LCA2004 Keysigning Procedure

This document is divided into three sections:
Before the keysigning - things you have to do before you turn up.
At the keysigning - the procedure we'll be using is a bit unusual, read this so you don't feel lost.
After the party - what to do when you get home and start signing keys.

Before the keysigning:

  gpg --export -a keyid | mail -s "LCA2004 keysigning" lca2004-keys@linuxsa.org.au

by no later than midnight EDST Monday 5th Jan 2004 (ie: a week before the Miniconfs start). All keys will need to be compiled into a master keyring and a list generated before the event, so if you don't get your key in by then, bad luck. No late entries will be accepted, although you are still welcome to attend the keysigning to sign other keys or do 1:1 signings. You have been warned!

Note that 'keyid' here and for the rest of the document refers to your key ID, usually a hexadecimal number like '64011A8B' or just an email address or username like 'jon@debian.org' or 'jon'. The above command will output an ASCII-armoured copy of your public key and mail it to the keysigning organisers.

1.5: The keysigning organisers will collate a big list of keys and details sent in from all the participants and publish the list on this page on Tuesday Jan 6th, 2004 to give international delegates time to access it prior to departure. Along with the list will be a gpg keyring of all the public keys of the attendees.

2: Grab the list and print it out. md5sum the list, too, and write that down (on the back of the list or somewhere you won't lose it).

At the keysigning:

In order to speed up the process we will be running the keysigning slightly differently than the way you may have done it before.

You will need to bring:

1. Yourself
2. 2 forms of photo ID, at least one of which is issued by the government, carrying the same name as on your key. Passports, drivers licenses, 18+ cards, etc, good examples. They must be READABLE!
3. A handful (say, 20 or so) of your key ID, key type, fingerprint, and key size printed out on paper. Running:

     gpg --fingerprint keyid | lpr

   should suffice for this.

4. A pen or pencil. Don't forget this!
5. The list you printed out above, and the md5sum. Lists will be available at the event itself, but you're too paranoid to trust that the organisers haven't sabotaged all the keys, right?

The procedure will run as follows:

1. At the keysigning, the md5sum of the list will be displayed, and everyone will be asked to confirm that the md5sum as displayed is the same as the md5sum for the list you downloaded. If it matches, you know the list you have was not tampered with, and that everyone is reading from an identical list.
2. Check your own entry on the list, verifying that your details (particularly the fingerprint) are correct.
3. Each participant will be called upon in turn to come to the front of the theatre, and state that their details on the list are correct. Participants should note down any people who state their details are not correct.

   Place a tick next to their name if their details are correct.

4. They will also place their 2 forms of ID in front of a video camera, which will project their ID and their face for all to see (clearly, we hope!). The organisers will also check their ID close up. Participants should note down any people who do not pass the ID check.

   Place a second tick next to their name if you feel that their ID is sufficient.

5. Once the ID check is complete, people are free to mingle, discuss PKI and so forth, and engage in smaller keysigning rituals with those people who turned up on the day without registering their key with the organisers. The handful of fingerprints you brought with you will be useful here. People are encouraged to get paranoid and use Manoj's key signing protocol: http://people.debian.org/~jaqque/keysign.html

  gpg --import keyid.asc

This documentation was compiled by Jonathan Oxer, based on the Debian MiniConf2 Keysigning Procedure written by Jamie Wilkinson, Matt Hope and Jonathan Oxer.