-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello, all:
I collected 46 keys from 40 people interested in keysigning at the
Kernel Summit. I have uploaded the fingerprints and the pubring to the
following locations:
https://www.kernel.org/ks2012-fingerprints.txt
https://www.kernel.org/ks2012-pubring.gpg
This is the sha256sum of the pubring:
bbb816d955c3939c72985175b0ea4f8781662f70d8a0fa9b0985391403a0fe79
You can import the pubring using "gpg --import" command.
WARNING: just in case someone jumps the gun -- these fingerprints were
taken at "face value". I DID NO VERIFICATION WHATSOEVER whether these
keys belong to the actual people. DO NOT sign any of these keys
without the verification procedure at the Kernel Summit. My GPG
signature on this email is in no way an endorsement of these keys.
Here's how the procedure will play out:
1. Before lunch on Wednesday, I will take 5 minutes of your time to
introduce myself and to recite the sha256sum of the pubring available
for download from the link above. People with laptops capable of
downloading the pubring and running "sha256sum" (should be about 95%
of the audience, I think) can validate whether the hash verifies.
2. I will also make available printed worksheets with people's names
and key fingerprints (or print your own -- see attached).
3. If you are willing to sign people's keys, please obtain from me a
copy of the worksheet, a short pencil, and a stylish sticker [*]:
a. Affix the stylish sicker to your KS badge to indicate that
you're willing to sign keys.
b. Fold the worksheet and keep it in your KS badge. [**]
c. Keep the brass lantern^W^W short pencil in your badge, too.
4. During lunch and later during the day, if someone approaches you
and asks to sign their key:
a. Keep calm.
b. Locate their name on the worksheet.
c. Ask to see some government-issued ID to verify their identity.
d. Alternatively, ask personal/kernel-related questions which only
that person would be able to answer (see Harry Potter books 6 and 7).
5. If you are comfortable in asserting that the person asking your
signature is who they say they are, put an "X" next to their name on
the worksheet using the pencil provided (or an alternative writing
utensil should there be a dearth of pencils).
6. When you get back to your laptop, run "gpg --sign-key [keyid]" for
all the people marked "X" on your worksheet. The key id is the last 8
chars of the fingerprint smushed together. [***] If a person has
multiple fingerprints, sign all their keys.
7. Lastly, do "gpg --send-keys [keyid]" to upload the newly signed key
to the keyservers.
.. [*] what will be on the stickers remains to be established.
.. [**] assuming it's not a fully laminated badge without openings.
.. [***] This assumes you ran "gpg --import ks2012-pubring.gpg" prior.
If you have any questions, please let me know.
Best,
- --
Konstantin Ryabitsev
Systems Administrator
Linux Foundation, kernel.org
Montréal, Québec
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQGcBAEBAgAGBQJQOHMDAAoJEI6WedmufEle5RUL/jYf3ldhvaokFEVxaNmclLqe
RHbqO2jpxho+nkRwDvHRIdr4NGvvRsD2JQFPkR86qDpp9oASQ/gG+SaanL4sDBrh
Q+6nJwRKMSulIauWlnS5fP9jGw/ye0RT2Q6nNP/yCSYxxhe+vImmObN1AtzfTtfs
/U5MQf0iCla/kvyS1Qv5DVw4IGdm+e3KHWCBQG8qh0aahnq4tmaYdv4vjI0ZJ35n
otUzQOpiDKQBfbMaE3Gl9xrAbKNUvtdPA4GOjo2MhDCZeqDLLYGtDK4gr4zUJt9p
gHdVG4KQxkulKW/6TTIJTfBbEL86UnRWaO/8T9+vxovecrkowfIWKj9LeK1bbczp
6C2FVRq6dWEh7fhOFQo/CPFLVBqb+volIFcHOYWmUDmrgGUAVw9BqyWEJE+hKMLs
u6cuUZCNEpEsFqye4hNuC3OkJ19jVKr1wtmOAt7XxedskPGOAdnDtbe7/ElWmEtG
HpAwOwX1OX62L/YrNTTky6Zg1czzQPaJxLvOysfwrQ==
=/bJM
-----END PGP SIGNATURE-----
On Fri, Aug 24, 2012 at 11:39:03PM -0700, Konstantin Ryabitsev wrote:
> 6. When you get back to your laptop, run "gpg --sign-key [keyid]" for
> all the people marked "X" on your worksheet. The key id is the last 8
> chars of the fingerprint smushed together. [***] If a person has
> multiple fingerprints, sign all their keys.
Well, this can be made to work, but it's a bit clumsy. People will be
verifying their fingerprint against the sha of the keyring. The pdf
file isn't trusted (although each person could verify it, if desired).
This means that each person I want to sign, I have to assure that
their signature matches the one in the signed keyring, and to make the
worksheet useful, I have to also verify that the fingerprint on the
worksheet matches.
Some may find it useful to print out the worksheet themselves along
with its hash, and we can verify the sha256 hash of the pdf file.
David
--
Sent by an employee of the Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum.
On Fri, 2012-08-24 at 23:39 -0700, Konstantin Ryabitsev wrote:
> Hello, all:
>
> I collected 46 keys from 40 people interested in keysigning at the
> Kernel Summit. I have uploaded the fingerprints and the pubring to the
> following locations:
>
> https://www.kernel.org/ks2012-fingerprints.txt
> https://www.kernel.org/ks2012-pubring.gpg
>
> This is the sha256sum of the pubring:
> bbb816d955c3939c72985175b0ea4f8781662f70d8a0fa9b0985391403a0fe79
>
> You can import the pubring using "gpg --import" command.
>
> WARNING: just in case someone jumps the gun -- these fingerprints were
> taken at "face value". I DID NO VERIFICATION WHATSOEVER whether these
> keys belong to the actual people. DO NOT sign any of these keys
> without the verification procedure at the Kernel Summit. My GPG
> signature on this email is in no way an endorsement of these keys.
>
> Here's how the procedure will play out:
[...]
You seem to have missed step 0:
Verify your own key fingerprint in ks2012-pubring.gpg by comparing:
gpg --fingerprint $KEY_ID
gpg --no-default-keyring --keyring ./ks2012-pubring.gpg --fingerprint $REAL_NAME
(Normally, people would verify their key fingerprints in
ks2012-fingerprints.txt, but unless we also agree the sha256sum of that
then no-one can rely on the contents of that file as more than a
checklist.)
Ben.
--
Ben Hutchings
Experience is what causes a person to make new mistakes instead of old ones.
On 26/08/12 09:42 AM, Ben Hutchings wrote:
> You seem to have missed step 0:
>
> Verify your own key fingerprint in ks2012-pubring.gpg by comparing:
>
> gpg --fingerprint $KEY_ID
> gpg --no-default-keyring --keyring ./ks2012-pubring.gpg --fingerprint $REAL_NAME
Yes, you are correct. I'll send a mass mailing to all people who
submitted their keys to remember to do that step -- I meant to do that,
but got busy doing all the datacentre stuff.
Thanks for the reminder.
Best,
--
Konstantin Ryabitsev
Systems Administrator
Linux Foundation, kernel.org
Montréal, Québec