6am PST

[Tina Tsou]

Dear all,

Some folks missed today’s meeting, because only US changed to summer time first.

There will be another virtual key signing session next Wednesday 03/21, 6am 
California time. Same Zoom info.
https://wiki.fd.io/view/VPP/AArch64

https://zoom.us/j/5301185804


Thank you,
Tina Tsou
Enterprise Architect
Arm
tina.t...@arm.com<mailto:tina.t...@arm.com>
+1 (408)931-3833

From: vpp-dev@lists.fd.io [mailto:vpp-dev@lists.fd.io] On Behalf Of Edward 
Warnicke
Sent: Wednesday, March 14, 2018 5:03 AM
To: vpp-dev@lists.fd.io
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] FD.io ARM virtual key signing Wed Mar 14 6am PST

If you could reply to me privately with your:

(name, GPG fingerprint) that would greatly expedite the key signing today at 
6am PST.  Please note, I *will* have to verify your ID/fingerprint on the call, 
but having it in front of my as a reference helps tremendously expedite the 
process.

Ed
On Tue, Mar 13, 2018 at 11:23 AM Tina Tsou 
mailto:tina.t...@arm.com>> wrote:
Dear all,

If you wish to access Arm hardware in the community lab for FD.io<http://FD.io> 
work, please join tomorrow’s meeting, with your keys, IDs, webcams ready, you 
will be signed virtual key.

https://wiki.fd.io/view/VPP/AArch64


https://zoom.us/j/5301185804

More information how to get ready is below. Thanks Ed and Andy.


Thank you,
Tina

Begin forwarded message:
From: Ed Warnicke mailto:hagb...@gmail.com>>
Date: March 13, 2018 at 9:11:37 AM PDT
To: Andrew Grimberg 
mailto:agrimb...@linuxfoundation.org>>
Cc: Vanessa Valderrama 
mailto:vvalderr...@linuxfoundation.org>>, Tina 
Tsou mailto:tina.t...@arm.com>>,  Brian Brooks 
mailto:brian.bro...@arm.com>>,  Trishan de Lanerolle 
mailto:tdelanero...@linuxfoundation.org>>
Subject: Re: FD.io<http://FD.io> ARM virtual key signing Wed Mar 14 6am PST
Tina,

Have you prepped the folks for tomorrows ARM call so they show up with their 
keys ready, ids at hand, and webcams blazing? :)

Ed

On Thu, Mar 8, 2018 at 6:27 PM Andrew Grimberg 
mailto:agrimb...@linuxfoundation.org>> wrote:
On 03/07/2018 03:24 PM, Ed Warnicke wrote:
> Andy,
> As we discussed on IM, we need to do a virtual keysigning for the
> ARM subcommunity at FD.io<http://FD.io> so they can get VPN access to the new 
> ARM
> gear.  The current plan is to do that at 6am PST Wed Mar 14 on the 
> FD.io<http://FD.io>
> ARM community webconference:
>
> https://wiki.fd.io/view/VPP/AArch64#Meeting_Details
>
> Could you:
> a)  Provide a pointer to documentation of how to do so (how to prep etc)
> b)  If convenient, come to the keysigning... its just not a keysigning
> without you :)

Ok, I may (or may not) be able to attend due to timing constraints on
me. Feel free to send this mail on to whomever needs it.

First let me point everyone to an excellent series [0] our resident
security director has been writing on protecting code integrity using
PGP. He's (currently) up to 4 parts and it sounds like a 5th (and maybea
6th?) is in the offing. Which, given where the series is coming from is
likely true. The source document is here [1] if you want to read ahead ;)

That series basically goes over the intro to the PGP Web of Trust (WoT)
concepts and how to generate keys, move them to smart card devices (if
you so desire) and how to use them with git. For a more in depth look at
how the WoT actually functions see his much older article series (which
he sadly never finished for reasons) here [2].

With that out of the way I will now assume people have keys and are
ready to do a keysigning :) normally we do these sort of things in
person and there's a major lead time component / pre-documentation step
that is needed. However, virtual signings tend to be a little
moreloose, I know this because we do one anytime we hire a new
member of our systems administration, release engineering, or helpdesk
teams here at The Linux Foundation. The basics for a virtual signing are
as follows:

1) Have your key ready ;)

2) Have your key published to a key server that is part of the overall
keyserver mesh. No, having a key on keybase isn't the best as it doesn't
participate in the mesh. Having your key there is just useful for other
things :D

3) Have a form of valid identification:

a) Two forms of valid identification available (drivers license,
passport basically some method of getting to 100 points according to
this [3] Wikipedia article (yes that's information related to Australia
as they're the ones that came up with this very useful metric). I
normally use my current passport and drivers license.

b) Alternative to 100 points documents. Have someone that people trust
vouch for you. The problem here is that everyone would have to agree
that said party vouching for you is a good form of trust ;)

4) Have a webcam for your virtual signing. You cannot participate if
people cannot see you. 

Re: [vpp-dev] FD.io ARM virtual key signing Wed Mar 14 6am PST

[Edward Warnicke]

If you could reply to me privately with your:

(name, GPG fingerprint) that would greatly expedite the key signing today
at 6am PST.  Please note, I *will* have to verify your ID/fingerprint on
the call, but having it in front of my as a reference helps tremendously
expedite the process.

Ed

On Tue, Mar 13, 2018 at 11:23 AM Tina Tsou  wrote:

> Dear all,
>
> If you wish to access Arm hardware in the community lab for FD.io work,
> please join tomorrow’s meeting, with your keys, IDs, webcams ready, you
> will be signed virtual key.
>
> https://wiki.fd.io/view/VPP/AArch64
>
> https://zoom.us/j/5301185804
>
>
> More information how to get ready is below. Thanks Ed and Andy.
>
>
> Thank you,
> Tina
>
> Begin forwarded message:
>
> *From:* Ed Warnicke 
> *Date:* March 13, 2018 at 9:11:37 AM PDT
> *To:* Andrew Grimberg 
> *Cc:* Vanessa Valderrama , Tina Tsou <
> tina.t...@arm.com>,  Brian Brooks ,  Trishan de
> Lanerolle 
> *Subject:* *Re: FD.io  ARM virtual key signing Wed Mar 14
> 6am PST*
>
> Tina,
>
> Have you prepped the folks for tomorrows ARM call so they show up with
> their keys ready, ids at hand, and webcams blazing? :)
>
> Ed
>
> On Thu, Mar 8, 2018 at 6:27 PM Andrew Grimberg <
> agrimb...@linuxfoundation.org> wrote:
>
>> On 03/07/2018 03:24 PM, Ed Warnicke wrote:
>> > Andy,
>> > As we discussed on IM, we need to do a virtual keysigning for the
>> > ARM subcommunity at FD.io so they can get VPN access to the new ARM
>> > gear.  The current plan is to do that at 6am PST Wed Mar 14 on the
>> FD.io
>> > ARM community webconference:
>> >
>> > https://wiki.fd.io/view/VPP/AArch64#Meeting_Details
>> >
>> > Could you:
>> > a)  Provide a pointer to documentation of how to do so (how to prep etc)
>> > b)  If convenient, come to the keysigning... its just not a keysigning
>> > without you :)
>>
>> Ok, I may (or may not) be able to attend due to timing constraints on
>> me. Feel free to send this mail on to whomever needs it.
>>
>> First let me point everyone to an excellent series [0] our resident
>> security director has been writing on protecting code integrity using
>> PGP. He's (currently) up to 4 parts and it sounds like a 5th (and maybea
>> 6th?) is in the offing. Which, given where the series is coming from is
>> likely true. The source document is here [1] if you want to read ahead ;)
>>
>> That series basically goes over the intro to the PGP Web of Trust (WoT)
>> concepts and how to generate keys, move them to smart card devices (if
>> you so desire) and how to use them with git. For a more in depth look at
>> how the WoT actually functions see his much older article series (which
>> he sadly never finished for reasons) here [2].
>>
>> With that out of the way I will now assume people have keys and are
>> ready to do a keysigning :) normally we do these sort of things in
>> person and there's a major lead time component / pre-documentation step
>> that is needed. However, virtual signings tend to be a little
>> moreloose, I know this because we do one anytime we hire a new
>> member of our systems administration, release engineering, or helpdesk
>> teams here at The Linux Foundation. The basics for a virtual signing are
>> as follows:
>>
>> 1) Have your key ready ;)
>>
>> 2) Have your key published to a key server that is part of the overall
>> keyserver mesh. No, having a key on keybase isn't the best as it doesn't
>> participate in the mesh. Having your key there is just useful for other
>> things :D
>>
>> 3) Have a form of valid identification:
>>
>> a) Two forms of valid identification available (drivers license,
>> passport basically some method of getting to 100 points according to
>> this [3] Wikipedia article (yes that's information related to Australia
>> as they're the ones that came up with this very useful metric). I
>> normally use my current passport and drivers license.
>>
>> b) Alternative to 100 points documents. Have someone that people trust
>> vouch for you. The problem here is that everyone would have to agree
>> that said party vouching for you is a good form of trust ;)
>>
>> 4) Have a webcam for your virtual signing. You cannot participate if
>> people cannot see you. Yes, video feeds can be faked, but still, it's
>> required :P
>>
>> During your virtual signing
>> 5) Provide the short and/or full keygrip of your key into your video
>> conference chat channel (after all participants have joined)
>>
>> 6) Wait for everyone to retrieve the key(s) from the keyservers
>>
>> 7) For each person that is needing to have their key signed they will do
>> the following:
>>
>> a) State their full name (as on the key being signed)
>>
>> b) Provide to the camera their forms of identification that in some way
>> connect said name to said person and the key(s) in question. Give enough
>> time for participants to look over the material (15 - 30 seconds is
>> generally enough per article) Be willing to re-display if so asked.
>>
>> c) They will then _READ_ their entire 

[vpp-dev] FD.io ARM virtual key signing Wed Mar 14 6am PST

[Tina Tsou]

Dear all,

If you wish to access Arm hardware in the community lab for FD.io 
work, please join tomorrow’s meeting, with your keys, IDs, webcams ready, you 
will be signed virtual key.

https://wiki.fd.io/view/VPP/AArch64


https://zoom.us/j/5301185804

More information how to get ready is below. Thanks Ed and Andy.


Thank you,
Tina

Begin forwarded message:

From: Ed Warnicke mailto:hagb...@gmail.com>>
Date: March 13, 2018 at 9:11:37 AM PDT
To: Andrew Grimberg 
mailto:agrimb...@linuxfoundation.org>>
Cc: Vanessa Valderrama 
mailto:vvalderr...@linuxfoundation.org>>, Tina 
Tsou mailto:tina.t...@arm.com>>,  Brian Brooks 
mailto:brian.bro...@arm.com>>,  Trishan de Lanerolle 
mailto:tdelanero...@linuxfoundation.org>>
Subject: Re: FD.io ARM virtual key signing Wed Mar 14 6am PST

Tina,

Have you prepped the folks for tomorrows ARM call so they show up with their 
keys ready, ids at hand, and webcams blazing? :)

Ed

On Thu, Mar 8, 2018 at 6:27 PM Andrew Grimberg 
mailto:agrimb...@linuxfoundation.org>> wrote:
On 03/07/2018 03:24 PM, Ed Warnicke wrote:
> Andy,
> As we discussed on IM, we need to do a virtual keysigning for the
> ARM subcommunity at FD.io so they can get VPN access to the new 
> ARM
> gear.  The current plan is to do that at 6am PST Wed Mar 14 on the 
> FD.io
> ARM community webconference:
>
> https://wiki.fd.io/view/VPP/AArch64#Meeting_Details
>
> Could you:
> a)  Provide a pointer to documentation of how to do so (how to prep etc)
> b)  If convenient, come to the keysigning... its just not a keysigning
> without you :)

Ok, I may (or may not) be able to attend due to timing constraints on
me. Feel free to send this mail on to whomever needs it.

First let me point everyone to an excellent series [0] our resident
security director has been writing on protecting code integrity using
PGP. He's (currently) up to 4 parts and it sounds like a 5th (and maybea
6th?) is in the offing. Which, given where the series is coming from is
likely true. The source document is here [1] if you want to read ahead ;)

That series basically goes over the intro to the PGP Web of Trust (WoT)
concepts and how to generate keys, move them to smart card devices (if
you so desire) and how to use them with git. For a more in depth look at
how the WoT actually functions see his much older article series (which
he sadly never finished for reasons) here [2].

With that out of the way I will now assume people have keys and are
ready to do a keysigning :) normally we do these sort of things in
person and there's a major lead time component / pre-documentation step
that is needed. However, virtual signings tend to be a little
moreloose, I know this because we do one anytime we hire a new
member of our systems administration, release engineering, or helpdesk
teams here at The Linux Foundation. The basics for a virtual signing are
as follows:

1) Have your key ready ;)

2) Have your key published to a key server that is part of the overall
keyserver mesh. No, having a key on keybase isn't the best as it doesn't
participate in the mesh. Having your key there is just useful for other
things :D

3) Have a form of valid identification:

a) Two forms of valid identification available (drivers license,
passport basically some method of getting to 100 points according to
this [3] Wikipedia article (yes that's information related to Australia
as they're the ones that came up with this very useful metric). I
normally use my current passport and drivers license.

b) Alternative to 100 points documents. Have someone that people trust
vouch for you. The problem here is that everyone would have to agree
that said party vouching for you is a good form of trust ;)

4) Have a webcam for your virtual signing. You cannot participate if
people cannot see you. Yes, video feeds can be faked, but still, it's
required :P

During your virtual signing
5) Provide the short and/or full keygrip of your key into your video
conference chat channel (after all participants have joined)

6) Wait for everyone to retrieve the key(s) from the keyservers

7) For each person that is needing to have their key signed they will do
the following:

a) State their full name (as on the key being signed)

b) Provide to the camera their forms of identification that in some way
connect said name to said person and the key(s) in question. Give enough
time for participants to look over the material (15 - 30 seconds is
generally enough per article) Be willing to re-display if so asked.

c) They will then _READ_ their entire fingerprint that they have locally
and did not just download from the keyserver mesh. It's best if they can
do it phonetically ex:

My keygrip is 3360FFB703A9DA1F with a fingerprint of:
FA4D B93E B903 4BBF B853  2A26 3360 FFB7 03A9 DA1F

Obtained as follows from my GPG keyring:

gpg --fingerprint 
agrimb...@linuxfoundation.org

I would proceed to read that to