-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry for the long delay, but here (finally) are the notes, links, scripts, etc. I promised at the meeting a few weeks back. If anyone's interested, I've included my string of excuses as well.[1]

I have now signed and mailed the keys for everyone who participated in the verification. Thanks to those who've done the same for me. If you were part of the key signing and haven't received all of the necessary signatures from me, let me know. I found out as the messages went out that the script was using "localhost.localdomain" in the SMTP greeting.

The script I used was "CA - fire and forget (CAFF)" from:

    http://pgp-tools.alioth.debian.org/

Debian users can find this and other scripts in the "signing-party" package. As a non-Debian user I spent some quality time with Subversion, yum, and cpan2rpm to get it working. I think the hardest piece to track down was perl-GnuPG-Interface, which is available from Dag or RPMForge[5].

CAFF is a handy script that does exactly what I have previously done with some ad-hoc shell scripting. Given a list of key IDs it fetches each one, prompts you to sign it, strips off excess signatures, and mails it, encrypted, to the appropriate UID address.

Another option which I have seen used is CABot:

    http://cabot.alioth.debian.org/

This is a more complicated challenge-response system which in earlier versions produced much annoyance. Although its verification method is arguably more secure, it's not what I was looking for. You may find it appropriate if you have any doubts about the validity of the address on a key.

As I mentioned at the meeting, I decided to create a separate key set for my work identity. Since my home directory is out of my control (for the first time in YEARS), I keep my secret keyring on a removable drive. While there are several ways to accomplish this, the simplest working solution was to move secring.gpg from ~/.gnupg to a USB key and create a symlink back.
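One way to script that move, as an added example that is not part of the original message and not code from caff or GnuPG: it takes the GnuPG home and the USB mount point as arguments (the function names relocate_secring and check_secring, and the sample paths in the usage line, are my own assumptions), refuses to run when the drive is not mounted, copies secring.gpg to the drive and compares the copy byte-for-byte before removing the original, then leaves the symlink behind. check_secring reports whether the keyring is actually reachable through the link, which is the check you want before a signing session.

```sh
#!/bin/sh
# Added example: move secring.gpg to a removable drive and leave a symlink in
# its place.  Both paths are assumptions supplied by the caller:
#   $1 = GnuPG home (normally ~/.gnupg), $2 = the USB key's mount point.

relocate_secring() {
    gnupghome="$1"
    usbdir="$2"
    src="$gnupghome/secring.gpg"
    dst="$usbdir/secring.gpg"

    # Refuse to do anything unless the drive is actually mounted.
    if [ ! -d "$usbdir" ]; then
        echo "relocate_secring: $usbdir is not present; is the drive mounted?" >&2
        return 1
    fi

    # Idempotent: a second run on an already-relocated keyring is a no-op.
    if [ -L "$src" ]; then
        echo "relocate_secring: $src is already a symlink" >&2
        return 0
    fi

    [ -f "$src" ] || { echo "relocate_secring: no secret keyring at $src" >&2; return 1; }
    [ -e "$dst" ] && { echo "relocate_secring: refusing to overwrite $dst" >&2; return 1; }

    # Copy first and compare byte-for-byte; only then remove the original.
    cp "$src" "$dst" || return 1
    cmp -s "$src" "$dst" || { echo "relocate_secring: copy mismatch" >&2; rm -f "$dst"; return 1; }
    # FAT filesystems ignore Unix permission bits, so a failure here is tolerated.
    chmod 600 "$dst" 2>/dev/null || true
    rm "$src" || return 1
    ln -s "$dst" "$src"
}

# Report whether the secret keyring is reachable through the symlink, i.e. the
# drive is mounted at the point the link was created with.  $1 = GnuPG home.
check_secring() {
    link="$1/secring.gpg"
    [ -L "$link" ] || return 1
    target=$(readlink "$link") || return 1
    [ -f "$target" ]
}

# Usage (paths are placeholders):
#   relocate_secring "$HOME/.gnupg" /path/to/usb/mount
#   check_secring "$HOME/.gnupg" && echo "secret keyring available"
```

The symlink stores the absolute path of the drive's mount point, so the link only resolves while the drive is mounted at that same point; check_secring fails (dangling link) when it is not, which is exactly the situation the footnote about filesystem labels is meant to avoid. The chmod is allowed to fail because USB keys are commonly FAT-formatted and keep no Unix permissions at all, so the drive itself is the only protection for the file.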
As long as the USB drive always mounts to the same point[6], it just works. GnuPG can still verify signatures and encrypt to other public keys, even if you don't have the secret keyring available.

Remember, as always, to keep a safe backup of your secret keys and revocation certificates. If the only copy of your key is on a USB drive and you lose or damage it, your only option will be to create new keys and start over.

Some useful links:

https://keyserver.pgp.com
    The PGP Global Directory
    One of the "next generation" key servers. If you've uploaded a key to a public server lately you might have received a verification message from the Global Directory. This service provides some certainty that a key belongs to a given e-mail address, but not much more. The Global Directory is also the only key server that I know of which deletes key data after it expires. GnuPG 1.4+ is required to talk directly to the PGP Global Directory.

http://www.gswot.org
    The Gossamer Spider Web of Trust
    GSWoT is an effort to provide a centralized verification authority to the PGP model. It's similar to the Notary concept used in x509 systems.

http://www.gnupg.org
    The GNU Privacy Guard home site

http://www.gnupg.org/gph/en/manual.html
    The GNU Privacy Handbook
    This is probably the best primer on PGP/GPG I've seen. It may not cover all the latest features, but the basics haven't changed in years.

- -- 
Matt Brodeur RHCE
MBrodeur@NextTime.com
http://www.nexttime.com
PGP ID: 2CFE18A3 / 9EBA 7F1E 42D1 7A43 5884 560C 73CF D615 2CFE 18A3

Why use a big word when a little dirty one will do?

[1] As I mentioned at the meeting, I had just returned from Red Hat orientation that morning. The troublesome laptop I had with me, on which I would normally be signing keys and sending mail, proceeded to become worse. Work days have been a total loss due to trying to learn everything in my first two weeks[2]. Last weekend was lost to a GNHLUG organizational event[3] and laptop repair attempts[4].
This weekend I finally got back to some semblance of normality.

[2] I haven't even been reading personal mail on work days recently. That's a really bad sign for me.

[3] Alas, it conflicted with the BLU BBQ. Once again I failed to be in two places at once.

[4] Unsuccessful, of course. Said laptop now needs at least a new keyboard, and possibly a new motherboard. My skills at reattaching a surface-mount 20-some pin connector will determine how much that repair will cost.

[5] http://dag.wieers.com/packages/perl-GnuPG-Interface/
    http://rpmforge.net/user/packages/perl-GnuPG-Interface/

[6] Recent Linux distros that automount USB devices will use a mount point based on the device's filesystem label. Naming your USB key something unique (i.e., "MBrodeurs512MBUSBDrive") can ensure it will always get the same mount point.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDE6Bjc8/WFSz+GKMRAmSHAKC3Rk05oCZA3moG24TiDTd9LT4vDACgs+ff
nDed6V7/2ZPrkI4e2XJHtpU=
=LS4Y
-----END PGP SIGNATURE-----