This repository has been archived by the owner on Jan 29, 2019. It is now read-only.

WIP: first attempt at instructions #52

108 changes: 108 additions & 0 deletions README.md
Expand Up @@ -51,3 +51,111 @@ Install an OpenPGP implementation:
to a package called `gnupg2`
* Android: https://www.openkeychain.org/
* iOS: https://privacyapp.io/

## After the event

You should now have a table with a set of validated fingerprints and ids. You
can use this to now sign any of those identities that you have personally
Collaborator

Maybe highlight the words "personally validated"

Collaborator Author

good plan

validated.

This guide is written assuming you have `gpg2` installed as `gpg` if any of
Collaborator

These instructions work on which platform?

Collaborator Author
@graingert graingert Nov 1, 2017

any with a terminal, a sh like shell (bash/zsh/PowerShell ish), and gpg 2+ installed,

Collaborator

I think you should explicitly say what ios/android/windows should use

these commands fail, you can try using `gpg2` instead.

### The table

An example of a filled in table, noting validated fingerprints:

| name | fingerprint | fp verified | id verified |
| --------------------- | ---------------------------- | ----------- | ----------- |
| Elizabeth Mathis | aaaa aaaa aaaa aaaa aaaa ... | no | n/a |
| Kimberly Duncan | bbbb bbbb bbbb bbbb bbbb ... | yes | yes |
| Amy Lambert | cccc cccc cccc cccc cccc ... | yes | no |
| Bill North | dddd dddd dddd dddd dddd ... | yes | William |

### Anatomy of a PGP identity.

PGP identities are RFC2822 email address headers, they include a name, an
optional comment and a mail address:

```
John Smith (this is a test) [email protected]
└────┬───┘ └──────┬───────┘ └────────┬────────┘
name comment mail
```

### Importing the keys.

I've includes a file in this repository `./keys.asc` that contains a dump of
every key that was submitted to this repository over the course of PyCon UK.
Do not sign every one of these keys: some of them you may have validated, some
Collaborator

embolden Do not sign every one of these keys

of them you may not have. Only sign the keys with fingerprints that you have
personally validated.

To import the keys on the command line run:

```
gpg --import path/to/keys.asc
```

### Sigining the keys.

For each of the fingerprints you have validated run:

```
gpg --sign-key --ask-cert-level --ask-cert-expire <fingerprint>
```

### Choosing a certification level.

You will be given the option to choose a "certification" level this is a value
that you should personally choose:

For example:

* if you have marked a fingerprint as not `fp verified` do not sign.
Collaborator

if you have NOT marked a fingerprint as fp verified DO NOT SIGN

Collaborator

Currently you have these a little out of order from unknown -> full verification. I feel that having them in order of trustiness might be more intuitive. Alternatively, maybe a diagram would be more helpful?

* If you have marked a fingerprint as `id verified` and you are very sure of
this person's identity pick 3 (I have done very careful checking).
* If you have marked a fingerprint as not `id verified` then you may want to
choose 2 (I have done casual checking), Unless you feel that person has
sufficiently convinced you of their identity using other means, then you may
wish to choose 3 (I have done very careful checking) anyway.
* If you have added extra notes, eg this person claims to be called "Bill North"
but their ID claimed that they are "William North" you will have to make your
own judgment call on which certification level to assign.

If you feel you want to mark every fingerprint as 3 or 2 that's totally up to
you. The certification level should be up to your own judgment and your own
trust in your ability to carefully validate fingerprints and identities.

### Sending your signature to the key owners

Debian signing guidlines recommend encrypting your signature and sending it
on a case by case basis to each participant:

```
gpg --armor --export <fingerprint> | gpg --encrypt -r <fingerprint> --armor --output <fingerprint>-signed.asc
```

Another easier option is to run:

```
gpg --send-keys <fingerprint>
```

for each fingerprint of the keys that you have signed.

Unless the person you are signing has specifically requested that you send
the signature in a specific way, you are free to choose the method.


### See what happened

If you periodically run:

```
gpg --recv-keys
```

Or search for your own key on a keyserver, you will be able to see the
signatures you have made and those that others have made in an ever expanding
web of trust!
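Review bot: in the "See what happened" block, `gpg --recv-keys` is given no key ID and so fetches nothing; either pass the fingerprints you want to check (`gpg --recv-keys <fingerprint>`) or use `gpg --refresh-keys`, which re-downloads every key already in the local keyring and so picks up the new signatures on all of them in one go. Under "Sending your signature to the key owners" it is worth one extra sentence that `gpg --send-keys` publishes the signed key to the configured keyserver, where it cannot be removed again, so the encrypted export to the owner is the safer default when they have not said they want their key on a keyserver. Typos in the added text: "Sigining" (heading), "I've includes a file", and "guidlines".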
Collaborator

Maybe we should add a feedback address like: "What would you like to have next year" or something like that?