Educause Security Professionals 2017 Conference - PGP Key Signing

Quick link: Upload your public key here

Denver, CO; Tuesday, May 2, 2017

A PGP key signing party will be held at the EDUCAUSE Security Professionals Conference on Tuesday, May 2, 2017 6:30 - 7:30pm. Refer to the conference agenda for location.

The event is being coordinated by REN-ISAC, specifically Brian Epstein, Ken Connelly, and Don Becker. Questions or comments can be directed to them.

A Key-Signing page has been set up to manage the collection of public keys. REN-ISAC members can log in using their REN-ISAC credentials. Non-REN-ISAC members can email to request a username/password for the Key-Signing page, or email a copy of their public key to Ken Connelly or Brian Epstein for inclusion in the keyring.

ALL Educause Security Conference attendees are welcome to join the event; it is not limited to REN-ISAC members.

Before 12:00pm (noon) the day of the event:

In order to share your public key at the event you must complete the following three steps before 12:00pm the day of the event. If you have not completed them, you can still take part in verifying other people's keys, but you cannot have your own key verified.

  1. If you don't already have PGP, acquire and set up PGP:
    • GnuPG (free PGP software for Windows, Mac, UNIX, etc)
    • PGP (commercial PGP software for Windows, Mac, UNIX, etc)
    • If you're using the Thunderbird mail client and choose GnuPG, you'll probably want to use the Enigmail extension.
  2. Extract your PGP public key. Refer to your PGP software's documentation for details; you are looking for your public (not private!) key exported in "ASCII-armored" format.
  3. Add your public key to the event keyring. Do this by going to the Key-Signing page, clicking on "Add new GPG Key", then either
    • click on "I want to submit a key block" and paste your ASCII-armored public key block, or
    • click on "I want to upload a key (.asc) file" and upload a file containing your ASCII-armored public key.
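As an added example (not part of the original event page), here is how the three preparation steps look with GnuPG 2.1 or later on a Unix-like system. The name, e-mail address, file names and the two-year expiry are placeholders assumed for the example; `check_public_armor` is a helper written here, not a GnuPG feature, and exists to catch the one mistake that matters most at this stage: uploading a private key block instead of the public one.

```shell
#!/bin/sh
# Added example for the three preparation steps, using GnuPG (2.1 or later).
# Names, e-mail address and file names are placeholders assumed for this example.

# Step 1: create a key if you do not already have one (prompts for a passphrase).
# "default" usage gives a certify+sign primary key plus an encryption subkey.
make_key() {
    gpg --quick-generate-key "Jane Doe <jane@example.edu>" rsa4096 default 2y
}

# Step 2: export ONLY the public key, ASCII-armored, to the file you will upload.
# $1 = key identifier (e-mail, key ID or fingerprint), $2 = output file
export_public_key() {
    gpg --armor --export "$1" > "$2"
}

# Safety check before uploading: the first line must announce a PUBLIC key block,
# and nowhere in the file may a private key block appear (that is what
# gpg --export-secret-keys would have written).
check_public_armor() {
    if ! head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo "not an ASCII-armored public key block: $1" >&2
        return 1
    fi
    if grep -q 'PRIVATE KEY BLOCK' "$1"; then
        echo "refusing: $1 contains a private key block" >&2
        return 1
    fi
    return 0
}

# For the party itself: print the full fingerprint from YOUR OWN keyring (the
# trusted copy you will read aloud) and take that piece of paper with you.
print_fingerprint() {
    gpg --keyid-format long --fingerprint "$1"
}

# Typical run (requires gpg; nothing runs when this file is only sourced):
#   make_key
#   export_public_key jane@example.edu jane-public.asc
#   check_public_armor jane-public.asc && print_fingerprint jane@example.edu
```

The fingerprint you print should come from `print_fingerprint` on your own machine, never from the event keyring page, since the point of reading it aloud is to give others a source independent of the printout they are holding.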

Attending the Key-Signing Party

  1. You must bring:
    • Sufficient photo ID to convince others that you are who you claim to be (e.g. driver's license, passport).
    • A printed copy of your PGP public key fingerprint, taken from a copy of your key that you know to be genuine (your own keyring, not the event keyring printout), or some other trusted means of reciting your public key fingerprint.
    • A pen.
  2. Pick up a copy of the keyring printout from the pile. Locate your own key on the printout.
  3. In turn, each attendee introduces themselves by name and indicates which key (or keys) on the keyring printout is theirs. They then read out their key fingerprint from their own trusted copy, and everybody verifies that it agrees with the fingerprint listed on the keyring printout. Mark each key whose fingerprint you verified this way as "fingerprint verified" on your copy of the printout.
  4. Once everyone has had a chance to read out their key fingerprints, people then introduce themselves to those they don't already know and allow their identities to be verified (e.g. against photo ID). Make a final notation on your keyring printout for each "identity verified".

The Day After or Beyond

At some point after the key signing party, using your keyring printout as a guide, you should sign the keys whose authenticity you were able to check. This strengthens the web of trust, and makes PGP more useful.

  1. Retrieve the PGP Keyring and import it into your own keyring.
  2. Check the fingerprints of the downloaded keys of those individuals whom you marked as both "fingerprint verified" AND "identity verified" on your keyring printout.
  3. If the fingerprints match, sign the key. If the fingerprints don't match, or if a key on the downloaded keyring is not both fingerprint and identity verified on your printout, DELETE that key!
  4. E-mail a copy of the signed key back to the key's owner.
  5. Don't upload signed keys to a public keyserver. Leave it to the key owner to choose how he or she wishes to manage that.
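An added example of the day-after steps with GnuPG (again not the event's own material). `decide_key` encodes the sign-or-delete rule of steps 2 and 3 as a function you can check by hand; the keyring file name, key ID and fingerprints in the usage comment are placeholders assumed for the example, and the yes/no flags are what you copy off your paper printout.

```shell
#!/bin/sh
# Added example for the day-after steps, using GnuPG. File names, key IDs and
# fingerprints below are placeholders assumed for this example.

# Step 1: import the event keyring into your own keyring.
import_keyring() {
    gpg --import "$1"
}

# Canonical form of a fingerprint as written on paper or printed by gpg:
# drop spaces/tabs/newlines, upper-case, drop a leading 0x.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]' | sed 's/^0X//'
}

# Full fingerprint of the primary key that gpg actually imported: the first
# "fpr" record of the machine-readable --with-colons listing, field 10.
fingerprint_of_key() {
    gpg --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Steps 2 and 3 as a rule: sign only when the key is BOTH "fingerprint verified"
# and "identity verified" on your printout AND the full 40-hex-digit v4
# fingerprint of the imported key equals the one you checked at the party.
# Anything else is deleted; in particular a 16-digit key ID that "looks right"
# is not enough, because key IDs can be made to collide and fingerprints cannot.
# Usage: decide_key PRINTOUT_FPR IMPORTED_FPR yes|no yes|no   -> prints sign|delete
decide_key() {
    p=$(normalize_fpr "$1")
    i=$(normalize_fpr "$2")
    if [ "$3" = yes ] && [ "$4" = yes ] && [ "${#p}" -eq 40 ] && [ "$p" = "$i" ]; then
        case "$p" in
            *[!0-9A-F]*) echo delete ;;
            *) echo sign ;;
        esac
    else
        echo delete
    fi
}

# Apply the decision to one key, then (step 4) write the signed key to a file
# you e-mail to its owner. Nothing here talks to a keyserver (step 5).
# Usage: process_key KEYID PRINTOUT_FPR yes|no yes|no
process_key() {
    fpr=$(fingerprint_of_key "$1")
    if [ -z "$fpr" ]; then
        echo "$1 is not in the keyring" >&2
        return 1
    fi
    case "$(decide_key "$2" "$fpr" "$3" "$4")" in
        sign)
            gpg --sign-key "$1"
            gpg --armor --export "$1" > "$1-signed-by-me.asc"
            echo "signed $1; e-mail $1-signed-by-me.asc to its owner"
            ;;
        delete)
            # batch deletion needs the full fingerprint, which is what we have
            gpg --batch --yes --delete-keys "$fpr"
            echo "deleted $1 (unverified or fingerprint mismatch)"
            ;;
    esac
}

# Typical run (requires gpg; the yes/no flags come from your paper printout):
#   import_keyring party-keyring.asc
#   process_key 0x0123456789ABCDEF "1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678" yes yes
```

`gpg --sign-key` certifies every user ID on the key. If a key carries a user ID whose name does not match the photo ID you checked, use `gpg --edit-key KEYID`, select the matching `uid`, and run `sign` there instead, so you only vouch for what you actually verified.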