Abstract:

PGP Key Signing

Majdi Abbas, Lattice, L.L.C.  

Sessions are going to be during the General Session breaks, June 4th through 6th.
Location: Lake Sammamish
Bring Photo ID
Paste Your Public Key Here

The PGP key signing parties at the NANOG 40 meeting in Bellevue will aim to meet three times:

All sessions will be in room Lake Sammamish. If you feel like coming to all sessions, then please feel free. If you would prefer to only come to one, there should be at least one person attending all sessions who is able to sign keys, so a path to trust keys signed at the other meeting should exist.

Stickers for Your Name Badge

When you stop by the registration desk, there will be coloured stickers available for your name tag that indicate if you have an interest in signing PGP keys. If people keep trying to peer with you, you've picked up the wrong colour sticker.

You do not have to attend a key signing party in order to sign keys! If you happen to be sitting next to someone with a PGP sticker on their badge, exchange keys and verify fingerprints with them. The more signatures you exchange with people, the more useful PGP will be to you.

The Day Before

You should get the following three steps done at least the day before you attend one of the key-signing parties. If you plan to attend multiple parties, you only have to follow these steps once.

  1. Generate a PGP Public/Private Key Pair. If you don't already have a public/private PGP key pair, you need to generate one. GnuPG users can type "gpg --gen-key".
  2. Extract your PGP Public Key. Again, refer to your PGP software's documentation for details; you are looking for a public key extracted in "ASCII-armoured" format. GnuPG users can type "gpg -a --export your-key-id".
  3. Add your Public Key to the NANOG 40 Key Ring. Do this by pasting the ASCII representation of the public key into this convenient form. You can also view all the other keys that have already been uploaded there.

Attending a Key-Signing Party

You should bring:

  1. Sufficient photo-id to convince others that you are who you claim to be (e.g. drivers licence, passport).
  2. A copy of your PGP public key fingerprint that you generated yourself, from a known-trusted copy of your key. GnuPG users can type "gpg --fingerprint your-key-id".
  3. A pen.

 

When you arrive:

  1. Pick up a copy of that day's NANOG 40 keyring printout from the pile. Locate your own key on the list.
  2. In turn, each of those attending the party introduce themselves by name, and indicate which key (or keys) on the list is theirs. They then read out their key fingerprint from their own trusted copy, and everybody verifies that this agrees with the fingerprint listed on the sheet.
  3. Once everybody has had a chance to read out their key fingerprints, people can proceed to introduce themselves to people they don't already know, and allow their identities to be verified (e.g. against photo id).

The Day After

At some point after the key signing party that you attend, you should sign the keys whose authenticity you were able to check. This strengthens the web of trust, and makes PGP more useful for you as a general-purpose tool.

  1. Retrieve the NANOG 40 keyring and import it into your own keyring. GnuPG users can type "gpg --import filename".
  2. Check the fingerprint on each of the keys that you checked against the list that you took home from the key signing party. GPG users can type "gpg --fingerprint key-id".
  3. If the fingerprints match, sign the key.
  4. E-mail a copy of the signed key back to the key's owner, or send the key with its new signature to a key server (or both, or whatever you normally like to do).

Bio:

Majdi S. Abbas is a founding member of Lattice, L.L.C., where he advises a variety of clients on aspects of network operations and architecture.

Previously, he was an operationally focused network engineer for an ASP and multiple ISPs.



Back to NANOG40 agenda topics