7th International Linux-Kongress · 20.-22.9.2000 · Erlangen/Germany
Key Signing Party
We will be holding a PGP Key signing party at Linux Kongress 2000.
We have been scheduled to meet at 18:00 on Thursday, September 21, 2000.
The procedure we will use is the following.
- People who wish to participate should email an ASCII extract of their
PGP public key to <firstname.lastname@example.org> by Wednesday, September 13, 2000.
Please include a subject line of "LK 2000 PGP KEY", and please
avoid MIME attachments in your e-mail. (I will be running the pine
mail folder through pgp, and PGP keys that are MIME encoded will get
ignored unless I take manual action to fix things, which I may do
but make no guarantees.)
The method of generating the ASCII extract is:
pgp -kxa my_email_address mykey.asc (pgp 2.6.2)
pgpk -xa my_email_address > mykey.asc (pgp 5.x)
gpg --export -a my_email_address > mykey.asc (gpg)
- By Friday, September 15, you will be able to fetch both the complete
keyring with all the keys that were submitted along with a text file
giving the fingerprint of each key on the ring. These files are here:
These are the corrected files (The files available on Friday morning
had some messed up fingerprints)
Take care to use a binary download mode or get the files as a tarball:
- At home, verify that the fingerprint of your key in lk2000.txt is correct.
Also compute the MD5 hash of lk2000.txt. One way to do
this is with md5sum invoked as follows:
% md5sum lk2000.txt
Just to be sure that you have no problems with the download, here is
the MD5 hash as we have calculated it:
MD5 = 9D 62 8E 0E 50 38 8A 49 20 30 01 47 A1 FF 54 7A
Note, that this is just a hint - you must do the check yourself.
- At the conference, come with the hash you computed and a hardcopy
- A reader at the front of the room will recite the MD5 hashes of
lk2000.txt. Verify that the hash recited matches what you computed.
This guarantees that all participants are working from the same list
- In turn, each participant will stand and acknowledge that the fingerprint
of his or her key listed is correct. Mark the key verified on your
- Later that evening, or perhaps when you get home, you can sign the
keys corresponding to the fingerprints which you were able to verify
on the hardcopy; note that it is advisable that you only sign keys of
people when you have personal knowledge that the person who stood up
during the reading of his/her fingerprint really is the person which
he/she claimed to be.
- Submit the keys you have signed to the PGP keyservers. A good one to
use is the one at MIT: simply send mail containing the ascii armored
version of your PGP public key to <email@example.com>.
Note that you don't have to have a laptop with you; if you don't have
any locally trusted computing resources during the key signing party,
you can make notes on the hardcopy, and then take the hardcopy home and
sign the keys later.