Hello everyone,

The KSP went very well. It's a messy process but one you will become more familiar with over time (as you could tell, I'm still learning too). The web of trust relies upon as many interconnections as possible.

Now you need to complete the key signing process. At the party you verified to yourself that the person you saw there really did own the key. Through their reading of their fingerprint and showing of their ID, you were able to verify that they are who they claim to be. Now you must attest to the rest of the world that you have personally verified that the key belongs to the other person. It is this testament that others will make use of to feel confident that they are talking to who they believe they are talking to. You do this with the --sign-key command.

The process will take about ten minutes depending upon how quickly you type. Once you have signed all the keys, email the keyring back to me and I will collate the signatures. Once everyone has gotten back to me I will send you back your public key with all the signatures that have been made on it. The scale keyring will also be posted to my GPG page.

And here are the instructions:

1) Take the attached file 'scale-plain.asc' and detach/copy it into your ~/.gnupg/ directory.

2) Change into the ~/.gnupg/ directory.

3) Convert the ascii armored file into a version that gnupg can work with:

    $ gpg --no-default-keyring --keyring scale.gpg --import ./scale-plain.asc

4) Get your KSP worksheet out and have it in front of you.

5) Run the following command for each of the entries on your sheet that have *BOTH* *BOXES* checked off. One box is not enough.

    $ gpg --no-default-keyring --keyring scale.gpg --sign-key [KEYID]

You will be shown the KeyID, Fingerprint, UserID, Size and Type of the key.
Quickly check that this information matches what is on the paper (and you already know the key ID matches because you typed it on the command line :-))

Here is what it looked like when I signed Dave Leifer's key at an OCLUG keysigning party. Note that I used Dave's email address instead of KeyID. It works properly either way:

============================================================================
[todd@trip ~]$ gpg --no-default-keyring --keyring oclug.gpg --sign-key leifer@attglobal.net
gpg: checking the trustdb
gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
gpg: next trustdb check due at 2007-11-08

pub 1024D/74089BE8 created: 2003-03-13 expires: 2008-03-11 trust: -/-
sub 1024g/DC88D9F7 created: 2003-03-13 expires: 2008-03-11
(1). Dave Leifer

pub 1024D/74089BE8 created: 2003-03-13 expires: 2008-03-11 trust: -/-
 Fingerprint: 4DA8 840A 8698 738F D72B B944 D9BA 62C2 7408 9BE8

 Dave Leifer

This key is due to expire on 2008-03-11.
Do you want your signature to expire at the same time? (Y/n) n
How carefully have you verified the key you are about to sign actually belongs
to the person named above? If you don't know what to answer, enter "0".

 (0) I will not answer. (default)
 (1) I have not checked at all.
 (2) I have done casual checking.
 (3) I have done very careful checking.

Your selection? 3
Are you really sure that you want to sign this key
with your key: "Todd A. Lyons (Cannonball) "

I have checked this key very carefully.

Really sign? y

You need a passphrase to unlock the secret key for
user: "Todd A. Lyons (Cannonball) "
1024-bit DSA key, ID AE127015, created 2001-04-14

Password:
[todd@trip ~]$
============================================================================

6) After repeating step five for each and every double-marked ID on your worksheet, run the following command to export your newly created signatures to a format suitable for me to handle.

    $ gpg --no-default-keyring --keyring scale.gpg --armor --export > scale.asc

7) Mail that file as an attachment or cut/paste it into a message to me at

8) Once everyone has gotten back to me (or a week has gone by) I'll take all the signatures I have received, collate them, and send you each a copy of these combined signatures in a file named scale-sigs.asc.

9) Save this file in your ~/.gnupg/ directory and then you can --import this into your normal public keyring. That way you won't have to specify --keyring every time. You may safely delete the scale-sigs.asc file and the scale.gpg and the scale.asc files.

10) When you import those signatures onto your ring, don't forget to update your published copy of your public key on your web page (or, if you are so inclined, you can upload your own key to one of the many public key servers out there).

Thanks everyone for participating, and here are some tips for improving your web of trust.

* Hold a KSP for your LUG, there's a HOWTO available online at .
* Bring a couple of copies of your fingerprint to your local LUG meeting just in case you see someone new. When you say hi, just give them a copy and a peek at your ID. Instant web of trust.
* Attend KSPs of nearby LUGs. This ties your LUG to others in the area.
* Be diligent when verifying someone's identity. Remember when you sign a key you are telling the world that you believe that person to be who their key's UID says they are.
* Sign your mail. Set an example by doing.
* Learn more about GnuPG by reading through the documentation online at
* Teach others what you know about GPG.

The two tips I had for your ~/.gnupg/options file are to add an 'armor' entry on a line by itself so that you get armored output by default, and to add a Comment entry telling people where they can download a copy of your public key.
Here are the relevant lines from my personal config:

    armor
    comment "http://www.mrball.net/todd.asc"

If you have questions about using GPG, I'll answer them if I can, otherwise there are the online fora linked to off of the GnuPG web site. I'm happy to respond to questions, just please be understanding if it takes a while. I get over 100 emails a day.

It was a pleasure seeing you all at SCALE and I hope to see you all again soon.

Blue skies...
Todd

P.S. Those of you that verified my identity at the KSP, after you finish signing my key try running this email through. Normally on a verified message from an unsigned key, you get a 'Good' signature message but a warning saying it's an untrusted key. Now you should get a 'Good' signature message without that warning.
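
An added example, not part of the original mail: a pre-check for step 5 that compares the full fingerprints written on the worksheet with the primary-key fingerprints in the imported keyring, and lists only the entries that have both boxes checked. The worksheet file format, the function names and all sample values other than the fingerprint from the session earlier in the mail are assumptions made for the example.

```shell
# Added example: choose which worksheet entries are safe to pass to --sign-key.
# keyring_fprs: print primary-key fingerprints from a gpg --with-colons listing
# on stdin. Field 10 of an "fpr" record is the fingerprint; subkeys are skipped.
keyring_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# signable LISTING WORKSHEET: print each worksheet fingerprint that has both
# boxes checked and matches a keyring fingerprint in full; explain skips on stderr.
# Worksheet line format (hypothetical): "<fingerprint> | <boxes checked>".
signable() {
    fprs=$(keyring_fprs < "$1")
    while IFS='|' read -r fpr boxes; do
        fpr=$(printf '%s' "$fpr" | tr -d ' \t' | tr 'a-f' 'A-F')
        boxes=$(printf '%s' "$boxes" | tr -d ' \t')
        [ -n "$fpr" ] || continue
        if [ "$boxes" != 2 ]; then
            echo "skip $fpr: both boxes are not checked" >&2
        elif printf '%s\n' "$fprs" | grep -qxF "$fpr"; then
            echo "$fpr"
        else
            echo "skip $fpr: fingerprint not in keyring" >&2
        fi
    done < "$2"
}

# Constructed sample data: the first key uses the fingerprint shown in the
# session earlier in the mail; every other value is made up for the demo.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/listing" <<'EOF'
pub:-:1024:17:D9BA62C274089BE8:1047513600:1205193600::-:::scESC:
fpr:::::::::4DA8840A8698738FD72BB944D9BA62C274089BE8:
sub:-:1024:16:1111111111111111:1047513600:1205193600:::::e:
fpr:::::::::1111111111111111111111111111111111111111:
pub:-:1024:17:89ABCDEF01234567:1047513600:1205193600::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
EOF
    cat > "$dir/worksheet" <<'EOF'
4DA8 840A 8698 738F D72B B944 D9BA 62C2 7408 9BE8 | 2
0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567 | 1
FFFF 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567 | 2
EOF
    signable "$dir/listing" "$dir/worksheet"
    rm -rf "$dir"
}
demo
```

A real listing comes from `gpg --no-default-keyring --keyring scale.gpg --with-colons --fingerprint`, and each fingerprint the script prints can be given to --sign-key in place of [KEYID].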