OpenWest 2017 PGP Keysigning and CAcert Assurance Party

 

Basics
——

Where: OpenWest 2017 / Event Hall 2
When: Wednesday, July 13 @17:15
What: OpenWest PGP Keysigning Party

What is PGP keysigning?
———————–

A key signing party is a get-together of people who use the PGP encryption
system with the purpose of allowing those people to sign each others keys. Key
signing parties serve to extend the web of trust to a great degree. Key signing
parties also serve as great opportunities to discuss the political and social
issues surrounding strong cryptography, individual liberties, individual
sovereignty, and even implementing encryption technologies or perhaps future
work on free encryption software.

What is CAcert Assurance?
————————-
CAcert is a community-run SSL certificate authority. SSL certificates are
issued by CAcert assurers. To become a CAcert assurer, you need a certain
number of assurance points, which are automatically awarded based on who
and how many assurers assure you. The most important thing for CAcert is trust,
which is done by validating identity.

How do I prepare for the party?
——————————

For PGP:
——–
You will need to create a PGP key IN ADVANCE to participation at the party. You
can follow the instructions at https://www.madboa.com/geek/gpg-quickstart/ for
help in generating your key.

You MUST send your PGP key to “Aaron Toponce <aaron.toponce@gmail.com>” by no
later than [FIXME – 23:59 the day before the scheduled party]. Aaron has to
print out everyone’s public key information before the party, and may not have
access to a printer the day of the party.

Set the subject to “My PGP key” when sending your email. Aaron Toponce has set
email filters that will automatically send that email to a specific mailbox, so
all the keys can be properly collected, without going to SPAM, or some other
mailbox.

For CAcert:
———–
You must create an account at https://cacert.org. Make sure the information you
supply can be verified using your ID papers. Verify your account by following
the link in the email (beware of your spam folder). Download and print the CAP
(CAcert Assurance Program). You can download the CAP form at:

* Pre-filled with your details: https://cacert.org/wot.php. Pick one of the
WOT forms in the navigation, after you have logged in.
* Pre-filled with what your need at
https://wiki.cacert.org/FAQ/AssurancePrefilledForms
* Empty form: http://www.cacert.org/cap.php
* in other languages: http://www.cacert.org/cap.php?lang=de_DE – just
change de_DE to your country’s language code.

Blank forms will also be available at the party.

You will need two forms of photo identification. Please see the “Acceptable
Documents” page at https://wiki.cacert.org/AcceptableDocuments for what you can
and cannot use for valid identification.

What do I need to bring to the party?
————————————-

1. Physical attendance is mandatory.
2. Positive photo identification.
a. two forms of photo identification are recommended.
b. at least one form should be government issued (passport, driver license,
etc.).
3. A printout of your key ID, hex fingerprint, key size and key type.
a. Run “gpg -K –fingerprint <your email>” from the command line.
4. Something to write with.

If you bring a computer, please keep it in your bag and powered down during the
party. This is for security measures to prevent the spread of malicious
software, the misplacement of private keys, and damaged or misplaced equipment.

What happens at the party?
————————–

Aaron Toponce will be the party organizer, and will explain the method of the
keysigning procedure to the group. Basically, it will proceed as follows:

1. Aaron will call out those who have emailed their key, one-by-one.
2. The person called then reads off their PGP key information.
a. Everyone in the group verifies that the PGP key information is correct.
b. This continues until all people have been verified.
3. Everyone then forms two equal lines, facing each other.
a. PGP key information is identified.
b. Photo identification is verified.

What happens after the party?
—————————–

Note that all of this will be explained at the party. But you may choose to
familiarize yourself with the basic idea.

First, each person will get a piece of paper with the fingerprint of every key
that was sent to me, and some checkboxes next to each one.

Then, each person will read off their fingerprint from their own personal copy
of their fingerprint that they brought with them from their private key. As
they do this, each person will verify that the fingerprint on the list they
received is in fact valid.

We then get in a big “conga-line.” This involves splitting into two equal
lines, and having this lines face each other. You then verify the identity of
the person in front of you. This should include seeing official identification.
How much verification you need to state to the world you believe this person to
be the name on their key is up to you. It’s common to require two forms of ID
at least one of which is picture ID and one of which is government ID.

Once everyone is ready, everyone shifts down one and repeats the process. This
whole thing is repeated until everyone had verified everyone. Checkboxes will
be provided next to each key on your list to make it easy to keep track of who
you have verified.

That’s it! Feel free to stick around afterwards and chat with people.

Why hold PGP keysigning parties?
——————————

There are three primary reasons to hold as many key signing parties as you
possibly can.

First, and perhaps most importantly, you should hold as many key signing
parties as possible in order to expand the web of trust. The deeper and more
tightly inter-linked the web of trust is, the more difficult it is to defeat.
This is of special significance to the Free Software Community, for both
developers and users alike. Members of the community rely upon PGP technology
to cryptographically protect the integrity of their software packages, security
advisories, and announcements. The strength and robustness of the web of trust
is directly proportional to the strength of the protection PGP provides the
community from security threats such as trojan horses, malware, viruses, and
forged messages.

Second, key signing parties help others get integrated into the security
culture and encourage them to gain an understanding of PGP and related strong
cryptography technologies. In order to get the benefits of strong cryptography,
people must use strong cryptography, and use it properly. This requires a basic
understanding of the underlying technology. It can be difficult for people new
to computers and new to the free software culture to gain such an
understanding. Introducing people who lack knowledge and skills in cryptography
to individuals that have developed them can be very helpful to those trying to
learn. It provides a great deal of value and benefits everyone.

Finally, key signing parties help build communities. They help techies get
together to get to know each other, network, and discuss important issues like
civil liberties, cryptorights, and internet regulation. Discussion is important
because discussion is not only the first step, but also the step before action.
When I first wrote this document there were not very many complex webs of trust
in the world. Things have dramatically improved, with more plentiful webs that
are much deeper than they were a few years ago. However, it still remains the
case that if you work to build a web of trust in your local area, it is very
likely that the first participants in that web will be the leaders and policy
setters of the internet community in your area. They are the individuals who
can choose to build secure strong cryptographic technology and protocols into
the local infrastructure if they so choose. The integration of such technology
and protocols could make issues like the FBI’s carnivore system and the
National Security Agency’s illegal domestic surveillance technologically
infeasible and therefore moot.