Hello everyone,

The KSP went very well. It's a messy process but one you will become more familiar with over time. The web of trust relies upon as many interconnections as possible.

Now you need to complete the key signing process. At the party you verified to yourself that the person you saw there really did own the key. Through their reading of their fingerprint and showing of their ID you were able to justify that they are who they claim to be. Now you must attest to the rest of the world that you have personally verified that the key belongs to the other person. It is this testament that others will make use of to feel confident that they are talking to who they believe they are talking to. You do this with the --sign-key command.

The process will take about five minutes depending upon how quickly you type. Once you have signed all the keys, email the keyring back to me and I will collate the signatures. Once everyone has gotten back to me I will send you back your public key with all the signatures that have been made on it. The cerritoslug keyring will also be posted to the cerritoslug site.

And here are the instructions:

1) take the attached file 'cerritoslug.gpg' and detach/copy it into your ~/.gnupg/ directory.

2) Get your KSP worksheet out and have it in front of you.

3) Run the following command for each of the entries on your sheet that have *BOTH* *BOXES* checked off. One box is not enough.

   $ gpg --no-default-keyring --keyring cerritoslug.gpg --sign-key [KEYID]

   You will be shown the KeyID, Fingerprint, UserID, Size and Type of the key.
   Quickly check that this information matches what is on the paper (and you already know the key ID matches because you typed it on the command line :-))

   Here is what it looked like when I signed Gash's key:

============================================================================
[todd@trip ~]$ gpg --no-default-keyring --keyring cerritoslug.gpg --sign-key gash@cerritoslug.org

pub  1024D/769CB3EA  created: 2003-02-21 expires: 2013-02-18 trust: -/-
sub  1024g/E9F6B61A  created: 2003-02-21 expires: 2013-02-18
(1). Gashaw Teshome

pub  1024D/769CB3EA  created: 2003-02-21 expires: 2013-02-18 trust: -/-
     Fingerprint: EDF1 D7BE 2D63 736D 30B9 8CD1 FE45 2B31 769C B3EA

     Gashaw Teshome

This key is due to expire on 2013-02-18.
Do you want your signature to expire at the same time? (Y/n) y
How carefully have you verified the key you are about to sign actually belongs
to the person named above? If you don't know what to answer, enter "0".

   (0) I will not answer. (default)
   (1) I have not checked at all.
   (2) I have done casual checking.
   (3) I have done very careful checking.

Your selection? 3
Are you really sure that you want to sign this key
with your key: "Todd A. Lyons (Cannonball) "

I have checked this key very carefully.

Really sign? y

You need a passphrase to unlock the secret key for
user: "Todd A. Lyons (Cannonball) "
1024-bit DSA key, ID AE127015, created 2001-04-14

[todd@trip ~]$
============================================================================

4) After repeating step three for each and every double-marked ID on your worksheet, run the following command to export your newly created signatures.

   $ gpg --no-default-keyring --armor --keyring cerritoslug.gpg --export > ~/cerritoslug.asc

5) Mail the resulting ~/cerritoslug.asc file as an attachment or cut/paste it into a message to me at . Attachments are preferred since there is less room for errors.
6) Once everyone has gotten back to me (or a week has gone by) I'll take all the signatures I have received and send you each a copy of the signatures. Those signatures will be in a form you can --import into your normal public keyring. That way you won't have to specify --keyring every time.

7) When you import those signatures on to your ring, don't forget to update your published copy of your public key on your web page (or if you are so inclined you can upload your own key to one of the many public key servers out there.)

Thanks everyone for participating and here's some tips for improving your web of trust.

* Hold a KSP for your LUG, there's a HOWTO available online at .
* Bring a couple copies of your fingerprint to your local LUG meeting just in case you see someone new. When you say hi, just give them a copy and a peek at your ID. Instant web of trust.
* Attend KSPs of nearby LUGs. This ties your LUG to others in the area.
* Be diligent when verifying someone's identity. Remember when you sign a key you are telling the world that you believe that person to be who their key's UID says they are.
* Sign your mail. Set an example by doing.
* Learn more about GnuPG by reading through the documentation online at
* Teach others what you know about GPG.

The two tips I had for your ~/.gnupg/options file are to add an 'armor' entry on a line by itself so that you get armored output by default, and to add a Comment entry telling people where they can download a copy of your public key. Here are the relevant lines from my personal config:

    armor
    comment "http://www.mrball.net/todd.asc"

If you have questions about using GPG, I'll answer them if I can, otherwise there are the online fora linked to off of the GnuPG web site. I'm happy to respond to questions, just please be understanding if it takes a while. I get over 100 emails a day.

It was a pleasure seeing you all at the CerritosLUG meeting and I hope to see you all again at upcoming meetings.

Blue skies...
Todd

P.S. Those of you that verified my identity at the KSP, after you finish signing my key try running this email through. You should get a 'Good' signature.
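
An added example, not part of Todd's message: a pre-signing check for step 3 that lists only the worksheet entries with both boxes checked whose paper fingerprint equals the full fingerprint in the party keyring, since the short key ID typed on the command line does not prove that by itself. The worksheet file format, the function name keys_to_sign and every sample key except the one shown in the transcript are assumptions made for this illustration.

```shell
# Added example. Assumed worksheet format (one entry per line):
#   KEYID|fingerprint box|ID box|fingerprint as written on paper
# keys_to_sign WORKSHEET COLONS prints the key IDs that may be signed.
# COLONS is saved output of: gpg --no-default-keyring \
#   --keyring cerritoslug.gpg --fingerprint --with-colons
keys_to_sign() {
    awk -F'|' '
        NR == FNR {                      # first file: gpg colon listing
            split($0, f, ":")
            if (f[1] == "pub") { want = 1 }
            else if (f[1] == "sub") { want = 0 }
            else if (f[1] == "fpr" && want) {
                # field 10 = primary key fingerprint; index by last 8 digits
                ring[substr(f[10], length(f[10]) - 7)] = f[10]; want = 0
            }
            next
        }
        /^#/ || NF < 4 { next }          # second file: the worksheet
        {
            id = toupper($1); fpr = toupper($4)
            gsub(/[ \t]/, "", id); gsub(/[ \t]/, "", fpr)
            if ($2 !~ /[xX]/ || $3 !~ /[xX]/) next  # one box is not enough
            if (!(id in ring)) next                 # not on the party keyring
            if (ring[id] != fpr) next               # paper and keyring differ
            print id
        }' "$2" "$1"
}

# Constructed sample data: the key from the transcript plus two made-up keys.
d=$(mktemp -d)
cat > "$d/colons" <<'EOF'
pub:-:1024:17:FE452B31769CB3EA:2003-02-21:2013-02-18::-:Gashaw Teshome:
fpr:::::::::EDF1D7BE2D63736D30B98CD1FE452B31769CB3EA:
pub:-:1024:17:1111111122222222:2003-01-01:::-:Constructed User One:
fpr:::::::::1111111111111111111111111111111122222222:
sub:-:1024:16:5555555555555555:2003-01-01::::
fpr:::::::::5555555555555555555555555555555555555555:
pub:-:1024:17:3333333344444444:2003-01-01:::-:Constructed User Two:
fpr:::::::::3333333333333333333333333333333344444444:
EOF
cat > "$d/sheet" <<'EOF'
# KEYID|fpr ok|ID ok|fingerprint on paper
769CB3EA|x|x|EDF1 D7BE 2D63 736D 30B9 8CD1 FE45 2B31 769C B3EA
22222222|x| |1111 1111 1111 1111 1111 1111 1111 1111 2222 2222
44444444|x|x|3333 3333 3333 3333 3333 3333 3333 3330 4444 4444
EOF
for id in $(keys_to_sign "$d/sheet" "$d/colons"); do
    echo "gpg --no-default-keyring --keyring cerritoslug.gpg --sign-key $id"
done
```

With the sample data only the first entry passes: the second has one box checked and the third has a fingerprint on paper that differs from the keyring by one digit.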