LCA 2004 started at Wed Jan 14 08:00:00 2004.
LCA2004 Keysigning Procedure
Keysigning now closed: download keyring and keylist now
The final conference keyring and keylist have been generated, and no
more keys will be accepted. If you sent your key in for the keysigning,
you need to:
- Download the archive (lca2004keysigning.tar.gz)
- Uncompress and untar it (eg: 'tar zxf lca2004keysigning.tar.gz').
Inside it you'll find keylist.txt and keyring.asc, along with md5 and
- Print the keylist.txt file using a monospace font. You may need
to use a small font size or landscape layout to make it fit.
- Check the md5sum of keylist.txt (eg: 'md5sum keylist.txt') and
write it down on your hard copy. It should be
- Physically sign your hard copy of the list so you know it's
yours, and no-one can substitute a bogus copy on the day.
- Come to LCA, and bring your photo ID and a pen!
This procedure is provided as a guide to how the keysigning will be
run at LCA2004.
These instructions assume you are running GnuPG directly
from the command line. If you are using a GUI such as GPGP, please
consult the documentation of your software for equivalent commands.
Other documentation you might find useful:
This document is divided into three sections:
Before the keysigning - things you have to do before you turn up.
At the keysigning - the procedure we'll be using is a bit unusual; read this so you don't feel lost.
After the party - what to do when you get home and start signing keys.
Before the keysigning:
1: Send your key details to email@example.com, like so:
gpg --export -a keyid | mail -s "LCA2004 keysigning" firstname.lastname@example.org
by no later than midnight EDST Monday 5th Jan 2004 (ie: a week before the
Miniconfs start). All keys will need to be compiled into a master keyring
and a list generated before the event, so if you don't get your key in by
then, bad luck. No late entries will be accepted, although you are still
welcome to attend the keysigning to sign other keys or do 1:1 signings. You
have been warned!
Note that 'keyid' here and for the rest of the document refers to your key ID,
usually a hexadecimal number like '64011A8B' or just an email address
or username like 'email@example.com' or 'jon'. The above command will
output an ASCII-armoured copy of your public key and mail it to the
1.5: The keysigning organisers will collate a big list of keys
and details sent in from all the participants and publish the list on this
page on Tuesday Jan 6th, 2004 to give international delegates time to access
it prior to departure. Along with the list will be a gpg keyring of all the
public keys of the attendees.
2: Grab the list and print it out. md5sum the list, too, and write that down (on
the back of the list or somewhere you won't lose it).
At the keysigning:
In order to speed up the process we will be running the
keysigning slightly differently than the way you may have done it
You will need to bring:
- 2 forms of photo ID, at least one of which is issued by the
government, carrying the same name as on your key.
Passports, driver's licences, 18+ cards, etc. are good examples. They must
- A handful (say, 20 or so) of copies of your key ID, key type, fingerprint,
and key size printed out on paper. Running:
gpg --fingerprint keyid | lpr
should suffice for this.
- A pen or pencil. Don't forget this!
- The list you printed out above, and the md5sum. Lists will be
available at the event itself, but you're too paranoid to trust that
the organisers haven't sabotaged all the keys, right?
The procedure will run as follows:
- At the keysigning, the md5sum of the list will be displayed, and
everyone will be asked to confirm that the md5sum as displayed is the same as
the md5sum for the list you downloaded. If it matches, you know the list you
have was not tampered with, and that everyone is reading from an identical
- Check your own entry on the list, verifying that your details
(particularly the fingerprint) are correct.
- Each participant will be called upon in turn to come to the front of the
theatre, and state that their details on the list are correct. Participants
should note down any people who state their details are not correct.
Place a tick next to their name if their details are correct.
- They will also place their 2 forms of ID in front of a video camera, which will
project their ID and their face for all to see (clearly, we hope!). The organisers
will also check their ID close up. Participants should note down any
people who do not pass the ID check.
Place a second tick next to their name if you feel that their ID
- Once the ID check is complete, people are free to mingle, discuss
PKI and so forth, and engage in smaller keysigning rituals with those
people who turned up on the day without registering their key with the
organisers. The handful of fingerprints you brought with you will be
useful here. People are encouraged to get paranoid and use Manoj's
key signing protocol: http://people.debian.org/~jaqque/keysign.html
After the party:
- Participants may now take their lists home, and download the
keyring of all keys on the list if they haven't done so already. The
keyring will be md5summed before the keysigning and that value displayed
on the list. In their own time (i.e. maybe up to a week later, once they
get home from the conference) participants may sign all keys for which they are
satisfied that the person passed their ID check and that the key on
the list is theirs.
- Fire up your computer running GPG, and get out your key list from
the party. At this point, most of the people on your list should
have 2 ticks next to their name. You can now sign those keys.
- Public keys of every participant will be made available with the
list, which you can import into your local gpg keyring by:
gpg --import lca2004-keyring.gpg
- Fingerprint each key in turn:
gpg --fingerprint keyid
where keyid now refers to some unique part of the person's key
that you are signing, whether it be Key ID or email address.
This will give you a fingerprint that you need to verify against
the one printed on your list of keys from the keysigning party.
If it doesn't match, DON'T SIGN IT!
- Now the moment of truth, you can actually sign the key:
gpg --sign-key keyid
- Once keys are signed, it is a good idea to mail the signed key to
the owner of that key personally, rather than uploading it to a
Export the key to ASCII, using
gpg --export -a keyid > keyid.asc
and send a signed, encrypted mail to that person with their ASCII
armoured key as an attachment. This way the recipient must be in
control of the private key in order to decrypt the key with your
signature, and they themselves will merge it into their own key and
upload it to a keyserver if they so desire. You shouldn't upload a
key to a keyserver if it wasn't there to begin with, so let the owner
of the key decide where they wish to publish it.
- Repeat steps 4 to 6 until all the keys you wish to sign are signed
and sent to their owners.
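The fingerprint check and signing steps above, sketched as a shell helper (an added example, not part of the original LCA2004 procedure). The function names and the sample key data are made up for illustration. It refuses to sign when the fingerprint differs from the one typed in from the paper list, or when the keyid (for instance a name or email address) selects more than one key.

```shell
#!/bin/sh
# Added example: check a fingerprint copied from the printed key list against
# the key gpg actually selects for a keyid, and sign only on an exact match.

# normalise_fpr: strip whitespace and upper-case ("ab12 cd34" -> "AB12CD34").
normalise_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'abcdef' 'ABCDEF'
}

# primary_fpr: read `gpg --with-colons --fingerprint` output on stdin and
# print the primary-key fingerprint. Fails unless exactly one key matched.
primary_fpr() {
    awk -F: '
        $1 == "pub"         { n++; want = 1; next }
        $1 == "fpr" && want { fpr = $10; want = 0 }
        END { if (n != 1 || fpr == "") exit 1; print fpr }'
}

# fpr_matches EXPECTED: succeeds only if stdin describes exactly one key
# whose primary fingerprint equals EXPECTED (as typed from the paper list).
fpr_matches() {
    actual=$(primary_fpr) || return 1
    [ "$(normalise_fpr "$1")" = "$actual" ]
}

# sign_if_listed KEYID "FINGERPRINT FROM PAPER": wraps the gpg commands above.
sign_if_listed() {
    if gpg --with-colons --fingerprint "$1" | fpr_matches "$2"; then
        gpg --sign-key "$1"
    else
        echo "mismatch or ambiguous keyid: NOT signing $1" >&2
        return 1
    fi
}

# Constructed colon-format listing for a single key (all values made up).
sample_listing() {
    cat <<'EOF'
pub:-:1024:17:89ABCDEF01234567:1072915200:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1072915200::::Example Person <person@example.org>:
sub:-:1024:16:76543210FEDCBA98:1072915200::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
}
```

Call it as sign_if_listed 64011A8B "fingerprint as printed on your list", only for entries that have both ticks.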
About this time, you'll start to get emails back from other people who
were at the party who have signed your key. When you receive a signed
key from a participant of the keysigning, enter your passphrase to
decrypt the message, verify the signature is correct, save the
attachment, and import it into your own key using
gpg --import keyid.asc
You'll then have a whole lot more signatures on your key, which was,
after all, the whole point of the exercise! ;-)
This documentation was compiled by Jonathan Oxer, based on the
Debian MiniConf2 Keysigning Procedure
written by Jamie Wilkinson, Matt Hope and Jonathan Oxer.