NUCCC 2003 - Nordic University Computer Club Conference

The key signing party at NUCCC 2003.

The information on this page was rudely copy-pasted from last year ;) Thanks to the original writer.

What are GPG keys (and why do we sign them)?

GPG keys are cryptographically strong tokens consisting of two parts: a private and a public part. If you know somebody's public key, you can encrypt data and send it to them, and it is impossible (or rather, really, really hard) to decrypt it without the correct private key. Using your private key, you can sign a document by generating a hash of the document's data and encrypting it with your private key. Decrypting it with your public key shows that whoever signed the document had access to the private key, and proves that the document has not been changed.

So, the keys are tokens which you can use to ensure secure communication: you can be sure of who you are talking to, they can be sure that it's you who is talking, and you can't later say "I didn't say that".

So, what is this signing business? Anybody can generate a key pair with any name on it, so you can't trust my key just because it has my name on it. To actually confirm that it's my key, you have to verify it by talking to me through some other channel. Usually, this is done by meeting, showing each other IDs and then signing the keys. This allows a third party to decide that he trusts your signature (since you have exchanged signatures with him) and thereby communicate with me, securely. This is called the web of trust, and doing cross-signatures makes the web tighter and more secure.

How?

What to do before NUCCC 2003 if you wish to participate in the key signing party:

Send your key details (key id, key type, fingerprint and key size) to nuccc+keysign@tiktok.tt.hut.fi. Do this as soon as possible.

What you need to bring:

Once at the key signing party, everybody will get a sheet of paper with all the key details on it. Be sure to check that your own information matches.

The paper will have two columns for check marks: one called "Key Info Matches" and one called "Owner ID Matches". One by one, everybody is to read out their key information and everybody else checks that it matches what is printed on the sheet. If it does, check it. Then we form a line, and one by one, everybody passes through it, having their ID checked; if the ID matches, put a check mark in the right column. Once the first person is at the beginning of the line, everybody has had their ID checked and you can carry the sheet home and sign the ids. Then you upload the signed public keys to a keyserver with "gpg --keyserver wwwkeys.pgp.net --send-keys 0x$keyid" and download your signed keys with "gpg --keyserver wwwkeys.pgp.net --recv-keys 0x$keyid".
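
Back home, the fingerprint ticked on the sheet has to be compared with the key you actually fetched before you sign it. The script below is an added example, not part of the original page: it parses the machine-readable output of "gpg --with-colons --fingerprint", and its function names, sample listing and sample fingerprint are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names and the sample
# listing are constructed for illustration.

# Strip spaces, tabs and colons and uppercase the hex digits, so a fingerprint
# typed from the paper sheet compares equal to gpg's machine-readable form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --with-colons --fingerprint` output on stdin and print the primary
# key's fingerprint: the first "fpr" record, field 10.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only if the sheet value equals the full primary fingerprint.
# A short key id or a subkey fingerprint does not count as a match.
sheet_fpr_matches() {
    sheet=$(normalize_fpr "$1")
    listed=$(printf '%s\n' "$2" | primary_fpr)
    listed=$(normalize_fpr "$listed")
    [ -n "$sheet" ] && [ "$sheet" = "$listed" ]
}

# Constructed sample of colon-format output for a made-up key.
SAMPLE_LISTING='pub:-:1024:17:0123456789ABCDEF:2003-01-01:::-:Example Person::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
sub:-:1024:16:FEDCBA9876543210:2003-01-01::::::e:
fpr:::::::::1111222233334444555566667777888899990000:'

# Fingerprint as it might be copied from a ticked row of the sheet (constructed).
SHEET_FPR='aaaa bbbb cccc dddd eeee  ffff 0123 4567 89ab cdef'

# With a real key: LISTING=$(gpg --with-colons --fingerprint "0x$keyid")
if sheet_fpr_matches "$SHEET_FPR" "$SAMPLE_LISTING"; then
    echo "fingerprint matches the sheet: key can be signed"
else
    echo "MISMATCH: do not sign this key"
fi
```

Only sign keys whose row has both check marks on the sheet and whose fetched fingerprint passes this comparison.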

More information

Some links which may be helpful are:
http://www.herrons.com/kb2nsx/keysign.html - Short explanation of how to arrange a key signing party.
http://www.cryptnet.net/fdp/crypto/gpg-party.html - Explains everything that needs to be done, step by step.

Questions!

Mail questions to nuccc+keysign@tiktok.tt.hut.fi.