[PenLUG] GnuPG keysigning event, during Aug 26 meeting

Rick Moen rick@linuxmafia.com
Wed, 11 Aug 2004 00:07:25 -0700 

A couple of weeks ago, I said to Bill Ward that I'd be glad to do a
brief (about 15 minute) GnuPG aka gpg "keysigning" at the next meeting.
That suggests I ought to first explain what one is, and for whom it
would matter.

If you even _think_ you might be interested, please read on.


Bill had found himself wanting to get ssh access to a server activated,
but the sysadmin in charge wasn't willing to just accept Bill's SSH
public key via e-mail without some way of authenticating that the key
came from Bill.  The sysadmin said telephoning would have worked, except
that he wasn't sure he knew Bill's voice. 

This is an example of the need for GnuPG (short for GNU Privacy Guard),
an open-source reimplementation of the old PGP (Pretty Good Privacy)
program.  The sysadmin suggested that Bill sign his SSH key with his PGP
or GnuPG key, and mail him the signed copy -- except that the sysadmin 
had no way of knowing that Bill's GnuPG key was really Bill's, so the
same problem remained.  See the hang-up?


GnuPG, like PGP before it, addresses the twin (related) problems of
authentication and encryption.  In this case, Bill needed for the
sysadmin to be able to authenticate Bill's cryptographic keys -- to
verify that they're really his, and not some imposter's.  The mechanism 
GnuPG provides is _signing_.  There are records ("keyrings") both public
and less so of people having signed (and thus being willing to vouch
for) other people's keys.

Let's say that Les Kopari has, some time ago, signed Bill's GnuPG key
with his own key, and Les has sent his signature (which is itself a
crypographically calculated, binary record) to the public keyservers.
An example of a keyserver is http://www.us.pgp.net/ .  Ordinarily, you
would be able to type "Rick Moen" in the "Search for a key" field, pick
the "Show Signatures [yes]" radio button, and hit "Search" to bring up a
list of all recorded signatures of my key.  Unfortunately, the CGI
interface is down at the moment.  I've informed the guy who maintains
that Web server, and hope he'll fix it soon.  Meanwhile, there are
geekier ways to make your /usr/bin/gpg utility talk directly to
keyservers.  (You don't have to worry about that, right now.)

Let's say that I've signed Les's own GnuPG key, and likewise sent my
signature to the keyservers (a group of machines worldwide that share
data; talking to one is the same as talking to any other of them).
Let's say that Bill's sysadmin friend happens to have signed my key.

Thus, the sysadmin can (automatically) verify his signature of my
signature of Les's signature of Bill's key, and thus knows he can trust
that Bill's key is really his.  This concept is called the "web of trust",
and is in contrast to the "PKI" (Public Key Infrastructure) signing
model typified by, say, Web browsers, where the entire world is supposed
to collectively decide to trust a bunch of Certificate Authorities
(CAs), who in turn get paid to sign individual companies' (and
individuals') Web server site certificates.


For the web of trust to be usable, people have to get together (in a
physical location), and each participant in turn would show some
indication of that person's non-computer-world identities (a photo ID
will do), and read out a "hash" (checksum) of his/her GnuPG public key.
This would then permit other attendees to reasonably decide they're
willing to sign that person's key.

An event coordinator (me, in this case) would collect participants' 
public keys, prepare a paper sheet of those keys for participants'
convenience, and after the event receive and submit participants' 
signatures of one anothers' keys (again, strictly as a convenience).
It's possible to do this in a way so that nobody has to trust the
coordinator's integrity, described here in the GPG Keysigning Party
HOWTO:  http://www.cryptnet.net/fdp/crypto/gpg-party.html

You'll notice that the HOWTO includes a neat little Perl script to
generate a worksheet Web page.  I've just now used it to create one:
http://linuxmafia.com/gpg/

If you want to participate, send me your GPG public key, and I'll add
you to it.

If you don't yet have a key, it's dead-easy to make one.  Please see
"GnuPG Lecture" on http://linuxmafia.com/kb/Security/ .  Some of you may
remember that as lecture notes for a talk I gave some months ago at
PenLUG.  (It also gives a brief rundown on keysignings.)

The night before PenLUG, simply print out a copy of
http://linuxmafia.com/gpg/ (not as it is today, but after more names
have been added), and bring it to the meeting.  The rest is easy, and
I'll run us through it.

Last, you'll need to e-mail your signatures to me, when you get home
from the meeting.  My lecture notes explain how.  (There's no point in
signing keys if you keep the signatures to yourself.)


I hope that's reasonably clear.  I can explain more, if anything's still
mysterious.

-- 
Cheers,                     "All power is delightful, but absolute power
Rick Moen                    is absolutely delightful."  - Kenneth Tynan
rick@linuxmafia.com