The Chinese version follows below.

What is a Key Signing Party? Why does it matter?

A key signing party is a get-together of people who use the PGP encryption system with the purpose of allowing those people to sign each other's keys. Key signing parties serve to extend the web of trust (WoT) to a great degree. Key signing parties also serve as great opportunities to discuss the political and social issues surrounding strong cryptography, individual liberties, individual sovereignty and even implementing encryption technologies or perhaps future work on free encryption software.

This key signing party will use the Zimmermann-Sassaman protocol for efficient key signing.

How to attend a Key Signing Party?

Send us your public key

First, each participant should have their own key that uses 4096/RSA or a stronger algorithm. If you don't have one, or you have a weaker one, please create your key following this guide.

Please confirm that your ~/.gnupg/gpg.conf has the following lines:

digest-algo sha256
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

Then, provide your clean, armored, minimized and clear-signed public key, using the output of this command:

$ gpg --armor --export-options export-clean,export-minimal --export "Your Key ID" | gpg --local-user "Your Key ID" --clearsign > YourKeyID.txt

Send an email to mwei@lxde.org with YourKeyID.txt attached no later than Jun 23, 23:59 UTC+8, preferably with the subject [KSP] Your Name.

Your keys will be processed manually, and if the submitted keys are valid, the key IDs will be listed at https://m-wei.net/stretch-rp-tpe/ksp-participants.html. If your key is not listed within 24 hours, please send an email to mwei@lxde.org again to poke the coordinator.

Prepare the list of keys

On Jun 24 in the morning, the coordinator will release the key list, along with its SHA256 hash and the signature. Please download these files, and verify the hash of the key list with this command:

$ sha256sum stretch-rp-tpe-ksp.txt

You can also use the gpg command:

$ gpg --print-md sha256 stretch-rp-tpe-ksp.txt

Please verify the computed hash and write it down on the hard copy (i.e. printed paper) of the document before the event, and bring it to the key signing party.
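
An added example, not part of the original announcement: sha256sum prints the digest as 64 lowercase hex digits followed by the file name, while gpg --print-md prints it after the file name as uppercase, space-separated groups that may wrap onto a second line, so the two outputs cannot be compared character for character. The script below normalizes either layout before comparing the downloaded list with the published hash. The function names and the exit-code convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): check the downloaded key list
# against the published SHA256, accepting sha256sum or gpg --print-md layout.

# normalize_hash: digest text on stdin -> lowercase hex digits on stdout.
normalize_hash() {
    awk '
        # sha256sum layout: "<64 hex digits>  <filename>"
        NR == 1 && length($1) == 64 && $1 !~ /[^0-9A-Fa-f]/ {
            print tolower($1); done = 1; exit
        }
        # gpg --print-md layout: "<filename>: 2CF24DBA 5FB0A30E ..." and the
        # digest may continue on indented lines; drop prefix and whitespace.
        NR == 1 { sub(/^.*: /, "") }
        { gsub(/[ \t\r]/, ""); out = out $0 }
        END { if (!done) print tolower(out) }
    '
}

# format_for_paper: 64 hex digits -> eight uppercase groups of eight,
# easier to copy by hand onto the printed key list and to read aloud.
format_for_paper() {
    printf '%s\n' "$1" | tr 'a-f' 'A-F' | sed 's/......../& /g; s/ $//'
}

# verify_keylist FILE PUBLISHED: 0 = match, 1 = mismatch, 2 = unusable input.
verify_keylist() {
    [ -r "$1" ] || return 2
    published=$(printf '%s\n' "$2" | normalize_hash)
    # Refuse anything that is not exactly 64 hex digits after normalizing.
    case "$published" in ''|*[!0-9a-f]*) return 2 ;; esac
    [ "${#published}" -eq 64 ] || return 2
    computed=$(sha256sum "$1" | normalize_hash)
    [ "$computed" = "$published" ] || return 1
    format_for_paper "$computed"
}

# Usage: sh this-script stretch-rp-tpe-ksp.txt "<published hash text>"
if [ "$#" -eq 2 ]; then
    verify_keylist "$1" "$2" || { echo "hash check failed ($?)" >&2; exit 1; }
fi
```

A match prints the hash in the grouped form to copy onto the hard copy; a mismatch or malformed hash prints nothing to copy.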

What to bring to the key signing party?

Questions?

For further questions, please email the coordinator:

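Key Signing Party

What is a Key Signing Party (KSP)? Is it important?

A key signing party is an event where users of the PGP encryption system authenticate one another by signing each other's keys, extending the web of trust (WoT) among users. Debian relies heavily on PGP as its trust mechanism: every Debian package carries its uploader's signature, and the uploader's key must be signed and endorsed by at least one Debian Developer. It is also a good occasion to discuss cryptosystems, individual liberties, individual sovereignty, or even the implementation of encryption methods.

To speed up the mutual trust process, this event will use the Zimmermann-Sassaman protocol.

How to attend the KSP

Send us your public key

First, a participant's key must be of 4096/RSA strength or stronger. If you do not have a PGP key, or yours does not reach 4096/RSA strength, please refer to this page to generate a new one.

Please confirm that your ~/.gnupg/gpg.conf has the following settings: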

digest-algo sha256
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

Then, export your signed public key with the following command (replace Your Key ID with the last 16 characters of your fingerprint):

$ gpg --armor --export-options export-clean,export-minimal --export "Your Key ID" | gpg --local-user "Your Key ID" --clearsign > YourKeyID.txt

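Please send the generated YourKeyID.txt as an attachment to mwei@lxde.org, preferably with the subject [KSP] (your name). The deadline is before 23:59 on June 23, Taiwan time.

Your key will be processed manually. If your key is correct, it will be added to the page https://m-wei.net/stretch-rp-tpe/ksp-participants.html. If it is not listed within 24 hours after you send the email, please email mwei@lxde.org again as a reminder.

Prepare the key list

On the morning of June 24, the organizer will publish the key list, its SHA256 hash, and the signature of that hash. Please download the above files and verify them with the following command: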

$ sha256sum stretch-rp-tpe-ksp.txt

You can also use the gpg command:

$ gpg --print-md sha256 stretch-rp-tpe-ksp.txt

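Please compare the hash, write it down on your printed copy of stretch-rp-tpe-ksp.txt, and bring that printed copy to the key signing party.

What to bring to the venue?

Contact

For other questions, please email: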