Hi Everyone,
I get asked about keysigning occasionally, and tend to sign other people's GPG encryption keys that I meet at conferences. For kernel developers, this is mostly important so they can send signed git pull requests as well as apply for a user account on kernel.org to host their kernel developers. Other communities such as Debian rely on GPG encryption for additional uses, so I generally recommend all developers to have a GPG key and have at least three signatures from others on it. See [1] for more information on this.
We have done keysigning parties during Connect in the past, and other conferences have done the same thing. However, this takes a lot of preparation work, and requires that everyone shows up at the same time in a room as well as other downsides.
For the coming BKK19 meeting, I would propose a slightly organized but ad-hoc method: Everyone who has a GPG key or who is in one of the groups of people that may need one in the future, please prepare the following steps:
- Make sure that you have a valid GPG key, with at least 2048 bits. If you don't have one, create a fresh RSA-4096 key as documented
- Make sure that you have Linaro business cards with your current full key fingerprint on them. The fingerprint will look like "88AF CD20 6B16 1195 7187 F16B 60AB 47FF C909 5227". If you do not have Linaro business cards, or they do not have the fingerprint on them, order new business cards from [2] as Linaro employees, as described in CascadeGoCloud -> Company-Handbook -> Employee Information. For assignees and member engineers, follow your company procedures. [Question: we used to have Linaro business cards for assignees as well, could we bring that back?]
Then during Connect, try to find those people you closely work with, as well as anyone new to the company, and exchange business cards. Make sure that the cards you hand out actually have the correct key printed on them if you are paranoid.
Once you get home, download the gpg keys from everyone you got cards from, check that the fingerprint matches, then sign and upload them. Note that you should not normally have your own master key on the laptop you travel with, so I assume this will have to be done afterwards.
Arnd
[1] https://www.kernel.org/doc/html/latest/process/maintainer-pgp-guide.html
[2] https://printerbellomarket.co.uk/site/login/linaro
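The "download, check the fingerprint, then sign" step of the procedure above, combined with the key-size rule from the first step, as an added shell example; it is not code from this mail or from any Linaro or kernel.org tooling. The online function assumes gpg is on the PATH with a keyserver configured; the offline part parses gpg's --with-colons record format. The function names, the sample --with-colons records and the key IDs, dates and user IDs inside them are constructed for the example, with the first sample using the example fingerprint quoted in the mail.

```shell
#!/bin/sh
# Added example, not code from the thread: after a keysigning, fetch a key
# by the fingerprint copied from a business card, confirm that the fetched
# key really has that fingerprint, apply the key policy from the thread
# (no DSA; RSA of at least 2048 bits), and only then sign it.
# fetch_and_check needs gpg and a reachable keyserver; everything else
# parses gpg's --with-colons record format and runs offline.

set -u

# Normalize a fingerprint as printed on a card ("88AF CD20 ... 5227", any
# case, with or without spaces) to the 40 hex digits gpg expects.
# Prints the result; returns 1 if the input is not a 40-digit fingerprint.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    case "$fpr" in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# Read "gpg --with-colons --list-keys <fpr>" output on stdin and check that
#   1. the primary key's fpr record equals the fingerprint from the card, and
#   2. the primary key is RSA (algorithm 1) with at least 2048 bits;
#      DSA (algorithm 17) is rejected outright.
# Returns 0 if the key may be signed, 1 otherwise (reason on stderr).
check_key_policy() {
    awk -F: -v want="$1" '
        # First pub record is the primary key: field 3 = bits, field 4 = algorithm.
        $1 == "pub" && !seen_pub { seen_pub = 1; bits = $3 + 0; algo = $4 + 0; next }
        # The fpr record following it carries the primary fingerprint in field 10.
        $1 == "fpr" && seen_pub && !seen_fpr { seen_fpr = 1; fpr = $10 }
        END {
            if (!seen_fpr)   { print "no primary key found" > "/dev/stderr"; exit 1 }
            if (fpr != want) { print "fingerprint mismatch: got " fpr > "/dev/stderr"; exit 1 }
            if (algo == 17)  { print "DSA key rejected" > "/dev/stderr"; exit 1 }
            if (algo != 1)   { print "algorithm " algo " not covered by this policy" > "/dev/stderr"; exit 1 }
            if (bits < 2048) { print "RSA key too short: " bits " bits" > "/dev/stderr"; exit 1 }
        }'
}

# Online path: fetch, verify, then open gpg's interactive signing prompt.
# Signing stays an explicit gpg call because it belongs on the machine that
# holds the master key, not on the travel laptop.
fetch_and_check() {
    fpr=$(normalize_fpr "$1") || { echo "not a valid fingerprint: $1" >&2; return 1; }
    gpg --recv-keys "$fpr" || return 1
    gpg --with-colons --list-keys "$fpr" | check_key_policy "$fpr" || return 1
    gpg --sign-key "$fpr"
}

# Constructed --with-colons samples for the offline demonstration. The first
# uses the example fingerprint from the thread; key IDs, dates and user IDs
# are made up.
CARD_FPR='88AF CD20 6B16 1195 7187 F16B 60AB 47FF C909 5227'
SAMPLE_RSA4096='pub:u:4096:1:60AB47FFC9095227:1545000000:::u:::scESC::::::23::0:
fpr:::::::::88AFCD206B1611957187F16B60AB47FFC9095227:
uid:u::::1545000000::0000000000000000000000000000000000000000::Example Developer <dev@example.org>::::::::::0:
sub:u:4096:1:1111111111111111:1545000000::::::e::::::23:
fpr:::::::::1111111111111111111111111111111111111111:'
SAMPLE_DSA1024='pub:u:1024:17:2222222222222222:1545000000:::u:::scESC::::::23::0:
fpr:::::::::2222222222222222222222222222222222222222:
uid:u::::1545000000::0000000000000000000000000000000000000000::Legacy Key <legacy@example.org>::::::::::0:'
SAMPLE_RSA1024='pub:u:1024:1:3333333333333333:1545000000:::u:::scESC::::::23::0:
fpr:::::::::3333333333333333333333333333333333333333:
uid:u::::1545000000::0000000000000000000000000000000000000000::Old RSA Key <old@example.org>::::::::::0:'

# report LABEL CARD_FINGERPRINT SAMPLE: run the offline checks on one sample
# and say whether the key would be signed.
report() {
    if fpr=$(normalize_fpr "$2") && printf '%s\n' "$3" | check_key_policy "$fpr"; then
        echo "$1: accepted, safe to sign"
    else
        echo "$1: rejected"
    fi
}

report "RSA-4096, card matches"  "$CARD_FPR" "$SAMPLE_RSA4096"
report "RSA-4096, card mistyped" "88AF CD20 6B16 1195 7187 F16B 60AB 47FF C909 5228" "$SAMPLE_RSA4096"
report "DSA-1024"                "2222 2222 2222 2222 2222 2222 2222 2222 2222 2222" "$SAMPLE_DSA1024"
report "RSA-1024"                "3333 3333 3333 3333 3333 3333 3333 3333 3333 3333" "$SAMPLE_RSA1024"
```

The comparison is deliberately on the full 40-digit fingerprint rather than the 16-digit key ID, which is why the full fingerprint belongs on the card: a short ID can be matched by a differently generated key, the full fingerprint cannot in practice. The record layout is documented in gpg's doc/DETAILS. As written, the policy rejects anything that is not RSA, so ECC keys (which gpg lists with small bit counts) would need their own rule before this script accepts them.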
On Wed, 19 Dec 2018 at 11:26, Arnd Bergmann arnd@arndb.de wrote:
- Make sure that you have a valid GPG key, with at least 2048 bits. If you don't have one, create a fresh RSA-4096 key as documented
There's a fairly good key creation guide here: https://keyring.debian.org/creating-key.html
Hi Arnd!
On Wed, Dec 19, 2018 at 12:26:00PM +0100, Arnd Bergmann wrote:
I get asked about keysigning occasionally, and tend to sign other people's GPG encryption keys that I meet at conferences. For kernel developers, this is mostly important so they can send signed git pull requests as well as apply for a user account on kernel.org to host their kernel developers. Other communities such as Debian rely on GPG encryption for additional uses, so I generally recommend all developers to have a GPG key and have at least three signatures from others on it. See [1] for more information on this.
We have done keysigning parties during Connect in the past, and other conferences have done the same thing. However, this takes a lot of preparation work, and requires that everyone shows up at the same time in a room as well as other downsides.
For the coming BKK19 meeting, I would propose a slightly organized but ad-hoc method: Everyone who has a GPG key or who is in one of the groups of people that may need one in the future, please prepare the following steps:
- Make sure that you have a valid GPG key, with at least 2048 bits.
If you don't have one, create a fresh RSA-4096 key as documented
Right. I certainly won't sign a DSA key at all any more due to the documented weaknesses, and I know many others with the same policy. There's typically little reason to not create as strong a key as you can.
- Make sure that you have Linaro business cards with your current
full key fingerprint on them. The fingerprint will look like "88AF CD20 6B16 1195 7187 F16B 60AB 47FF C909 5227". If you do not have Linaro business cards, or they do not have the fingerprint on them, order new business cards from [2] as Linaro employees, as described in CascadeGoCloud -> Company-Handbook -> Employee Information. For assignees and member engineers, follow your company procedures. [Question: we used to have Linaro business cards for assignees as well, could we bring that back?]
FTAOD: I assume you're not suggesting that business cards are ID! Before signing things, also check whatever ID you can.
Then during Connect, try to find those people you closely work with, as well as anyone new to the company, and exchange business cards. Make sure that the cards you hand out actually have the correct key printed on them if you are paranoid.
Once you get home, download the gpg keys from everyone you got cards from, check that the fingerprint matches, then sign and upload them. Note that you should not normally have your own master key on the laptop you travel with, so I assume this will have to be done afterwards.
There are ways to improve safety there with hardware tokens, encrypted filesystems etc.
For more paranoia:
* It's a common thing to do to physically sign the cards you've received and verified (with a pen!). That will guard against people maybe trying to slip extra bogus cards into your pocket etc.
* Debian people often (maybe mostly?) will prefer to send encrypted mail to each UID you present, using a tool like caff [1] to automate the process. That validates that you can also at least receive and decrypt mail sent to each address you're claiming to own.
I'm happy to meet people and sign keys to help spread the web of trust. I've helped to organise keysigning parties at various events in the past.
[1] in the Debian package "signing-party"
Cheers,
W dniu 19.12.2018 o 15:21, Steve McIntyre pisze:
On Wed, Dec 19, 2018 at 12:26:00PM +0100, Arnd Bergmann wrote:
I get asked about keysigning occasionally, and tend to sign other people's GPG encryption keys that I meet at conferences.
That's a good idea. Count me in.
- Make sure that you have Linaro business cards with your current
full key fingerprint on them.
FTAOD: I assume you're not suggesting that business cards are ID! Before signing things, also check whatever ID you can.
ID check is mandatory for me. There were keysigning events where I refused to sign keys for several people due to photo/face mismatch (usually teens).
- Debian people often (maybe mostly?) will prefer to send encrypted mail to each UID you present, using a tool like caff [1] to automate the process. That validates that you can also at least receive and decrypt mail sent to each address you're claiming to own.
caff ftw!
On Wed, Dec 19, 2018 at 3:22 PM Steve McIntyre steve.mcintyre@linaro.org wrote:
On Wed, Dec 19, 2018 at 12:26:00PM +0100, Arnd Bergmann wrote:
- Make sure that you have Linaro business cards with your current
full key fingerprint on them. The fingerprint will look like "88AF CD20 6B16 1195 7187 F16B 60AB 47FF C909 5227". If you do not have Linaro business cards, or they do not have the fingerprint on them, order new business cards from [2] as Linaro employees, as described in CascadeGoCloud -> Company-Handbook -> Employee Information. For assignees and member engineers, follow your company procedures. [Question: we used to have Linaro business cards for assignees as well, could we bring that back?]
FTAOD: I assume you're not suggesting that business cards are ID! Before signing things, also check whatever ID you can.
I usually don't check ID when I sign keys from the people I closely work with, and I rarely sign keys of people I don't already know (and would likely check ID if there is any question about their identity).
Then during Connect, try to find those people you closely work with, as well as anyone new to the company, and exchange business cards. Make sure that the cards you hand out actually have the correct key printed on them if you are paranoid.
Once you get home, download the gpg keys from everyone you got cards from, check that the fingerprint matches, then sign and upload them. Note that you should not normally have your own master key on the laptop you travel with, so I assume this will have to be done afterwards.
There are ways to improve safety there with hardware tokens, encrypted filesystems etc.
For more paranoia:
It's a common thing to do to physically sign the cards you've received and verified (with a pen!). That will guard against people maybe trying to slip extra bogus cards into your pocket etc.
Debian people often (maybe mostly?) will prefer to send encrypted mail to each UID you present, using a tool like caff [1] to automate the process. That validates that you can also at least receive and decrypt mail sent to each address you're claiming to own.
Good suggestions, thanks!
Arnd
On 19/12/2018 12:26, Arnd Bergmann wrote:
Hi Everyone,
I get asked about keysigning occasionally, and tend to sign other people's GPG encryption keys that I meet at conferences. For kernel developers, this is mostly important so they can send signed git pull requests as well as apply for a user account on kernel.org to host their kernel developers. Other communities such as Debian rely on GPG encryption for additional uses, so I generally recommend all developers to have a GPG key and have at least three signatures from others on it. See [1] for more information on this.
We have done keysigning parties during Connect in the past, and other conferences have done the same thing. However, this takes a lot of preparation work, and requires that everyone shows up at the same time in a room as well as other downsides.
For the coming BKK19 meeting, I would propose a slightly organized but ad-hoc method: Everyone who has a GPG key or who is in one of the groups of people that may need one in the future, please prepare the following steps:
Make sure that you have a valid GPG key, with at least 2048 bits. If you don't have one, create a fresh RSA-4096 key as documented
Make sure that you have Linaro business cards with your current full key fingerprint on them. The fingerprint will look like "88AF CD20 6B16 1195 7187 F16B 60AB 47FF C909 5227". If you do not have Linaro business cards, or they do not have the fingerprint on them, order new business cards from [2] as Linaro employees, as described in CascadeGoCloud -> Company-Handbook -> Employee Information.
I'm in the process of reprinting the business cards with the fingerprint. I'll try to add the qrcode for monkeysign to the card.
qrencode -t PNG 'OPENPGP4FPR:<mypgpkey>' -o mypgpkey.png
For assignees and member engineers, follow your company procedures. [Question: we used to have Linaro business cards for assignees as well, could we bring that back?]
Then during Connect, try to find those people you closely work with, as well as anyone new to the company, and exchange business cards. Make sure that the cards you hand out actually have the correct key printed on them if you are paranoid.
Once you get home, download the gpg keys from everyone you got cards from, check that the fingerprint matches, then sign and upload them. Note that you should not normally have your own master key on the laptop you travel with, so I assume this will have to be done afterwards.
Arnd
[1] https://www.kernel.org/doc/html/latest/process/maintainer-pgp-guide.html
[2] https://printerbellomarket.co.uk/site/login/linaro
Conf mailing list Conf@lists.linaro.org https://lists.linaro.org/mailman/listinfo/conf
Thanks for raising this Arnd. I'm very interested.. but!
On Wed, Dec 19, 2018 at 12:26:00PM +0100, Arnd Bergmann wrote:
- Make sure that you have Linaro business cards with your current full key fingerprint on them. The fingerprint will look like "88AF CD20 6B16 1195 7187 F16B 60AB 47FF C909 5227". If you do not have Linaro business cards, or they do not have the fingerprint on them, order new business cards from [2] as Linaro employees, as described in CascadeGoCloud -> Company-Handbook -> Employee Information. For assignees and member engineers, follow your company procedures. [Question: we used to have Linaro business cards for assignees as well, could we bring that back?]
I'm following the instructions but there is no key fingerprint field in my profile at printerbellomarket.co.uk.. I only see name/email/title/phone/phone/skype/irc.
Thanks, Dan
On Wed, Dec 19, 2018 at 4:56 PM Dan Rue dan.rue@linaro.org wrote:
Thanks for raising this Arnd. I'm very interested.. but!
On Wed, Dec 19, 2018 at 12:26:00PM +0100, Arnd Bergmann wrote:
- Make sure that you have Linaro business cards with your current full key fingerprint on them. The fingerprint will look like "88AF CD20 6B16 1195 7187 F16B 60AB 47FF C909 5227". If you do not have Linaro business cards, or they do not have the fingerprint on them, order new business cards from [2] as Linaro employees, as described in CascadeGoCloud -> Company-Handbook -> Employee Information. For assignees and member engineers, follow your company procedures. [Question: we used to have Linaro business cards for assignees as well, could we bring that back?]
I'm following the instructions but there is no key fingerprint field in my profile at printerbellomarket.co.uk.. I only see name/email/title/phone/phone/skype/irc.
I have old business cards with my key on them, but can't log in to that website any more apparently. I wonder what changed.
Arnd
On 19/12/2018 16:56, Dan Rue wrote:
Thanks for raising this Arnd. I'm very interested.. but!
On Wed, Dec 19, 2018 at 12:26:00PM +0100, Arnd Bergmann wrote:
- Make sure that you have Linaro business cards with your current full key fingerprint on them. The fingerprint will look like "88AF CD20 6B16 1195 7187 F16B 60AB 47FF C909 5227". If you do not have Linaro business cards, or they do not have the fingerprint on them, order new business cards from [2] as Linaro employees, as described in CascadeGoCloud -> Company-Handbook -> Employee Information. For assignees and member engineers, follow your company procedures. [Question: we used to have Linaro business cards for assignees as well, could we bring that back?]
I'm following the instructions but there is no key fingerprint field in my profile at printerbellomarket.co.uk.. I only see name/email/title/phone/phone/skype/irc.
I'm in discussion with Printerbello to add the field and a qrcode. I'll let you know the procedure when I've got confirmation
I think you guys have this covered, but do you need any support at / from Connect? If you do, let us know... David
On Wed, 19 Dec 2018 at 16:28, Daniel Lezcano daniel.lezcano@linaro.org wrote:
On 19/12/2018 16:56, Dan Rue wrote:
Thanks for raising this Arnd. I'm very interested.. but!
On Wed, Dec 19, 2018 at 12:26:00PM +0100, Arnd Bergmann wrote:
- Make sure that you have Linaro business cards with your current full key fingerprint on them. The fingerprint will look like "88AF CD20 6B16 1195 7187 F16B 60AB 47FF C909 5227". If you do not have Linaro business cards, or they do not have the fingerprint on them, order new business cards from [2] as Linaro employees, as described in CascadeGoCloud -> Company-Handbook -> Employee Information. For assignees and member engineers, follow your company procedures. [Question: we used to have Linaro business cards for assignees as well, could we bring that back?]
I'm following the instructions but there is no key fingerprint field in my profile at printerbellomarket.co.uk.. I only see name/email/title/phone/phone/skype/irc.
I'm in discussion with Printerbello to add the field and a qrcode. I'll let you know the procedure when I've got confirmation
-- http://www.linaro.org/ Linaro.org │ Open source software for ARM SoCs
Follow Linaro: http://www.facebook.com/pages/Linaro Facebook | http://twitter.com/#!/linaroorg Twitter | http://www.linaro.org/linaro-blog/ Blog
linaro-kernel mailing list linaro-kernel@lists.linaro.org https://lists.linaro.org/mailman/listinfo/linaro-kernel
On Thu, Dec 20, 2018 at 11:03 AM David Rusling david.rusling@linaro.org wrote:
I think you guys have this covered, but do you need any support at / from Connect? If you do, let us know...
One thing I was wondering is whether those of us that need new business cards could have them shipped to the Linaro office instead for pickup during connect as we had done a long time ago, that might simplify the distribution.
Arnd
On Fri, Dec 21, 2018 at 4:42 AM Arnd Bergmann arnd@arndb.de wrote:
On Thu, Dec 20, 2018 at 11:03 AM David Rusling david.rusling@linaro.org wrote:
I think you guys have this covered, but do you need any support at / from Connect? If you do, let us know...
One thing I was wondering is whether those of us that need new business cards could have them shipped to the Linaro office instead for pickup during connect as we had done a long time ago, that might simplify the distribution.
Are new business cards with the fingerprint really necessary? Printing fingerprint "strips" should be fine too, right?
On 12/21/18, Amit Kucheria amit.kucheria@linaro.org wrote:
On Fri, Dec 21, 2018 at 4:42 AM Arnd Bergmann arnd@arndb.de wrote:
On Thu, Dec 20, 2018 at 11:03 AM David Rusling david.rusling@linaro.org wrote:
I think you guys have this covered, but do you need any support at / from Connect? If you do, let us know...
One thing I was wondering is whether those of us that need new business cards could have them shipped to the Linaro office instead for pickup during connect as we had done a long time ago, that might simplify the distribution.
Are new business cards with the fingerprint really necessary? Printing fingerprint "strips" should be fine too, right?
I will definitely also sign keys from people that bring those strips instead of business cards. For me it's easier to bring business cards (which I try to bring to the conference anyway) than it is to remember to print and cut the fingerprints in time.
Arnd
On Fri, 21 Dec 2018 at 08:03, Amit Kucheria amit.kucheria@linaro.org wrote:
On Fri, Dec 21, 2018 at 4:42 AM Arnd Bergmann arnd@arndb.de wrote:
On Thu, Dec 20, 2018 at 11:03 AM David Rusling david.rusling@linaro.org wrote:
I think you guys have this covered, but do you need any support at / from Connect? If you do, let us know...
One thing I was wondering is whether those of us that need new business cards could have them shipped to the Linaro office instead for pickup during connect as we had done a long time ago, that might simplify the distribution.
Are new business cards with the fingerprint really necessary? Printing fingerprint "strips" should be fine too, right?
Nope, and even paper slips can be skipped. What I do is carry my fingerprint (both as text and QR code) on my phone. I'll show it to you and you can take a picture of my phone screen. Then I'll take a picture with my phone from your paperslip/businesscard/phone-screen. Appears to work better than paperslips that sometimes get lost before getting around to sign.
I realize this requires trusting that a nation-state actor hasn't replaced the camera firmware on my phone with one that replaces PGP fingerprints it sees with nefarious ones - I'll take my chances ;)
Riku
Hi all,
Just a kind of reminder ;) Count me in on this. Looking for a party to sign the keys ;)
On Mon, 21 Jan 2019 at 20:53, Riku Voipio riku.voipio@linaro.org wrote:
On Fri, 21 Dec 2018 at 08:03, Amit Kucheria amit.kucheria@linaro.org wrote:
On Fri, Dec 21, 2018 at 4:42 AM Arnd Bergmann arnd@arndb.de wrote:
On Thu, Dec 20, 2018 at 11:03 AM David Rusling david.rusling@linaro.org wrote:
I think you guys have this covered, but do you need any support at / from Connect? If you do, let us know...
One thing I was wondering is whether those of us that need new business cards could have them shipped to the Linaro office instead for pickup during connect as we had done a long time ago, that might simplify the distribution.
Are new business cards with the fingerprint really necessary? Printing fingerprint "strips" should be fine too, right?
Nope, and even paper slips can be skipped. What I do is carry my fingerprint (both as text and QR code) on my phone. I'll show it to you and you can take a picture of my phone screen. Then I'll take a picture with my phone from your paperslip/businesscard/phone-screen. Appears to work better than paperslips that sometimes get lost before getting around to sign.
I realize this requires trusting that a nation-state actor hasn't replaced the camera firmware on my phone with one that replaces PGP fingerprints it sees with nefarious ones - I'll take my chances ;)
Riku
On Fri, Dec 21, 2018 at 12:12:15AM +0100, Arnd Bergmann wrote:
On Thu, Dec 20, 2018 at 11:03 AM David Rusling david.rusling@linaro.org wrote:
I think you guys have this covered, but do you need any support at / from Connect? If you do, let us know...
One thing I was wondering is whether those of us that need new business cards could have them shipped to the Linaro office instead for pickup during connect as we had done a long time ago, that might simplify the distribution.
At least when I got them in the US here, the website just ended up giving me a PDF file to take to a local print shop. There is enough whitespace that they would fit fine on a US shaped business card.
Perhaps those close enough to Cambridge might benefit from that, but those from the US might want to print them locally, if they want the aspect ratio and size to match other US cards.
I'll try to remember to bring my business cards (with fingerprint). I don't really need more signatures, but I'm willing to sign cards of people I know (or get to know).
David