Keysigning
From StackWiki
PGP, CAcert and Thawte assurance at Stack
From time to time the Stack SHoBo will be combined with a so-called PGP key signing party. However, at every regular SHoBo there will be plenty of people present who are willing to formally confirm your identity for PGP, CAcert and/or Thawte web-of-trust assurance.
A PGP key signing party is an occasion where people interested in security get together to verify and confirm each other's PGP signing keys. If you want to take part, it is advised to email your public PGP key fingerprint to pgp@stack.nl in advance, so that Stack can arrange for plenty of hard copies to be available. Apart from PGP signing, there will be several CAcert assurers present. These assurers can verify your identity and grant you points for free SSL certificates from CAcert. These certificates can be used e.g. for email signing and encryption (as an alternative to PGP), but also for website authentication and encryption (https). If you are interested, please register in advance on the CAcert website. Some of these CAcert assurers are Thawte notaries as well. This means they can also issue points for the Thawte web-of-trust. For Thawte you should register on their website and later grant these notaries access to your details.
What is PGP?
PGP, Pretty Good Privacy, is a method for the encryption of (email) messages, so that nobody except the intended recipient can read this message. It is also possible to cryptographically sign your messages so that the recipient can verify that the message really originated from the correct person.
GPG, GNU Privacy Guard, is an open source program to administer PGP keys and encrypt/sign messages. For those not familiar with GPG, the Dutch website GnuPG in 5 minuten is a good starting point. This tutorial includes an overview of all important gpg commands with a clear explanation.
During a so-called "PGP/GPG key signing party", people get the opportunity to verify each other's PGP keys. During the SHoBo you can let the other attendants confirm that your PGP key (fingerprint) really matches your name and identity. After the party you can check the verified fingerprints against the keys available online and sign other people's public keys to indicate to the world that you have checked their identity. The signed PGP key may be published using a public PGP keyserver. A key that has been signed by other people is more trustworthy than "just anything uploaded to the internet", especially if you know the people who have signed the key.
If you want to join a SHoBo key signing party, remember to bring along paper slips with your PGP key fingerprint and a valid identification card or passport. The PGP key fingerprint can be generated with gpg --fingerprint myemail. Note that the entire output of this command is relevant to others, so print it out completely and bring plenty of copies.
If you contact pgp@stack.nl before the SHoBo and send them your key fingerprint, they will make sure that plenty of printed copies are available for all those who plan to attend. An electronic version of all submitted public keys and fingerprints may be sent out after the SHoBo (on request).
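The step that matters after the party is the comparison: the fingerprint you ticked off on a paper slip, next to the person's ID, must match byte for byte the fingerprint of the key you later fetch from a keyserver, and only then is the key signed. The script below is an added example, not part of this wiki page or of Stack's tooling. It parses the text layout of gpg --fingerprint (both the current GnuPG layout and the older "Key fingerprint =" line), normalises fingerprints so that spacing and letter case on a hand-written slip do not matter, and reports which keys in the keyring match a slip you verified. The sample gpg output and the slip fingerprints are constructed for the example (the keys, names and addresses are not real), and the gpg commands it prints are only suggested; it does not run gpg itself.

```python
import re

# Constructed sample of "gpg --fingerprint" output: two keys in the modern
# GnuPG layout and one in the legacy layout. No real keys are involved.
SAMPLE_GPG_OUTPUT = """\
pub   rsa4096 2019-03-01 [SC]
      0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid           [ultimate] Alice Example <alice@example.org>
sub   rsa4096 2019-03-01 [E]

pub   rsa2048 2020-07-15 [SC]
      FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98
uid           [ unknown] Bob Example <bob@example.org>
sub   rsa2048 2020-07-15 [E]

pub   2048R/0A1B2C3D 2009-11-01
      Key fingerprint = 1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA
uid                  Carol Example <carol@example.org>
sub   2048R/1E2F3A4B 2009-11-01
"""

# Constructed "paper slip" fingerprints as checked off at the party:
# Alice's copied without spaces in lower case, Bob's with one wrong hex
# digit in the last group (a transcription error), Carol's exact.
SLIPS_CHECKED_AT_PARTY = [
    "0123456789abcdef0123456789abcdef01234567",
    "FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA99",
    "1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA",
]

# A v4 OpenPGP fingerprint is 40 hex digits, printed by gpg as ten groups of four.
FINGERPRINT_RE = re.compile(
    r"^\s+(?:Key fingerprint = )?((?:[0-9A-Fa-f]{4}\s+){9}[0-9A-Fa-f]{4})\s*$"
)
# "uid" lines optionally carry a bracketed validity tag before the user id.
UID_RE = re.compile(r"^uid\s+(?:\[[^\]]*\]\s+)?(.+?)\s*$")


def normalize(fingerprint):
    """Strip spacing and upper-case a fingerprint; reject anything that is not 40 hex digits."""
    compact = "".join(fingerprint.split()).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", compact):
        raise ValueError("not a 40-hex-digit fingerprint: %r" % fingerprint)
    return compact


def parse_fingerprints(gpg_output):
    """Map each primary-key fingerprint in gpg --fingerprint output to its user ids."""
    keys = {}
    current = None
    for line in gpg_output.splitlines():
        if line.startswith("pub"):
            current = None          # new key block; fingerprint line follows
            continue
        m = FINGERPRINT_RE.match(line)
        if m:
            current = normalize(m.group(1))
            keys.setdefault(current, [])
            continue
        m = UID_RE.match(line)
        if m and current is not None:
            keys[current].append(m.group(1))
    return keys


def check_against_slips(gpg_output, slip_fingerprints):
    """Return (keys whose fingerprint matches a verified slip, slips with no matching key)."""
    keys = parse_fingerprints(gpg_output)
    slips = {normalize(s) for s in slip_fingerprints}
    matched = {fp: uids for fp, uids in keys.items() if fp in slips}
    unmatched = sorted(slips - set(keys))
    return matched, unmatched


def suggested_commands(matched):
    """Suggested gpg invocations for matched keys (the full fingerprint is a valid key selector)."""
    cmds = []
    for fp in sorted(matched):
        cmds.append("gpg --sign-key %s" % fp)
        cmds.append("gpg --send-keys %s" % fp)
    return cmds


if __name__ == "__main__":
    ok, missing = check_against_slips(SAMPLE_GPG_OUTPUT, SLIPS_CHECKED_AT_PARTY)
    for fp, uids in sorted(ok.items()):
        print("verified:", fp, "->", ", ".join(uids))
    for fp in missing:
        print("no key in keyring matches slip:", fp, "(re-check the slip; do not sign)")
    for cmd in suggested_commands(ok):
        print("  ", cmd)
```

In the sample, Alice's and Carol's keys are reported as verified and Bob's slip is reported as matching nothing, because a single wrong digit is enough to turn it into a different fingerprint; the right response to that is to contact Bob and check again, not to sign the nearest-looking key.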
What is CAcert?
CAcert is a non-profit organisation that gives out free X.509 certificates. Such a certificate can be used to digitally sign or encrypt your email (using the S/MIME standard). They also give out server certificates that can be used to facilitate encrypted connections for servers, for instance a webserver using https.
Many organisations give out these SSL certificates (e.g. KPN, Verisign, Thawte), but most of them ask a lot of money for this service. CAcert offers a good alternative where users verify and validate each other's identity: trust is built up using a web-of-trust, much like the PGP web-of-trust. This means that 'trust' in a person (and their certificates) increases as more people validate that person.
For validation during the SHoBo, users should fill in an "identification form", which will be available at the SHoBo. You'll need to fill in your name, date of birth and email address. Your email address must match your CAcert website login (create that first if you don't have a login account). Remember to bring along a valid ID (preferably two, e.g. passport and driver's license), so that the "CAcert assurers" can verify your identity.
What is Thawte?
Thawte is a South African company that focuses on online security services. Apart from commercial sales of SSL certificates, Thawte also offers free email (X.509) certificates. Using the web-of-trust principle, one can obtain validation points for this. The system is very similar to the CAcert points system. The advantage of Thawte is that their root certificate is included in many common applications by default. However, unlike CAcert, Thawte does not issue free server certificates.
At the SHoBo several "Thawte notaries" will be available to verify your identity. If you wish to participate, please register in advance on the Thawte website and email your registration ID (usually an email address) to pgp@stack.nl. Then we can arrange for the notaries to obtain forms with your details already filled in. The rules for Thawte assurance are stricter than for CAcert: apart from the requirement for two valid IDs, each notary must keep a copy of one of your identification papers.
Thawte is terminating its web-of-trust service and will stop issuing free personal certificates in November 2009.
