Hi everyone! Before and during OSCON this year, people from Ubuntu California are going to be signing each other's OpenPGP/gnupg keys. This mail aims to explain what's going on to the people who don't know what that means, give information about how you can generate an OpenPGP key (if you have a DSA-1024bit one right now, you should read this section too), what you need to do to get your key signed, and where we'll be doing keysigning before and during OSCON.
=== What is OpenPGP, gnupg, and keysigning? ===

OpenPGP is a standard for electronically signing and encrypting data. The most popular implementation of it, especially on Linux, is GNUPG (GNU Privacy Guard). If you don't know anything about OpenPGP, gnupg, or the concepts of signing and encrypting, there's a great article about them written for the PGP (another similar program) user manual at http://www.pgpi.org/doc/pgpintro/ which I'd highly recommend.

The short version is that generating an OpenPGP key and getting it signed by other people creates a web of trust that lets you be sure that emails from other people in the web are really from them, and that lets you have private, encrypted conversations with them. Ubuntu uses gnupg to sign packages in its repositories, and many people in the Ubuntu community use it to sign emails that they send out. Therefore, building the Ubuntu web of trust is generally a productive and good idea :)

=== How do I generate a secure key with gnupg? ===

So, now that I've established /why/ OpenPGP keys are relevant to Ubuntu, I'll cover how to make one of your own. This would usually be a very short process, but there's currently some concern that gnupg's default settings are insecure, so it's a little more complicated right now. gnupg is installed by default with Ubuntu, so you probably already have it, but the commands are a little arcane (the settings are getting changed at some point, at which time things will be easy again...).

If you already have a DSA-1024 key, you probably want to read http://www.debian-administration.org/users/dkg/weblog/48 . It explains the security problems with those keys rather well, and provides a plan for transitioning to a new key.

If you're making a key for the first time, or ** if you currently have a DSA-1024 key **, you should generate a new keypair using the instructions at http://andys.org.uk/b/2009/05/09/gnupg-rsa-key-pair-mini-howto-with-stronger-digests/ .
If you're going to be meeting up with us at OSCON and want to be involved in keysigning, you should make a key before you get there.

Some notes about the andys.org.uk article:

* Key length: you probably don't need 4096 bits. More bits is theoretically more secure, but 4096 is probably overkill. I used 2048, which appears to be sane, and is the default.

* Key expiration: this is a matter of personal preference. If you think you might accidentally lose your key files, you should set an expiration date (a couple of years in the future is fine). If you're like me and back up everything obsessively, expiration is probably not necessary.

* Real name: consider making this your real name, rather than a pseudonym, if you use both online. One part of keysigning is checking that someone is actually who they claim to be, so it's easier if your key has the same name as your photo ID.

* Revocation: generate a revocation certificate, but don't actually revoke your key (or double-click on the certificate in GNOME, since that does the same thing). The article's revocation instructions are for if you lose control of your key *at a future date*.

Apart from that, it's a pretty clear article. If you have problems following it, let me know (if you don't want to email the list, sending me private email for help is fine with me).

=== Keysigning HOWTO ===

So, now that I've explained what OpenPGP is and how to use it, here comes the social side of it: keysigning! To form the web of trust, we need to get together, exchange key fingerprints, and check IDs.

If you want to participate in keysigning, generate a key using the instructions above, then write down the key fingerprint, which you can get with:

    gpg --fingerprint [keyid]

where keyid is something like "0x0CBC1491" or "Robert Wall". (The command-line program that the gnupg package installs is called gpg, not gnupg.) You then want to copy down that fingerprint and bring it with you. You don't need to bring a copy of your key file, or even a computer at all, with you to OSCON, just that fingerprint.
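The fingerprint is the one thing everyone has to bring, and the mail also asks people with DSA-1024 keys to switch to RSA. The helper below is an added example written for this page; it is not part of the original mail and not something Robert or the Ubuntu California team published. It reads the machine-readable output of `gpg --with-colons --fingerprint` (a real gpg option; the field positions used are those of the pub/fpr/uid records), builds a checkbox list of the kind a keysigning organiser hands out, compares a hand-written fingerprint against the listed one while ignoring spacing and case, and flags any DSA-1024 primary key. The gpg output embedded in it is constructed for the example; the key IDs, fingerprints, names and addresses are made up.

```python
"""Keysigning checklist helper: parse `gpg --with-colons --fingerprint`
output, print fingerprints the way gpg displays them, check a fingerprint
someone wrote down against the list, and flag DSA-1024 primary keys."""
from dataclasses import dataclass, field
from typing import List, Optional

# OpenPGP public-key algorithm IDs (RFC 4880, section 9.1).
ALGO_NAMES = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "ELG-E", 17: "DSA"}

# Constructed sample in the shape of `gpg --with-colons --fingerprint` output.
# Key IDs, fingerprints, names and addresses are made up for this example.
SAMPLE_COLONS = """\
tru::1:1247000000:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1247000000:::u:::scESC:
fpr:::::::::1111222233334444555566667777888899990000:
uid:u::::1247000000::HASH1::Alice Example <alice@example.org>:
sub:u:2048:1:FEDCBA9876543210:1247000000::::::e:
pub:u:1024:17:89ABCDEF01234567:1100000000:::u:::scaSC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
uid:u::::1100000000::HASH2::Bob Example <bob@example.net>:
sub:u:2048:16:0123456789ABCDE0:1100000000::::::e:
"""


@dataclass
class Key:
    keyid: str
    length: int
    algo: int
    fingerprint: str = ""
    uids: List[str] = field(default_factory=list)

    @property
    def algo_name(self) -> str:
        return ALGO_NAMES.get(self.algo, f"algo{self.algo}")


def parse_colons(text: str) -> List[Key]:
    """Group pub/fpr/uid records into Key objects.

    Colon-format fields (0-based after splitting on ':'): pub -> 2 key length,
    3 algorithm, 4 key ID; fpr -> 9 fingerprint; uid -> 9 user ID.
    Only the primary key's fingerprint is kept: that is what gets read out
    and checked at a keysigning, so fpr records following a sub are skipped.
    """
    keys: List[Key] = []
    current: Optional[Key] = None
    in_primary = False
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = Key(keyid=f[4], length=int(f[2]), algo=int(f[3]))
            keys.append(current)
            in_primary = True
        elif f[0] == "sub":
            in_primary = False
        elif f[0] == "fpr" and current is not None and in_primary:
            current.fingerprint = f[9].upper()
        elif f[0] == "uid" and current is not None:
            current.uids.append(f[9])
    return keys


def is_weak(key: Key) -> bool:
    """A 1024-bit DSA key can only produce 160-bit (SHA-1) signatures,
    which is the reason the mail asks DSA-1024 holders to make a new RSA key."""
    return key.algo == 17 and key.length <= 1024


def format_fingerprint(fpr: str) -> str:
    """Render a 40-hex-digit fingerprint as gpg prints it: ten groups of
    four, with a double space after the fifth group."""
    groups = [fpr[i:i + 4] for i in range(0, len(fpr), 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def normalize_fingerprint(s: str) -> str:
    """Drop whitespace and case so a hand-written fingerprint can be compared."""
    return "".join(s.split()).upper()


def fingerprints_match(written: str, listed: str) -> bool:
    """True only for a full 40-digit match; a partial copy is not good enough."""
    a, b = normalize_fingerprint(written), normalize_fingerprint(listed)
    return len(a) == 40 and a == b


def keysigning_list(keys: List[Key]) -> List[str]:
    """One checkbox block per key: tick 'fpr' when the owner confirms the
    fingerprint, tick 'ID' after checking the photo ID against the user IDs."""
    out: List[str] = []
    for k in keys:
        out.append(f"[ ] fpr  [ ] ID   0x{k.keyid[-8:]}  {k.algo_name}-{k.length}")
        out.append(f"      {format_fingerprint(k.fingerprint)}")
        out.extend(f"      {u}" for u in k.uids)
        if is_weak(k):
            out.append("      ** DSA-1024 key: ask the owner for the fingerprint of their new RSA key **")
    return out


if __name__ == "__main__":
    keys = parse_colons(SAMPLE_COLONS)
    print("\n".join(keysigning_list(keys)))
    # What the owner wrote on paper, lower case and oddly spaced, still matches.
    print(fingerprints_match("1111 2222 3333 4444 5555 6666 7777 8888 9999 0000",
                             keys[0].fingerprint))
```

To use it on real keys, pipe `gpg --with-colons --fingerprint` into `parse_colons` instead of the constructed sample; everything else stays the same.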
To make things more orderly, email the fingerprint to me, and I'll generate a list of keys for everyone so we can all just check boxes instead of writing down lots of stuff. You still need to write down *your* fingerprint and bring it with you, though, to make sure I got the right one.

So yes. To get involved with keysigning at OSCON:

* Generate an OpenPGP key using the instructions in the previous section

* Write down your key fingerprint and bring it with you

* (optional but recommended) Email your fingerprint to me so I can make key lists

* BRING PHOTO ID WITH YOU so we can check that you're actually who you say you are. A California Driver's License or US passport is generally acceptable (since most people in Ubuntu California know what they look like), but anything with your name and photo, issued by a government, and not easily faked, is probably okay.

As far as the keysigning process itself goes, we can discuss it in person. It's also easy, though :)

=== Keysigning before/at OSCON ===

So, now that we know what we need to get so we can keysign, we need to decide where we're going to do it.

Several of us are going to be in San Jose on the evening of Sunday 19th for the Community Leadership Summit, so we'll definitely be doing it then. We'll also be discussing logistics for OSCON then. ** If you know of good eating places in San Jose near the McEnery Convention Center (at the corner of W San Carlos St. and S Market Street), we'd appreciate suggestions. ** We're aiming to meet up at about 6pm. Since some of us are under 21, bars don't count.

If you're going to OSCON itself, we can also keysign any time at the booth there. The schedule for when people will be there is at http://wiki.ubuntu.com/CaliforniaTeam/Projects/OSCON2009 (if you're going to be at the booth and aren't on that schedule, get on that schedule). You probably want to do keysigning with at least three other people.
I know there'll be more than that at the pre-OSCON meeting on Sunday, so that's probably the best time to do it.

Okay, so, things to take from this email:

* Keysigning and OpenPGP are cool

* You should go generate an RSA OpenPGP key now using the instructions

* If you're coming to OSCON, get your fingerprint, email it to me, and write it down and bring it with you.

* If you're in San Jose and have recommendations for food places near the convention center, please please let us know :)

Thanks,
~ Robert

-- 
Robert Wall <robertlikesturt...@gmail.com>
OpenPGP key: 0x0CBC1491 | see http://rww.name/rsaswitch.txt
Webpage: http://rww.name/
-- Ubuntu-us-ca mailing list Ubuntu-us-ca@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-ca