PGP Keysigning Party - APRICOT 99, Singapore, March 1-5 1999 - NZNOG

16 Feb 1999

      APRICOT 99, Singapore, March 1-5 1999
                      PGP Keysigning Party

As at most IETF meeting and other regular networking events with
sufficient participants, we will be holding a PGP keysigning
party during this March's APRICOT/ICANN/APNG/APNIC Meetings &
Singapore Linux Conference in Singapore.

Quick Facts:
============
Key Submission:

Deadline:   All keys must be received in the submission email
            box by Wednesday, 3 March 1999, 18:00 (Singapore
            Time !)

Submission  pgp(a)apricot.net
email
address:

Subject:    APRICOT PGP KEY

Format:     Please send your key as normal ASCII text. The keys
            should NOT be sent as attachments or in
            any proprietary format (like eg MS Word etc).

PGP Formats PGP 2.6 (RSA) and PGP5 (RSA and D/H)
Supported

            Note: Keys sent to any other address or
            sent with a different subject may not be
            included in the official Apricot 99 PGP
                                            keyring!

Event details:

Date:		Thursday, 4 March 1999

Time:		18:00 - 19:30

Venue:	Suntec City Convention City
		Room MR203 (Level 2)
Status:	BOF (Birds of a Feather ...)
		(ie *all* are welcome, as long as your key has been received
		on time. No APRICOT/SLC etc registration required !)

            Please check the APRICOT Notice board
            for any changes in Room and Time !

Instructions for Participants:
==============================

1. Who should attend
	1. All people who have a PGP key
	The PGP Keysigning Party will enable you to obtain
	additional signatures (among others by noted net-
	personalities) for your PGP key.

	2. All people who have just started to use PGP
	If you just started using PGP, It is unlikely that your key
	has been signed by (m)any other PGP users so far. To ensure
	that your key is trusted by the majority of the PGP users
	all over the world, you will be interested to have well-
	known net-personalities (and other people) sign your key.

	3. Those who do not have a PGP key yet
	You will need to:
		1.   read up on PGP itself
		2.   create your own PGP key
	to attend the keysigning party

	4. Organizations
	Many organizations use PGP to sign official announcements
	etc. Usually these organizations publish their PGP key on
	the web. As additional security, you may want your key to be
	signed by other trusted

2. Preparation

	- extract your public key using one of the following commands
	(depending on your PGP version):
		-UNIX PGP 2.6*           $ pgp -kxa <your PGP userid>
		-UNIX PGP 5.*            $ pgpk -xa <your PGP userid>
		-Win95 or other GUI      Use the export function to export your
		 implementation          key to a text file

	For more details on the PGP commands refer to the PGP manual

	- send in your PGP public key.
  	(the PUBLIC KEY!!! Never give out your PRIVATE key to
  	anyone!!) to the submission email address listed above.
  	Please do NOT send the key as an attachment or in any other
  	format but ASCII ARMORED TEXT! You could cut and paste the
  	ascii armored PGP key into the email body if necessary!

	- write down (print out) your own public key's fingerprint and
	the Key ID.
	Under UNIX, you can obtain the key ID and fingerprint using these commands:

		-UNIX PGP 2.6*                  $pgp -kvc <your PGP userid>
		-UNIX PGP 5.*                   $ pgpk -ll <your PGP userid>
		-Win95 or other GUI             Check the Key Properties (in
		 implementation                 PGPkeys)

	Here is an example of a PGP key ID and fingerprint extracted
  	under UNIX (PGP 5.0i):
  		Note: This also lists the signatures on this key, but we
  		need only the first few lines (marked with **):

  	$ pgpk -ll mathias
  	Type Bits KeyID Created Expires Algorithm Use
**  	sec+ 768 0x25E082BD 1995-11-15 ---------- RSA Sign & Encrypt
**  	f16 Fingerprint16 = 1A 8B FC D4 93 F1 9A FC BD 98 A3 1A 0E 73 01 65
	uid Mathias Koerber 
  	SIG 0x25E082BD 1996-08-22 Mathias Koerber 
  	uid Mathias Koerber 
  	sig 0x101E3A11 1998-02-23 Alfonso B. Carandang 
  	SIG 0x25E082BD 1996-06-09 Mathias Koerber 
  	uid mathias(a)singapura.singnet.com.sg
  	SIG 0x25E082BD 1995-11-17 Mathias Koerber 
  	uid Mathias Koerber 
  	SIG 0x25E082BD 1995-11-16 Mathias Koerber 
  	uid Mathias Koerber 
  	sig 0x3022C951 1995-12-18 William Allen Simpson

  	sig? 0x0DBF906D 1996-03-09 (Unknown signator, can't be checked)
  	sig? 0x579532CD 1995-12-08 (Unknown signator, can't be checked)
  	sig? 0x7B7AE5E1 1995-12-18 (Unknown signator, can't be checked)
  	sig 0x76875905 1995-12-10 Angelos D. Keromytis 
  	sig 0x466B4289 1995-12-07 Theodore Ts'o [SIGNATURE] 
  	SIG 0x25E082BD 1995-11-15 Mathias Koerber 
  	uid Mathias Koerber 

  	SIG 0x25E082BD 1995-11-15 Mathias Koerber 

3. At APRICOT, before the PGP keysigning Party
  	- periodically check the noticeboard, where the list of keys
  	submitted for the PGP keysigning party will be posted. Your
  	key must be submitted by the deadline to be called during
  	the keysigning party and included in the official APRICOT
  	PGP keyring. If you submitted your key, and it does not
  	appear on the list, please submit it again before the
  	deadline!

4. At the PGP Keysigning Party itself
  	- Bring along proper PHOTO identification
     	For other participants to sign your PGP key (which is
     	the whole aim of this event), they must be able to
     	verify that the key belongs to you and that you really
     	are who you claim to be.

  	- if you submitted a PGP key for your organization, please
  	bring along identification which proves that you are indeed
  	representing that organization
       ·    letter by the president/management etc on their stationery
	 ·    namecard
	 ·    company pass etc

	- obtain the list of submitted keys (this will be provided
  	as a printout at the beginning of the party).

  	- check that YOUR OWN public key is listed on the printout,
  	and check its PGP KEY FINGERPRINT. Check it carefully. The
  	fingerprint must match in *every* character

Procedure
=========
  	- During the party, we will one by one read out aloud each
  	PGP key submitted including the KeyID, the attached userIDs
  	(names) and the Key Fingerprint. During this the owner of
  	the key will stand up to be recognized by the crowd.
  		(We may need each key-owner to read their own Key
  		fingerprint etc, unless we manage to rustle up a suitable
  		Voice program to automatically read the keys)

  	- During this, each participant should
     		1.   check that the userid, name, keyid and fingerprint match
       		what is printed on your printout
		2.   ensure that the person standing up acknowledges the key as
			his own
		3.   note which keys checked out ok and which ones haven't

	- After all keys have been read, you are encouraged to
     		1.   verify the owners' identities by checking their supporting
       		documents (Photo ID)
		2.   especially carefully verify the credentials for those who
			want an organization's key signed.

5. After the PGP Keysigning Party

  	- obtain the official APRICOT 99 keyring from
  			http://www.koerber.org/apricot99/
     		This will be available sometime after the keysigning
     		party. A more detailed announement will be posted on
     		the APRICOT Notice Board. There will be 2 keyfiles, one
     		with only PGP2.6 keys, the other containg all (PGP2.6
     		and PGP5) keys

	- decide whose keys you would want to sign (using your notes
	made during the keysigning party)
	You should only sign keys if you have *very carefully*
	verified the key's integrity and the owner's supporting
	documents (passport etc). If there is any doubt as to a
	person's identity or ownership of a key, do NOT sign
	that person's key !!

  	- sign these people's keys with your own PGP PRIVATE KEY,
  	using your PGP software

  	- export/save the signed keys into ASCII files (see the PGP
  	manual)

  	- either send the signed public keys to the keys owner
  	(recommended) or to one of the public PGP keyservers.
	It is recommended that you send the key to the owner,
	so that they can decide themselves which signatures to
	send to the keyservers.

  	- If you had presented your own key, you may want to check
  	the public pgp keyservers periodically to see whether other
  	participants have sent in new signatures for your own key.
  	If so, you may want to obtain you own public key from the
  	server and add it (actually only the additional signatures)
  	to your own keyring. If another participant has sent you
  	your key with a new signature, you will want to add the new
  	signature to your own keyring, and then send the key to the
  	public PGP keyservers.

==========
Background
==========
What is PGP?
  PGP (Pretty Good Privacy) is a standard (and a program
  implementing that standard) providing strong authentication
  and encryption for email (and other networking applications
  such as internet phone) using a public key system.

Why is PGP important?
  From the PGP FAQ (http://www.at.pgp.net/pgpnet/pgp-faq/):

  	You should encrypt your e-mail for the same reason that you
  	don't write all of your correspondence on the back of a post
  	card. E-mail is actually far less secure than the postal
  	system. With the post office, you at least put your letter
  	inside an envelope to hide it from casual snooping. Take a
  	look at the header area of any e-mail message that you
  	receive and you will see that it has passed through a number
  	of nodes on its way to you. Every one of these nodes
  	presents the opportunity for snooping. Encryption in no way
  	should imply illegal activity. It is simply intended to keep
  	personal thoughts personal.
  Xenon  puts it like this:
  	Crime? If you are not a politician, research scientist,
  	investor, CEO, lawyer, celebrity, libertarian in a
  	repressive society, investor, or person having too much fun,
  	and you do not send e-mail about your private sex life,
  	financial/political/legal/scientific plans, or gossip then
  	maybe you don't need PGP, but at least realize that privacy
  	has nothing to do with crime and is in fact what keeps the
  	world from falling apart. Besides, PGP is FUN. You never had
  	a secret decoder ring? Boo!
      		           -Xenon (Copyright 1993, Xenon)

What is keysigning, and why is it important?
  Again, see the FAQ: http://www.at.pgp.net/pgpnet/pgp-faq/faq-06.html

What is a PGP Keysigning party?
  A PGP keysigning party is not a party in the sense of
  celebration. It is unlikely that alcohol will flow or hors
  d'oevres be passed out. As PGP uses a public key system, it
  usually is easy to obtain some person's public PGP key
  (which is required to securely converse with that person or
  to verify that person's authorship or identity). The usual
  method for this is to either ask the person directly for
  their PGP key. Another method is to request it from a public
  PGP keyserver, which is like a worldwide replicated
  directory of PGP public keys.

More info?
  You can find more information on PGP at these webpages:
  PGP Inc.: http://www.pgp.com
  PGP.net: http://www.pgp.net
  International PGP Homepage: http://www.ifi.uio.no/pgp/
  There is a PGP discussion newsgroup named comp.security.pgp
  and its FAQ:
     http://www.at.pgp.net/pgpnet/pgp-faq/
  There is a book on PGP published by O'Reilly & Associates:
     Simson Garfinkel: PGP: Pretty Good Privacy
     1st Edition December 1994
     1-56592-098-8, Order Number: 0988
     430 pages, $29.95
  see: http://www.oreilly.com/catalog/pgp/noframes.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~
APRICOT (Asia & Pacific Rim Internet Conference on Operational Technologies)

                       Singapore March 1 - 5, 1999

-- The Annual ISP Operations and Business Summit in Asia and Pacific --

                         http://www.apricot.net

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~

---------
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz
where the body of your message reads:
unsubscribe nznog

PGP Keysigning Party - APRICOT 99, Singapore, March 1-5 1999

Barry Raveendran Greene

tags

participants (1)