Meeting people for keysigning - using Biglumber

Posted by chris on Tue 28 Nov 2006 at 07:20

You've set up gpg and can now use it for signing and encryption - but how to go about getting your key signed so that you are not only relying on the web of trust?

However - there are services available that allow you to organise meets with other people from your area - or when travelling.

Here we'll look at one of them - Biglumber.

Preparation

First - we need to prepare. When meeting - you will need to be able to provide information on your key as well as a mutually agreed proof of identity (hint - its a real help if you remember that the proof of ID should relate to the key in some way. There's no point me turning up with our illustrious webmaster Steve's key and proof that I'm Chris!).

Some people write out the key details - but - the debian project has a utility to help its users at keysigning events. This is just as useful for us as normal debian users.

Lets install the signing-party package.

aptitude install signing-party

This will provide us with the gpg-key2ps binary.

For example - using my key:

gpg-key2ps 224A5434 > chris.ps

If you want this as pdf instead - you can use the ps2pdf binary from the gs-common package (at least - thats where I find it on my unstable box)

This will provide you with a page full of small notes - each with all the key details you want.

Registration at Biglumber

Head on over to www.biglumber.com and hit the "Add your key" link. You can either export your key as guided - and paste it in - or - if it is already on a keyserver - just give the ID. This will cause the site to send you an encrypted mail with login details. Note - this will send the mail to the e-mail address for the key.

When the mail arrives - decrypt it to get the password. Then head to the login link at biglumber and login.

Biglumber have four types of entry - personal (permanent), personal (temporary - used for e.g. visiting an area), event (permanent - that is - recurring), event (one-time).

So - add your details - and check any others from your area - send them a mail - and organise a meet :) Remember when you head off to take:

• Your key details
• Your proof of ID
• Details of where and when to meet
• And - if the key contained an image - perhaps that will help you recognise the other party :)

A matter of courtesy - when you've got home - and the key details you've been given to check all check out - sign the public key of the other party and send it to them - don't leave them waiting weeks for it.

You could also choose to use biglumbers key exchange - you both agree to add the signed key to that server using the key exchange page and it will only deliver the signed keys to each party when both have delivered.

You can get biglumber to mail you of new keys, or there is a general mailing list or an RSS feed. When travelling - you can just hop on to the site and check your destination.

As a side note - even if you're not a biglumber member - if you're in Oslo or heading there on a visit - you're welcome to mail me and ask to meet up for a key exchange - just grab my key from a keyserver (224A5434) and send me a signed mail :) We can take it from there.

More info on this topic:

• Debian Keysigning
• Debian GPG Signing Coordination page - for people going through the debian new maintainer process

This article can be found online at the Debian Administration website at the following bookmarkable URL:

• http://www.debian-administration.org/articles/468

This article is copyright 2006 chris - please ask for permission to republish or translate.