APRICOT 99, Singapore, March 1-5 1999
                      PGP Keysigning Party

As at most IETF meetings and other regular networking events with
sufficient participants, we will be holding a PGP keysigning
party during this March's APRICOT/ICANN/APNG/APNIC Meetings &
Singapore Linux Conference in Singapore.

Quick Facts:
============
Key Submission:

Deadline:   All keys must be received in the submission email
            box by Wednesday, 3 March 1999, 18:00 (Singapore
            Time !)

Submission email address:
            [EMAIL PROTECTED]

Subject:    APRICOT PGP KEY

Format:     Please send your key as normal ASCII text. The keys
            should NOT be sent as attachments or in
            any proprietary format (e.g. MS Word).

PGP Formats Supported:
            PGP 2.6 (RSA) and PGP5 (RSA and D/H)

            Note: Keys sent to any other address or
            sent with a different subject may not be
            included in the official Apricot 99 PGP
            keyring!

Event details:

Date:           Thursday, 4 March 1999

Time:           18:00 - 19:30

Venue:  Suntec City Convention City
                Room MR203 (Level 2)
Status: BOF (Birds of a Feather ...)
                (ie *all* are welcome, as long as your key has been received
                on time. No APRICOT/SLC etc registration required !)

            Please check the APRICOT Notice board
            for any changes in Room and Time !

Instructions for Participants:
==============================

1. Who should attend
        1. All people who have a PGP key
        The PGP Keysigning Party will enable you to obtain
        additional signatures (among others by noted net-
        personalities) for your PGP key.

        2. All people who have just started to use PGP
        If you just started using PGP, it is unlikely that your key
        has been signed by (m)any other PGP users so far. To ensure
        that your key is trusted by the majority of the PGP users
        all over the world, you will be interested to have well-
        known net-personalities (and other people) sign your key.

        3. Those who do not have a PGP key yet
        You will need to:
                1.   read up on PGP itself
                2.   create your own PGP key
        to attend the keysigning party

        4. Organizations
        Many organizations use PGP to sign official announcements
        etc. Usually these organizations publish their PGP key on
        the web. As additional security, you may want your key to be
        signed by other trusted

2. Preparation

        - extract your public key using one of the following commands
        (depending on your PGP version):
                -UNIX PGP 2.6*           $ pgp -kxa <your PGP userid>
                -UNIX PGP 5.*            $ pgpk -xa <your PGP userid>
                -Win95 or other GUI      Use the export function to export your
                 implementation          key to a text file

        For more details on the PGP commands refer to the PGP manual

        - send in your PGP public key.
        (the PUBLIC KEY!!! Never give out your PRIVATE key to
        anyone!!) to the submission email address listed above.
        Please do NOT send the key as an attachment or in any other
        format but ASCII ARMORED TEXT! You could cut and paste the
        ascii armored PGP key into the email body if necessary!

        - write down (print out) your own public key's fingerprint and
        the Key ID.
        Under UNIX, you can obtain the key ID and fingerprint using these commands:

                -UNIX PGP 2.6*                  $ pgp -kvc <your PGP userid>
                -UNIX PGP 5.*                   $ pgpk -ll <your PGP userid>
                -Win95 or other GUI             Check the Key Properties (in
                 implementation                 PGPkeys)

        Here is an example of a PGP key ID and fingerprint extracted
        under UNIX (PGP 5.0i):
                Note: This also lists the signatures on this key, but we
                need only the first few lines (marked with **):

        $ pgpk -ll mathias
        Type Bits KeyID Created Expires Algorithm Use
**      sec+ 768 0x25E082BD 1995-11-15 ---------- RSA Sign & Encrypt
**      f16 Fingerprint16 = 1A 8B FC D4 93 F1 9A FC BD 98 A3 1A 0E 73 01 65
        uid Mathias Koerber <[EMAIL PROTECTED]>
        SIG 0x25E082BD 1996-08-22 Mathias Koerber <[EMAIL PROTECTED]>
        uid Mathias Koerber <[EMAIL PROTECTED]>
        sig 0x101E3A11 1998-02-23 Alfonso B. Carandang <[EMAIL PROTECTED]>
        SIG 0x25E082BD 1996-06-09 Mathias Koerber <[EMAIL PROTECTED]>
        uid [EMAIL PROTECTED]
        SIG 0x25E082BD 1995-11-17 Mathias Koerber <[EMAIL PROTECTED]>
        uid Mathias Koerber <[EMAIL PROTECTED]>
        SIG 0x25E082BD 1995-11-16 Mathias Koerber <[EMAIL PROTECTED]>
        uid Mathias Koerber <[EMAIL PROTECTED]>
        sig 0x3022C951 1995-12-18 William Allen Simpson <[EMAIL PROTECTED]>
        sig? 0x0DBF906D 1996-03-09 (Unknown signator, can't be checked)
        sig? 0x579532CD 1995-12-08 (Unknown signator, can't be checked)
        sig? 0x7B7AE5E1 1995-12-18 (Unknown signator, can't be checked)
        sig 0x76875905 1995-12-10 Angelos D. Keromytis <[EMAIL PROTECTED]>
        sig 0x466B4289 1995-12-07 Theodore Ts'o [SIGNATURE] <[EMAIL PROTECTED]>
        SIG 0x25E082BD 1995-11-15 Mathias Koerber <[EMAIL PROTECTED]>
        uid Mathias Koerber <[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>
        SIG 0x25E082BD 1995-11-15 Mathias Koerber <[EMAIL PROTECTED]>

3. At APRICOT, before the PGP keysigning Party
        - periodically check the noticeboard, where the list of keys
        submitted for the PGP keysigning party will be posted. Your
        key must be submitted by the deadline to be called during
        the keysigning party and included in the official APRICOT
        PGP keyring. If you submitted your key, and it does not
        appear on the list, please submit it again before the
        deadline!

4. At the PGP Keysigning Party itself
        - Bring along proper PHOTO identification
        For other participants to sign your PGP key (which is
        the whole aim of this event), they must be able to
        verify that the key belongs to you and that you really
        are who you claim to be.

        - if you submitted a PGP key for your organization, please
        bring along identification which proves that you are indeed
        representing that organization
                *    letter by the president/management etc on their stationery
                *    namecard
                *    company pass etc

        - obtain the list of submitted keys (this will be provided
        as a printout at the beginning of the party).

        - check that YOUR OWN public key is listed on the printout,
        and check its PGP KEY FINGERPRINT. Check it carefully. The
        fingerprint must match in *every* character
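
One way to script the fingerprint check described above (an added example,
not part of the original announcement). It assumes the printout uses the
same layout as the `pgpk -ll` listing shown in section 2; the function names
and the altered printout entry are constructed for illustration.

```python
import re

# Key line of a `pgpk -ll` listing: type, bits, key ID, created, expires, algorithm/use.
KEY_RE = re.compile(r"^(?:sec|pub)\S*\s+(\d+)\s+(0x[0-9A-Fa-f]+)\s+\S+\s+\S+\s+(.+)$")
# Fingerprint line, e.g. "f16 Fingerprint16 = ..."; other lengths assumed to look alike.
FPR_RE = re.compile(r"^f\d+\s+Fingerprint\d+\s*=\s*([0-9A-Fa-f ]+)$")


def normalize_hex(value):
    """Strip whitespace, case and a leading 0x so only the hex digits are compared."""
    digits = re.sub(r"\s+", "", value).upper()
    return digits[2:] if digits.startswith("0X") else digits


def parse_listing(text):
    """Return one dict (keyid, bits, algorithm, fingerprint) per key in the listing."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("*").strip()  # drop the "**" markers used on the page
        key, fpr = KEY_RE.match(line), FPR_RE.match(line)
        if key:
            keys.append({"keyid": normalize_hex(key.group(2)), "bits": int(key.group(1)),
                         "algorithm": key.group(3).strip(), "fingerprint": None})
        elif fpr and keys:
            keys[-1]["fingerprint"] = normalize_hex(fpr.group(1))
    return keys


def check_own_key(own_text, printout_text):
    """List the fields of my key that differ on the printout (["missing"] if absent)."""
    mine = parse_listing(own_text)[0]
    printed = {k["keyid"]: k for k in parse_listing(printout_text)}
    entry = printed.get(mine["keyid"])
    if entry is None:
        return ["missing"]
    return [f for f in ("bits", "algorithm", "fingerprint") if mine[f] != entry[f]]


# The two marked lines from the example listing in section 2.
OWN_LISTING = """\
sec+ 768 0x25E082BD 1995-11-15 ---------- RSA Sign & Encrypt
f16 Fingerprint16 = 1A 8B FC D4 93 F1 9A FC BD 98 A3 1A 0E 73 01 65
"""
# Constructed printout entry: same key ID, last two fingerprint digits transposed.
PRINTOUT = OWN_LISTING.replace("01 65", "01 56")

if __name__ == "__main__":
    print(check_own_key(OWN_LISTING, OWN_LISTING))
    print(check_own_key(OWN_LISTING, PRINTOUT))
```

An empty list means every compared field matches; anything else means the
entry should be resubmitted or corrected before the key is read out.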

Procedure
=========
        - During the party, we will one by one read out aloud each
        PGP key submitted including the KeyID, the attached userIDs
        (names) and the Key Fingerprint. During this the owner of
        the key will stand up to be recognized by the crowd.
                (We may need each key-owner to read their own Key
                fingerprint etc, unless we manage to rustle up a suitable
                Voice program to automatically read the keys)

        - During this, each participant should
                1.   check that the userid, name, keyid and fingerprint match
                what is printed on your printout
                2.   ensure that the person standing up acknowledges the key as
                        his own
                3.   note which keys checked out ok and which ones haven't

        - After all keys have been read, you are encouraged to
                1.   verify the owners' identities by checking their supporting
                documents (Photo ID)
                2.   especially carefully verify the credentials for those who
                        want an organization's key signed.

5. After the PGP Keysigning Party

        - obtain the official APRICOT 99 keyring from
                        http://www.koerber.org/apricot99/
                This will be available sometime after the keysigning
                party. A more detailed announcement will be posted on
                the APRICOT Notice Board. There will be 2 keyfiles, one
                with only PGP2.6 keys, the other containing all (PGP2.6
                and PGP5) keys

        - decide whose keys you would want to sign (using your notes
        made during the keysigning party)
        You should only sign keys if you have *very carefully*
        verified the key's integrity and the owner's supporting
        documents (passport etc). If there is any doubt as to a
        person's identity or ownership of a key, do NOT sign
        that person's key !!

        - sign these people's keys with your own PGP PRIVATE KEY,
        using your PGP software

        - export/save the signed keys into ASCII files (see the PGP
        manual)

        - either send the signed public keys to the key's owner
        (recommended) or to one of the public PGP keyservers.
        It is recommended that you send the key to the owner,
        so that they can decide themselves which signatures to
        send to the keyservers.

        - If you had presented your own key, you may want to check
        the public pgp keyservers periodically to see whether other
        participants have sent in new signatures for your own key.
        If so, you may want to obtain your own public key from the
        server and add it (actually only the additional signatures)
        to your own keyring. If another participant has sent you
        your key with a new signature, you will want to add the new
        signature to your own keyring, and then send the key to the
        public PGP keyservers.

==========
Background
==========
What is PGP?
  PGP (Pretty Good Privacy) is a standard (and a program
  implementing that standard) providing strong authentication
  and encryption for email (and other networking applications
  such as internet phone) using a public key system.

Why is PGP important?
  From the PGP FAQ (http://www.at.pgp.net/pgpnet/pgp-faq/):

        You should encrypt your e-mail for the same reason that you
        don't write all of your correspondence on the back of a post
        card. E-mail is actually far less secure than the postal
        system. With the post office, you at least put your letter
        inside an envelope to hide it from casual snooping. Take a
        look at the header area of any e-mail message that you
        receive and you will see that it has passed through a number
        of nodes on its way to you. Every one of these nodes
        presents the opportunity for snooping. Encryption in no way
        should imply illegal activity. It is simply intended to keep
        personal thoughts personal.
  Xenon <[EMAIL PROTECTED]> puts it like this:
        Crime? If you are not a politician, research scientist,
        investor, CEO, lawyer, celebrity, libertarian in a
        repressive society, investor, or person having too much fun,
        and you do not send e-mail about your private sex life,
        financial/political/legal/scientific plans, or gossip then
        maybe you don't need PGP, but at least realize that privacy
        has nothing to do with crime and is in fact what keeps the
        world from falling apart. Besides, PGP is FUN. You never had
        a secret decoder ring? Boo!
                           -Xenon (Copyright 1993, Xenon)

What is keysigning, and why is it important?
  Again, see the FAQ: http://www.at.pgp.net/pgpnet/pgp-faq/faq-06.html

What is a PGP Keysigning party?
  A PGP keysigning party is not a party in the sense of
  celebration. It is unlikely that alcohol will flow or hors
  d'oeuvres be passed out. As PGP uses a public key system, it
  usually is easy to obtain some person's public PGP key
  (which is required to securely converse with that person or
  to verify that person's authorship or identity). The usual
  method for this is to ask the person directly for
  their PGP key. Another method is to request it from a public
  PGP keyserver, which is like a worldwide replicated
  directory of PGP public keys.

More info?
  You can find more information on PGP at these webpages:
  PGP Inc.: http://www.pgp.com
  PGP.net: http://www.pgp.net
  International PGP Homepage: http://www.ifi.uio.no/pgp/
  There is a PGP discussion newsgroup named comp.security.pgp
  and its FAQ:
     http://www.at.pgp.net/pgpnet/pgp-faq/
  There is a book on PGP published by O'Reilly & Associates:
     Simson Garfinkel: PGP: Pretty Good Privacy
     1st Edition December 1994
     1-56592-098-8, Order Number: 0988
     430 pages, $29.95
  see: http://www.oreilly.com/catalog/pgp/noframes.html



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~
APRICOT (Asia & Pacific Rim Internet Conference on Operational Technologies)

                       Singapore March 1 - 5, 1999

-- The Annual ISP Operations and Business Summit in Asia and Pacific --

                         http://www.apricot.net

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~