Hi Arnd!
On Wed, Dec 19, 2018 at 12:26:00PM +0100, Arnd Bergmann wrote:
> I get asked about keysigning occasionally, and tend to sign other people's GPG encryption keys that I meet at conferences. For kernel developers, this is mostly important so they can send signed git pull requests as well as apply for a user account on kernel.org to host their kernel developers. Other communities such as Debian rely on GPG encryption for additional uses, so I generally recommend all developers to have a GPG key and have at least three signatures from others on it. See [1] for more information on this.
> We have done keysigning parties during Connect in the past, and other conferences have done the same thing. However, this takes a lot of preparation work, and requires that everyone shows up at the same time in a room as well as other downsides.
> For the coming BKK19 meeting, I would propose a slightly organized but ad-hoc method: Everyone who has a GPG key or who is in one of the groups of people that may need one in the future, please prepare the following steps:
> - Make sure that you have a valid GPG key, with at least 2048 bits.
> If you don't have one, create a fresh RSA-4096 key as documented
Right. I certainly won't sign a DSA key at all any more due to the documented weaknesses, and I know many others with the same policy. There's typically little reason to not create as strong a key as you can.
> - Make sure that you have Linaro business cards with your current
> full key fingerprint on them. The fingerprint will look like "88AF CD20 6B16 1195 7187 F16B 60AB 47FF C909 5227" If you do not have Linaro business cards, or they do not have the fingerprint on them, order new business cards from [2] as Linaro employees, as described in CascadeGoCloud -> Company-Handbook -> Employee Information. For assignees and member engineers, follow your company procedures. [Question: we used to have Linaro business cards for assignees as well, could we bring that back?]
FTAOD: I assume you're not suggesting that business cards are ID! Before signing things, also check whatever ID you can.
> Then during Connect, try to find those people you closely work with, as well as anyone new to the company, and exchange business cards. Make sure that the cards you hand out actually have the correct key printed on them if you are paranoid.
> Once you get home, download the gpg keys from everyone you got cards from, check that the fingerprint matches, then sign and upload them. Note that you should not normally have your own master key on the laptop you travel with, so I assume this will have to be done afterwards.
There are ways to improve safety there with hardware tokens, encrypted filesystems etc.
For more paranoia:
* It's a common thing to do to physically sign the cards you've received and verified (with a pen!). That will guard against people maybe trying to slip extra bogus cards into your pocket etc.
* Debian people often (maybe mostly?) will prefer to send encrypted mail to each UID you present, using a tool like caff [1] to automate the process. That validates that you can also at least receive and decrypt mail sent to each address you're claiming to own.
I'm happy to meet people and sign keys to help spread the web of trust. I've helped to organise keysigning parties at various events in the past.
[1] in the Debian package "signing-party"
Cheers,
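The "download, check the fingerprint against the card, then sign and upload" step described in the quoted proposal, combined with the key-strength policy discussed above (no DSA, at least 2048 bits), as an added example that is not part of the thread. It assumes a keyserver is configured in gpg.conf and that the check runs on the machine holding the signing key; the record layout is GnuPG's documented colon output, and the sample listings and fingerprints are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): verify a fetched key against the
# fingerprint on a business card and the policy from the mail (no DSA,
# at least 2048 bits) before signing it. Record layout of the colon
# output follows GnuPG's doc/DETAILS.

# "88AF CD20 ..." as printed on a card -> 40 hex digits, upper case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Reads `gpg --with-colons --list-keys` output on stdin. Prints "ok" and
# returns 0 only if the primary key has the expected fingerprint, is not
# DSA (algorithm id 17) and has at least MINBITS (default 2048) bits.
check_key() {
    want=$(normalize_fpr "$1")
    minbits=${2:-2048}
    awk -F: -v want="$want" -v minbits="$minbits" '
        $1 == "pub" && !seen_pub { bits = $3; algo = $4; seen_pub = 1 }
        $1 == "fpr" && seen_pub && !got_fpr { fpr = $10; got_fpr = 1 }
        END {
            if (!seen_pub)          { print "no public key found"; exit 1 }
            if (fpr != want)        { print "fingerprint mismatch: " fpr; exit 1 }
            if (algo == 17)         { print "refusing to sign DSA key"; exit 1 }
            if (bits + 0 < minbits) { print "key too short: " bits " bits"; exit 1 }
            print "ok"
        }'
}

# One card, end to end: fetch by fingerprint, check, sign, upload.
# Usage: sign_from_card '<fingerprint as printed on the card>'
sign_from_card() {
    fpr=$(normalize_fpr "$1")
    gpg --recv-keys "$fpr" || return 1
    gpg --with-colons --list-keys "$fpr" | check_key "$fpr" || return 1
    gpg --sign-key "$fpr" && gpg --send-keys "$fpr"
}

# Constructed sample listings with placeholder fingerprints (not real keys).
SAMPLE_RSA='pub:u:4096:1:777788889999AAAA:1545000000:::u:::scESC::::::23::0:
fpr:::::::::111122223333444455556666777788889999AAAA:'
SAMPLE_DSA='pub:u:1024:17:0000000000000000:1545000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:'
```

The fingerprint comparison is done on the full 40-digit value, never on a short key id, since only the full fingerprint identifies the key the card vouches for.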