[PATCH v2 3/6] docs: rSTify the "KeySigningParty" wiki

From: Kashyap Chamarthy
Subject: [PATCH v2 3/6] docs: rSTify the "KeySigningParty" wiki
Date: Tue, 19 Oct 2021 11:03:41 +0200

The original wiki is here[1].  I converted it by copying the wiki source
into a .wiki file and converting that to rST using `pandoc`:

    $ pandoc -f Mediawiki -t rst key-signing-party.wiki -o

This is a 1-1 conversion; no content changes.

[1] https://wiki.qemu.org/KeySigningParty

Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
 docs/devel/key-signing-party.rst | 171 +++++++++++++++++++++++++++++++
 1 file changed, 171 insertions(+)
 create mode 100644 docs/devel/key-signing-party.rst

diff --git a/docs/devel/key-signing-party.rst b/docs/devel/key-signing-party.rst
new file mode 100644
index 0000000000..94e133c40e
--- /dev/null
+++ b/docs/devel/key-signing-party.rst
@@ -0,0 +1,171 @@
+Key-signing Party
+.. _whats_a_key_signing_party:
+What's a key-signing party?
+A key-signing party is a get-together with PGP users for the purpose of
+meeting other PGP users and signing each other's keys. This helps to
+extend the "web of trust" to a great degree. Also, it sometimes serves
+as a forum to discuss strong cryptography and related issues. In QEMU we
+use PGP keys to sign pull requests, so submaintainers need to have PGP
+keys signed by those with direct commit access.
+This wiki page gives general information on how we run key-signing
+parties for QEMU; usually there will be one at KVM Forum. For details of
+a specific event (location, organizer, etc) see the wiki page for that
+The instructions here are pretty specific, because there will likely be
+at least a dozen people trying to arrange to sign each others' keys. To
+get this done in a reasonable time we need to be efficient about it, so
+following the instructions makes it easier and smoother for everyone. If
+(for instance) you don't send your key to the organizer before the
+deadline then it's quite likely you won't get your key signed.
+.. _what_do_i_need_for_this_party:
+What do I need for this party?
+.. _required_items:
+Required Items
+-  Physical attendance
+-  Positive picture ID
+-  Your Key ID, Key type, HEX fingerprint, and Key size
+-  A pen/pencil or whatever you'd like to write with....
+-  NO computer
+.. _required_process:
+Required Process
+-  Generate a key/Remember your pass phrase
+-  All attendees send their public keys to a public keyserver. Unless
+   specified otherwise, use keys.gnupg.net. If for some reason you don't
+   want your key to be in a public keyserver, but still want to
+   participate, please let me know.
+-  All attendees send their key ID, key type, fingerprint, and key size
+   to the host, who will compile everyone's key information.
+-  The host prints a list with everyone's key ID, key type, fingerprint,
+   and key size from the compiled keyrings and distributes copies of the
+   printout at the meeting.
+-  Attend the party. Bring along a paper copy of your key ID, key type,
+   fingerprint, and key size that you obtained from your own keyring.
+   You must also bring along a suitable photo ID. Instruct the attendees
+   at the beginning that they are to make two marks on the listing, one
+   for correct key information (key ID, key type, fingerprint, and key
+   size) and one if the ID check is ok.
+-  At the meeting each key owner reads his key ID, key type,
+   fingerprint, key size, and user ID from his own printout, not from
+   the distributed listing. This is because there could be an error,
+   intended or not, on the listing. This is also the time to tell which
+   ID's to sign or not. If the key information matches your printout
+   then place a check-mark by the key.
+-  After everyone has read his key ID information, have all attendees
+   form a line.
+-  The first person walks down the line having every person check his
+   ID.
+-  The second person follows immediately behind the first person and so
+   on.
+-  If you are satisfied that the person is who they say they are, and
+   that the key on the printout is theirs, you place another check-mark
+   next to their key on your printout.
+-  Once the first person cycles back around to the front of the line he
+   has checked all the other IDs and his ID has been checked by all
+   others.
+-  After everybody has identified himself or herself the formal part of
+   the meeting is over. You are free to leave or to stay and discuss
+   matters of PGP and privacy (or anything else) with fellow PGP users.
+   If everyone is punctual the formal part of the evening should take
+   less than an hour.
+-  After confirming that the key information on the key server matches
+   the printout that you have checked, sign the appropriate keys. Keys
+   can only be signed if they have two check-marks. Note that it is
+   really important to check the full fingerprint -- there are many keys
+   on the keyservers are maliciously generated fakes which have the same
+   short 32-bit keyid but the wrong fingerprint!
+-  Send the signed keys back to the keyservers.
+-  Use those keys as often as possible.
+.. _why_shouldnt_i_bring_a_computer:
+Why shouldn't I bring a computer?
+There are a variety of reasons, why you don't want to do this. The short
+answer is it would be insecure, unsafe, and of no benefit. For those not
+convinced, here are some reasons why it is insecure, unsafe, and of no
+-  Someone might have modified the computers programs, operating system,
+   or hardware to steal or modify keys.
+-  If people are swapping disks with their keys on them the computer
+   owner has to worry about viruses.
+-  If people are carrying their secret keys with them and intend to do
+   the signing at the actual meeting by typing their passphrase into a
+   computer, then they are open to key-logging attacks,
+   shoulder-surfing, etc.
+-  It is much better to just exchange key details and verify ID and then
+   do the signing when you get home to your own trusted computer.
+-  Someone might spill beer on it.
+-  Someone might drop it or knock it off the table.
+-  More reasons, I don't feel like articulating
+.. _other_questions_about_signing_keys:
+Other questions about signing keys?
+You may want to read the `Keysigning Party
+Howto <http://www.cryptnet.net/fdp/crypto/gpg-party.html>`__ which
+includes an explanation of the concepts behind keysigning, instructions
+for hosting a keysigning party, instructions for participating in a
+keysigning party, and step by step instructions for signing other's
+If you're looking for quick answers you may want to look to the
+questions and answers below, which all come from the `PGP
+FAQ <http://www.pgp.net/pgpnet/pgp-faq/faq.html>`__. It also has a lot
+of other good information, besides what is linked to below.
+-  `What is key
+   signing? <http://www.pgp.net/pgpnet/pgp-faq/faq.html#KEY-SIGNING-WHAT>`__
+-  `How do I sign a
+   key? <http://www.pgp.net/pgpnet/pgp-faq/faq.html#KEY-SIGNING-HOW>`__
+-  `Should I sign my own
+   key? <http://www.pgp.net/pgpnet/pgp-faq/faq.html#KEY-SIGNING-SELF>`__
+-  `Should I sign X's
+   key? <http://www.pgp.net/pgpnet/pgp-faq/faq.html#KEY-SIGNING-WHEN>`__
+-  `How do I verify someone's
+   identity? 
+-  `How do I know someone hasn't sent me a bogus key to
+   sign? 
+.. _other_useful_pgp_links:
+Other useful PGP links
+A few more links for PGP newbies, or those who wish to re acquaint
+-  http://www.pgpi.org/ -- The International PGP Home Page
+-  http://www.pgpi.org/download/ -- Download PGP
+-  http://www.gnupg.org/ -- GNU PGP (Linux)
+-  http://www.pgpi.org/products/tools/search/ -- PGP Tools, Shells, and
+   Plugins
+.. _what_if_i_still_have_a_question:
+What if I still have a question?
+If you'd like some help answering it, you can contact the event
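Review bot: the rST section headings in this hunk ("Key-signing Party", "What's a key-signing party?", "Required Items", "Required Process", "Why shouldn't I bring a computer?", and the rest) have no underline adornment and sit directly after their `.. _label:` targets with no blank line between, so Sphinx would render them as ordinary paragraphs and the labels would attach to the wrong element; the hunk header announces 171 added lines but far fewer are shown, which suggests the blank lines and underline rows may only have been lost in the archive rendering, but please confirm the committed file has them. Several sentences also break off mid-clause ("see the wiki page for that", "here are some reasons why it is insecure, unsafe, and of no", "step by step instructions for signing other's", "A few more links for PGP newbies, or those who wish to re acquaint", "you can contact the event"), and the last two FAQ entries ("How do I verify someone's identity?", "How do I know someone hasn't sent me a bogus key to sign?") open a backtick link with no `<url>`__ target, which docutils will reject; re-check the pandoc output against the wiki source for those spots. Out of scope for a stated 1-1 conversion, but worth a follow-up patch: the keyserver recommendation (keys.gnupg.net), the plain-http links, and the wiki-era first person ("please let me know", "I don't feel like articulating") read oddly in docs/devel, and the one security-critical instruction in the page, that a short 32-bit key ID is not enough and the full fingerprint must be compared because keyservers carry deliberately generated collisions, deserves to be a standalone sentence in the signing step rather than a trailing aside.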
