
July Meet and PGP keysigning party



Hi All,

At the next Linux-Delhi meeting we plan to have a PGP key-signing
party (no, a keysigning party doesn't necessarily mean beer and
snacks!).  I'm sending this message to other lists too, in the hope
that we can organise similar activities in other cities. Cybercomm
moderator, please post this message on your list.

The next Linux-Delhi meeting is on Sunday, 18th July 1999 at the Delhi 
College of Engineering.

Here's some quick dope on PGP and the key-signing part of it.

** What is PGP?

PGP (which stands for Pretty Good Privacy) is a tool which allows you
to encrypt data (typically e-mail) so that it is not viewable by
anyone except the person it's meant for.  PGP is also used to
unambiguously electronically sign documents so that the identity of
the creator/originator of the document can be proven.  As you can
guess, PGP is useful for sending e-mails which should only be read by
the addressee, and/or which should be clearly proven as having
originated from you.  There are other uses too -- e.g. RPM packages
can be signed with PGP so that any tampering with the package can be
detected.

** How does it work?

PGP uses public-key cryptography, which means that everyone has two
keys -- a ``Public Key'' and a ``Secret Key'' (a key is nothing but a
string of characters which are fed into the encryption algorithm to
obtain an encrypted result.  The same document encrypted by the same
method but with different keys will yield different results).

The keys complement each other, which means that anything encrypted
with your public key can only be decrypted with your secret key, and
anything encrypted with your secret key can only be decrypted with
your public key.  This is the heart of PGP and all Public-Key
Cryptography, so don't forget it!

You make your public key as easily available to others as possible --
put it in your .plan for finger, put it on your web page, send it to a 
PGP keyserver, publish it in the newspaper, etc.  You never ever
reveal your secret key to anyone.

The rest is trivial.  If you want to send me a private (For Your Eyes
Only) e-mail, create your message, encrypt it with my public key and
send me the message.  Since the message is encrypted, no one who
intercepts (e.g. the root user on VSNL's mail server :-) will be able
to read it;  since it is encrypted with my Public key, I will be able
to decrypt and read it using my Secret key (remember?)

Similarly, if you have to sign a message to me, encrypt it with your
Secret key.  When I receive the message, I'll try to decrypt it with
your Public key.  If it decrypts then the message must be from you,
since only you (who know your Secret key) could have encrypted it.  If
there's a problem in decrypting then either the message is a forgery
or someone tampered with the contents of the message on the way.
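The complementary-key property described above, as an added illustration that is not part of the original post: textbook RSA in Python with two fixed, publicly known primes. The primes, the helper names and the sample messages are all constructed for this illustration; real PGP wraps this arithmetic in padding, hashing and per-message session keys, and a 60-bit modulus like this one offers no security at all. What it does show is the mechanism: one exponent undoes the other, so a ciphertext made with the Public key opens only with the Secret key, and a "signature" made with the Secret key checks out only against the matching Public key and the unmodified message.

```python
from math import gcd
from typing import Tuple

# Constructed key pair for illustration only.  P and Q are well-known primes;
# N is about 2^60, so any message of up to 7 bytes encodes as an integer below N.
P = 1_000_000_007
Q = 998_244_353
N = P * Q                      # public modulus, shared by both keys
E = 65537                      # public exponent
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)            # secret exponent: E * D == 1 (mod PHI), Python 3.8+

PUBLIC_KEY: Tuple[int, int] = (N, E)   # published everywhere
SECRET_KEY: Tuple[int, int] = (N, D)   # never revealed
MAX_BYTES = (N.bit_length() - 1) // 8  # longest plaintext that stays below N (7 here)


def to_int(msg: bytes) -> int:
    """Encode a short message as one integer smaller than N."""
    if len(msg) > MAX_BYTES:
        raise ValueError(f"message longer than {MAX_BYTES} bytes")
    return int.from_bytes(msg, "big")


def apply_key(value: int, key: Tuple[int, int]) -> int:
    """Modular exponentiation with whichever key is supplied."""
    n, exponent = key
    return pow(value, exponent, n)


def encrypt(msg: bytes, key: Tuple[int, int]) -> int:
    """Encrypt with the recipient's Public key (or, for signing, your Secret key)."""
    return apply_key(to_int(msg), key)


def decrypt(cipher: int, key: Tuple[int, int], length: int) -> bytes:
    """Undo encrypt() with the complementary key; `length` is the plaintext size.
    With the wrong key the result is garbage (and may not even fit in `length`)."""
    return apply_key(cipher, key).to_bytes(length, "big")


def sign(msg: bytes, secret_key: Tuple[int, int]) -> int:
    """'Encrypt it with your Secret key', as the post puts it."""
    return apply_key(to_int(msg), secret_key)


def verify(msg: bytes, signature: int, public_key: Tuple[int, int]) -> bool:
    """Decrypt the signature with the Public key; it must equal the message.
    A forged signature or a tampered message both make this False."""
    return apply_key(signature, public_key) == to_int(msg)


if __name__ == "__main__":
    msg = b"secret!"
    c = encrypt(msg, PUBLIC_KEY)
    print("recovered:", decrypt(c, SECRET_KEY, len(msg)))
    s = sign(msg, SECRET_KEY)
    print("genuine:", verify(msg, s, PUBLIC_KEY),
          "tampered:", verify(b"secret?", s, PUBLIC_KEY))
```

Note that `sign` and `encrypt` are the same operation with the roles of the keys swapped, which is exactly the symmetry the post asks you not to forget; what differs is who holds the exponent you use.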

** Where do I get PGP?

You can download source for PGP 5 for Unix or PGP 6 for Winduhs from

	http://www.pgpi.com/

If you're on Linux, you can get .deb's and .rpm's etc.  I used the
following query to search for them:

	http://www.altavista.com/cgi-bin/query?pg=q&kl=XX&stype=stext&q=%2Bpgp+%2B%28deb+rpm%29

I found an RPM of PGP 5 at:

	ftp://ftp.replay.com/pub/replay/pub/linux/redhat/i386/pgp-5.0i-7.i386.rpm (doesn't work half the time!)

...and a DEB at:

	http://ftp.uevora.pt/debian-non-US/potato/binary-i386/pgp5i_5.0-3.deb

** How do I run PGP?

I can do no better than to point you to the Linux PGP HOWTO:

	http://members.aa.net/~rubino/pgp.html

In order to be a part of the key-signing party, you just need to have
generated your public and secret keys and got the relevant information
(detailed below) to me.

** Why does my key need to be signed?

Since the 'net is the most popular method of distributing public keys,
it's as easy to tamper with keys as it is to tamper with messages --
thereby defeating the very purpose of PGP itself!  So it's important
that you do not trust bare keys which you have got from the Internet,
unless (a) you have contacted the owner of the key separately *and via
a different medium, e.g. phone, fax or snail-mail* and verified the
key actually belongs to him/her, or (b) verified that the key is
signed by someone you trust.

A key signature is nothing but a sort of affidavit from someone that
they believe that it (the key) actually belongs to the person it is
supposed to belong to.  Thus if I know you and have your key details,
I would be willing to sign your key, effectively telling the world,
``Yes, I believe that this key really belongs to Your Name''.  Now
when someone accesses this signed key over the 'net, they see my
signature on it and think, ``Hey, Raju believes that this key belongs
to Your Name, and I trust Raju's judgement, so I'm willing to accept this
key''.  Of course, they could also think, ``Raju believes this is Your
Name's key, and I think Raju is a big liar and completely
untrustworthy, so I will definitely not use this key to correspond
with Your Name'', but that's more unlikely (I hope!).

** So what's a keysigning party after all?

First of all, it's not a party in the normal sense of the word!

At a PGP keysigning party, all the people present must make some
information available to the party host (in this case, me) before the
date of the party.  At the party itself, this information will be
available in printed format to everyone.  Each person interested in
having his/her keys signed then has to prove that they actually are
that person, e.g. by means of a driving license, a passport, credit
card with photo, etc. and to orally verify that the key details on the
printed paper actually are his/hers.

Once you are satisfied as to the identity of the people present, you
can go home, get their keys (by whatever means), sign them and then
upload the signed keys to me.  I will then redistribute the signed
keys to their owners, who can then upload them to the standard
places.

** What information do I need to provide, and when?

1. In order for you to be part of the keysigning process you must make
the following information available to me LATEST BY Wed, 14th July
1999:

	o Primary user-ID of the key (e.g. Raju Mathur <raju@xxxxxxx>) 
	o Key size and key type (e.g. RSA/768)
	o Key ID (e.g. 0x83E874DD)
	o Key Fingerprint (e.g. F2 D4 4A 21 27 B0 63 FF  15 97 9D AE 9D 40 BC B8)

All this information is available using the command ``pgpk -ll <your
name>''

2. After the ``party'', you must sign all the keys you wish to and
send them to me NO LATER THAN Sunday, 15th August, 1999.  I will
redistribute the keys to their owners.
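The check you do at home after the party is to fetch each key, compute its fingerprint and Key ID yourself, and compare them with what the owner read out over the printed sheet. As an added example (not part of the original post, and not PGP's own code), the Python below does that computation for RSA public-key packets following RFC 4880: PGP 2.x/5 "v3" keys, whose 16-byte fingerprint is the MD5 form shown in the post, and OpenPGP "v4" keys, which use SHA-1 over the whole packet body. The key material, the function names and the sample sheet value are constructed for the example; the modulus is not a real key.

```python
import hashlib
import struct
from typing import Tuple

# Constructed key material (NOT a real key): an 88-bit "modulus" whose low
# 64 bits are easy to recognise in the derived Key ID.
SAMPLE_N = int("C0FFEE" + "0123456789ABCDEF", 16)
SAMPLE_E = 17


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880 section 3.2)."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def read_mpi(body: bytes, pos: int) -> Tuple[int, int]:
    """Decode the MPI at `pos`; return (value, position just after it)."""
    (bits,) = struct.unpack_from(">H", body, pos)
    start, end = pos + 2, pos + 2 + (bits + 7) // 8
    return int.from_bytes(body[start:end], "big"), end


def v3_rsa_key_body(n: int, e: int, created: int = 0, valid_days: int = 0) -> bytes:
    """Body of a version-3 RSA public-key packet, as PGP 2.x/5 produced."""
    return struct.pack(">BIHB", 3, created, valid_days, 1) + mpi(n) + mpi(e)


def v4_rsa_key_body(n: int, e: int, created: int = 0) -> bytes:
    """Body of a version-4 RSA public-key packet (OpenPGP)."""
    return struct.pack(">BIB", 4, created, 1) + mpi(n) + mpi(e)


def fingerprint_and_keyid(body: bytes) -> Tuple[str, str]:
    """Return (fingerprint hex, 64-bit Key ID hex), both upper case."""
    version = body[0]
    if version == 3:
        # RFC 4880 section 12.2: v3 fingerprint = MD5 over the MPI bodies of n
        # and e without their length octets; Key ID = low 64 bits of the modulus.
        if body[7] != 1:
            raise ValueError("v3 key packets are only defined for RSA")
        n, pos = read_mpi(body, 8)
        e, _ = read_mpi(body, pos)
        fpr = hashlib.md5(mpi(n)[2:] + mpi(e)[2:]).hexdigest().upper()
        keyid = f"{n & 0xFFFFFFFFFFFFFFFF:016X}"
    elif version == 4:
        # v4 fingerprint = SHA-1 over 0x99, two-octet body length, then the body;
        # Key ID = low 64 bits of the fingerprint.
        prefix = b"\x99" + struct.pack(">H", len(body))
        fpr = hashlib.sha1(prefix + body).hexdigest().upper()
        keyid = fpr[-16:]
    else:
        raise ValueError(f"unsupported public-key packet version {version}")
    return fpr, keyid


def short_keyid(keyid: str) -> str:
    """The 32-bit form PGP 5 prints, e.g. 0x83E874DD."""
    return "0x" + keyid[-8:]


def pretty(fpr: str) -> str:
    """Format as on the party sheet: byte pairs, double space at the half-way point."""
    pairs = [fpr[i:i + 2] for i in range(0, len(fpr), 2)]
    half = len(pairs) // 2
    return " ".join(pairs[:half]) + "  " + " ".join(pairs[half:])


def matches_printed(body: bytes, printed: str) -> bool:
    """Compare a key you fetched with the fingerprint read out at the party,
    ignoring spacing and case so the check is about the hex digits only."""
    return "".join(printed.split()).upper() == fingerprint_and_keyid(body)[0]


if __name__ == "__main__":
    body = v3_rsa_key_body(SAMPLE_N, SAMPLE_E)
    fpr, keyid = fingerprint_and_keyid(body)
    print("Key ID:     ", short_keyid(keyid))
    print("Fingerprint:", pretty(fpr))
    # A key swapped in transit will not match the sheet, however plausible its user-ID.
    forged = v3_rsa_key_body(SAMPLE_N + 2, SAMPLE_E)
    print("fetched key matches sheet:", matches_printed(body, pretty(fpr)))
    print("forged key matches sheet: ", matches_printed(forged, pretty(fpr)))
```

The point of doing the comparison on the full fingerprint rather than the Key ID alone is that the Key ID is only 32 or 64 bits and is derived from key material an attacker controls, whereas the fingerprint is the value the owner vouched for in person; the user-ID string proves nothing by itself, which is why the party exists.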

** What other resources are there to help me learn about PGP and
keysigning parties?

PGP:

	http://www.pgpi.com/

A specific keysigning party (I got my info from here):

	http://ftp.nl.net/events/sane98/keysigning-party.html

PGP keyservers:

	http://www.pgpi.com/services/keys/keyservers/

Keysigning Party Guide:

	http://www.herrons.com/kb2nsx/keysign.html

Or send a mail to the list or to me.

Copyright (C) 1999, Raju Mathur as per the terms of the GNU General
Public License v2.0 or any later version.

Regards,

-- Raju
--
       Raj Mathur / Web Technical Support / Silicon Graphics / New Delhi
                  +91-124-349811         /    raju@xxxxxxx  / 551-7228
            http://reality.sgi.com/raju / Not necessarily speaking
           PGP: F2 D4 4A 21 27 B0 63 FF | for Silicon Graphics.
                15 97 9D AE 9D 40 BC B8 | It is the Mind that Moves

--------------------------------------------------------------------
For more information on Linux in India visit http://www.linux-india.org/
Please do not post HTML email to this mailing list.  HTML mails will be
thoroughly ignored and derisively sniggered at in private.
