% Supplemental Keysigning Help
%
% markus schnalke
%
% since 2009-02-17

\documentclass[a4paper,twocolumn]{article}

\usepackage{paper}

\usepackage{url}
\usepackage{graphicx}
\usepackage{verbatim}


\begin{document}

\date{}
\title{\textbf{\huge Supplemental Keysigning Help}}
\author{markus schnalke\\meillo@marmaro.de}
\maketitle

\copyright{
Created for some people of the LUG Ulm \cite{lugu}, 2009-02-18\\
This document is available on my website \url{http://marmaro.de/docs}\,.
}


\abstract{
Methods to organize keysigning events are available in large numbers. They usually describe only what needs to be done and in which order, and this is exactly what they should do.

This document is a supplemental help to one of the methods by describing concrete ways to actually do some of the tasks. It suggests tools and shows how to use them.
}



\section{Introduction}

This document tries to help people in organizing a keysigning event. It should be seen as concrete suggestions for how to do things that are already described by the keysigning method in general. The method defines how to organize the keysigning; this document makes concrete suggestions \emph{how} to do things. This document also shows how to generate WOT graphs.




\section{Keysigning method}

The keysigning method that is focused on here is Zimmermann and Sassaman's method \cite{zimmermann}. It is easy to use and scales well for any number of people.

One should become familiar with this method and follow it when organizing a keysigning event.
This document provides technical help with some selected tasks.




\section{Key management}

When you invite people to the keysigning event you will receive their public key(s). To manage the keys it is recommended to add them to a new keyring:

{\tt\small
\begin{verbatim}
$ gpg --no-default-keyring \
      --keyring /path/to/keyring.gpg \
      --import some-public-key.asc
\end{verbatim}
}

It is also possible to directly fetch the keys from a keyserver, but this is not preferred. It is better to receive the keys directly from the owners.

{\tt\small
\begin{verbatim}
$ gpg --no-default-keyring \
      --keyring /path/to/keyring.gpg \
      --keyserver subkeys.pgp.net \
      --recv-key 0xDEADBEEF
\end{verbatim}
}




\section{Participant list}

You have to generate a list that contains the public keys of all participants. A script to do this automatically with nice formatting is available \cite{keylist}. The script is not perfect, but sufficient.

{\tt\small
\begin{verbatim}
$ keylist.sh /path/to/keyring.gpg header.txt \
      howto.txt checksums.txt
\end{verbatim}
}

The script generates a public key list from all keys in the keyring (first argument). The contents of text files (all further arguments) can be prepended to this list.

A general header is demanded by good style. Descriptions of what the participants need to do are highly recommended in order to support inexperienced participants. Fields to insert the checksums should be provided anyway. Examples of the files included here can be found at \cite{keylist}.
%Figure \ref{fig:keylist} shows a sample participant list.

\begin{figure}
{\tt\tiny
\verbatiminput{keylist-sample.txt}
}
\caption{A sample participant list}
\label{fig:keylist}
\end{figure}




\section{WOT graphs}

The change in the Web of Trust (WOT for short) directly shows the gain of a keysigning event. The more interwoven and the shorter the connections between individuals are, the better the trust among that group of people.

Providing WOT graphs is a nice gesture by a keysigning organizer. However, it is optional in any case and can be done afterwards, too.

Two programs are required to generate the graphs: \texttt{sig2dot} \cite{sig2dot} and \texttt{neato} from \texttt{graphviz} \cite{graphviz}.

To generate a graph that depicts the WOT, use the following command:

{\tt\small
\begin{verbatim}
$ gpg --no-default-keyring \
      --keyring /path/to/keyring.gpg \
      --list-sigs \
      | sig2dot -d YYYY-MM-DD \
      | neato -Tpng > wot.png
\end{verbatim}
}

The date (`\texttt{YYYY-MM-DD}') must be substituted, of course. The generated image shows the WOT at the given date.

To generate graphs of the WOT after the event, one must update the keyring first:

{\tt\small
\begin{verbatim}
$ gpg --no-default-keyring \
      --keyring /path/to/keyring.gpg \
      --keyserver subkeys.pgp.net \
      --refresh-keys
\end{verbatim}
}

New images can be created the same way as described above; only the date needs to be changed.

(Notice that only signatures that were uploaded to a keyserver will be included.)
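
The graphs show the gain visually; the same \texttt{--list-sigs} data, in gpg's machine-readable \texttt{--with-colons} form, can also be checked for signatures that are still missing after the event. The following is an added example, not part of the original document or of \texttt{sig2dot}: the function name \texttt{wot\_scan} and the sample listing (fake key IDs) are constructed for illustration, and revoked certifications are assumed not to occur.

```shell
#!/bin/sh
# Added example: report which participants have not yet certified which keys.
# Input on stdin: output of
#   gpg --no-default-keyring --keyring /path/to/keyring.gpg \
#       --list-sigs --with-colons
# Fields used: 1 = record type, 5 = key ID, 10 = user ID,
# 11 = signature class (10x..13x are certifications of a user ID).

wot_scan() {    # $1 = "missing" or "coverage" (hypothetical helper)
    awk -F: -v mode="$1" '
        $1 == "pub" { cur = $5; id[++n] = cur; next }
        $1 == "uid" && !(cur in name) { name[cur] = $10; next }
        # One edge per signer/signee pair; self-signatures are skipped.
        $1 == "sig" && $5 != cur && $11 ~ /^1[0-3]/ { signed[$5, cur] = 1 }
        END {
            # Only keys in the keyring count; outside signers are ignored.
            for (i = 1; i <= n; i++)
                for (j = 1; j <= n; j++) {
                    if (i == j) continue
                    total++
                    if ((id[i], id[j]) in signed) have++
                    else if (mode == "missing")
                        printf "%s (%s) has not signed %s\n", id[i], name[id[i]], id[j]
                }
            if (mode == "coverage") printf "%d/%d\n", have, total
        }'
}

# Constructed sample listing: Alice and Bob have cross-signed, Carol has
# signed Alice, nobody has signed Carol, and one signer is not in the keyring.
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAA1:1230000000:::u:::scESC:
uid:u::::1230000000::X::Alice Example <alice@example.org>:
sig:::1:AAAAAAAAAAAAAAA1:1230000000::::Alice Example <alice@example.org>:13x:
sig:::1:BBBBBBBBBBBBBBB2:1234000000::::Bob Example <bob@example.org>:10x:
sig:::1:CCCCCCCCCCCCCCC3:1234000000::::Carol Example <carol@example.org>:10x:
pub:-:4096:1:BBBBBBBBBBBBBBB2:1230000000:::-:::scESC:
uid:-::::1230000000::X::Bob Example <bob@example.org>:
sig:::1:AAAAAAAAAAAAAAA1:1234000000::::Alice Example <alice@example.org>:10x:
sig:::1:DDDDDDDDDDDDDDD4:1234000000::::[User ID not found]:10x:
pub:-:4096:1:CCCCCCCCCCCCCCC3:1230000000:::-:::scESC:
uid:-::::1230000000::X::Carol Example <carol@example.org>:
sig:::1:CCCCCCCCCCCCCCC3:1230000000::::Carol Example <carol@example.org>:13x:
EOF
}

sample_listing | wot_scan coverage   # 3/6
```

Running \texttt{wot\_scan coverage} on the keyring before and after \texttt{--refresh-keys} gives the same before/after comparison as the two graphs, as a number.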

%Figure \ref{fig:wot-graphs} shows sample WOT graphs before and after a keysigning event.

\begin{figure}
\includegraphics[scale=0.45]{wot-before.ps}
\hfill
\includegraphics[scale=0.45]{wot-after.ps}
\caption{Sample graphs which show the WOT before and after a keysigning event}
\label{fig:wot-graphs}
\end{figure}



\section{A hint for participants}

Receiving keys, signing them, and sending the signatures back to the key owners can be a time-consuming job, especially if many people took part in a keysigning event.

The nice tool \texttt{caff} \cite{signing-party} is a great helper. It automates the whole process, from key retrieval, to signing, to sending the signatures. (An MTA is required to send signatures.)



\section{Acknowledgments}

This document is based heavily on how Fabian Fingerle \cite{fabianfingerle} organizes keysigning events. I thank him for being a great inspiration.



{\footnotesize
\bibliographystyle{plain}
\bibliography{references}
}



\end{document}