Key-signing party!

[Ian Maxwell]

Here's the idea:

• Post your public key fingerprint here.
• Offer some solid evidence that you own that key. (You can decide what constitutes solid evidence. Or, more accurately, your audience can.)
• We all collect and sign one another's keys, provided we're convinced of their identity.

For example, I just posted the following message in another thread.

Code:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am the real Ian Maxwell with public key fingerprint BFBC8D95. My key is only self-signed, but you can verify it by doing the following:

- - -  Send an email to ian.maxwell@gmail.com with subject line "BFBC8D95" and body text "bitcoin".

- - -  I will respond with a signed message referencing this one.

If you do verify my identity, I ask that you sign my public key afterward.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iQIVAwUBTdfdNnO2hWa/vI2VAQJ29BAA5sIRG6i+yrZ9XSGejecHD8bKORebLLfR
4iynImjzs2ecYU6g0E5K3gLZlOnVZmnpRlhaTHgsKl/by55XA7uJq9ITXuurrRQN
2J+J280zbmA+QtbE8ulENfRbmPkPfEmwJEZedLg70rsdHFbt54bUFnlB2pViflRA
wDFBB+o8jB4sc1mRPtxpRfGDMARaGBzXV+xI/NYTUfzpvmfhNeErfPzCqeLttnTo
QCI9y1+vBHnzsyFKi9DMwrMi0C1fy82RVzG0s0/VLqZa4oDcJbJXm/IucAYW64Kz
QbT/3eJ/d7PWhwcWTCefDA96/zT3HT+TyNMdrMoumRcpB6MKT3Sv41xMXsgP1nb4
u/CGZ6NR+lwbPV4GMLahMIM5W41XWD67LlHetPKXlHSjO0VAUmvYiF22nSErQMj1
B6Dq0RQ/8bpqK/WLXOBP/pEMQSC1ZquqDKs72DT8tQkYQmNiMOoC4A+7CcqNyFxz
JFW70Bjmq1fABKLfVs7Au4gu2AJFOofv5u751hMIS2+aumaaRvsxU8f3VGBweaRh
SZFiBk52SGJWVkooYqUSgZXZTphdgmUg3PUSswLrHtJtwuF7H0IkMfStzeejkSys
XFPUZ3YCQc7/Kw3yxSDpLAn2Y4DNSvbcwZFjZN+ZahGMmuli09zORw869Lp7PQ5j
RVTFPiPiUQE=
=o3wJ
-----END PGP SIGNATURE-----

Note: although I'm revealing my offline identity, this is not required! You can use a pseudonymous key if you like, as long as you can prove it's yours. Signing a message with it may be enough.

[1715150921]

1715150921

[1715150921]

1715150921

[1715150921]

1715150921

[FatherMcGruder]

Mulling this over...

[kseistrup]

I'll bite:

Code:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I'm the real Klaus Alexander Seistrup with public key fingerprint EF41 41A1 2900 CE74 1F0C C704 6EB6 06A3 8851 0169.

To verify my public key, please follow the instructions at http://klaus.seistrup.dk/pubkey_verify.txt

If you do verify my identity, I ask that you sign my public key afterward.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBCgAGBQJN1/7UAAoJEG62BqOIUQFpeaoQALNycrUVljIK7u832SUrMpti
ZeDKrLC0MYnCPTaWXxPe1fyDFo3o/06iwDtYl7k1z0epqA9cswxwZdIWv2e9RhHl
u1UXoY2++FdrwhWlJBh2OZtT+W+0TpM5nQ8zbJxYndcB/DktUtz2LeRW2hMvoCbX
9DrydXoDcipQwo9R+UYpjVppYF7XoiBcSNnFmEwADzh7Q0/7r1R4O5d8p23P7CdJ
D+uzaaGTtvIIqhEBJVCVh00K/rLDBYfvpIRQpGtkKAuKdj1JasRdh1A9D0dP0ud5
35NH0yrg6Pg86w5yNnPolSTr23Yaf+CGxWBPFw6OjSq+GHa2DKrImAXZ/M8iV3b1
2FTDvp9cbCwPKZFHcG+6ZN+na0qoenCzfeycWfdJUnaQuF//YA+QNI++fI5+Pj3g
VAz0ONzbak7MaS1L56iQpmmro0o1mYX7BGpiZDV3pOCZ5HYkCTcve3FTo18tsvdF
Geu0+xZpPGw68NXdNJ0qq6ORSlgPwmG+18LibE8aoRbRL4N5fGE8jExtqVuBaEFv
4h5q5fM/q9CYihFzqLDhDc1D0BP3NY6pnVDKfKXWsE/BjPQT57OiPNzc9fXPHdxC
fSf27GfTQivnTGVY+yXXJptLXdZcmhhwrbjuvVT3Wz7o+jR2Be+d6Oi9zclPfc1a
qWvrSIF1pNNt+TnqbUhF
=vgiB
-----END PGP SIGNATURE-----

Cheers,

[kseistrup]

Houston, we have a problem:  Gmail breaks long lines, causing a bad signature.  Dammit, Gmail! 

[Ian Maxwell]

Thanks for figuring out the problem! I was about to post it myself.

I'll have to edit my auto-response to include line breaks for long lines.

[kseistrup]

I just updated my auto-response, too, in order to avoid long lines.

[Ian Maxwell]

Problem: it's still breaking up the signature itself. Never mind, fixed. Try again.

[kseistrup]

Problem: it's still breaking up the signature itself.

Really?  I chose “Show original” on my own auto-response and saved it to a file, then veirified the signature.  Could you try mine again, please?

Cheers,

[Ian Maxwell]

I've tried again and verified (and signed) your key! One of my extensions had stuck an image in the middle of your message, and I forgot to "show original" before checking it.

Mine should be fixed as well now.

[kseistrup]

I've signed yours, too.  I think this is a pretty cool way of holding a key-signing party!! 

Cheers,

[FatherMcGruder]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I am the real Kurt Padilla. My public key fingerprint is 5D67 9B6C 3A35 D9B5 5A76 42F9 D188 DC4D FF7E 7CCD.

To verify my public key, please send an e-mail to kurt dot padilla at gmail dot com with "FF7E7CCD" in the subject and "bitcoin" in the body text. You'll then receive a signed response referring to this post.

Once you verify my identity, please sign my key.

Thanks!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iF4EAREIAAYFAk3Yg/sACgkQ0YjcTf9+fM1e1AEAhh11JoSrd11gdArlF9lMvVa1
mLingKrX/HIivvtINj4A/jirwuSwH7WXBb4qM1o5MZSEFWEAcSbMeX9yRdb3u67D
=Nicc
-----END PGP SIGNATURE-----

[kseistrup]

You'll then receive a signed response referring to this post.

If this is supposed to happen automagically, it didn't…

Cheers,

[Matt Corallo]

Code:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am the real Matt Corallo
My key fingerprint is 0A82 5097 67C7 D4A5 D14D  A230 1AE1 D350 43E0 8E54.

To verify my public key, please send an email to pgp-verify@bluematt.me and you will receive a this signed message in an email.

Once you've verified my identity, please sign my key.

Thanks.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJN2PC+AAoJEBrh01BD4I5U74MP/R7ht5e7oNbZ9xFtJsAt0dU4
UDLwyOHXQ0Xj0aDDnKgP/0GewDReB4qdj26sCzEizVEEDuVu7apXs4Sotqg8ney5
qpo5B6ltMiSZiHB+TInrDInpkxUl51EZ8kBm5YdQNbkqoFjuWuAw7hxae6gVqbxm
5RNtuxKdVzwgybFj1w51u1Ntai/1kJsa7zJeIClZ1ilxB+m5g0mLfolKAXRc5XGs
f/JgWaD+9lT8ZlJjh4poJnwF/lb0+LOdfhxX0RsmaRkGiCXFy2nRp+0rmOO0nfvw
JC5sJ4mgr50H+mNAtVXBuCQ4hpSGXfMDZ7XxGd8mrUHULS3cJAEJ3wxq2hygAs/p
MH1+2aiquqxXepOCWn52HT1zyjsvPolV+5Wy3Ttw9eeX+X78GnqlM/MfuxpB9iig
4FRLqHICsU4J234DHzZthaNxx6b6VkvBtkvKUE6+aWN9/AqrN+GlHirsDF9WSfaK
UNMhlhHq9wg48Ug1M0AY2tI37Wx2/GqnDgrtXHFBryqTFTrFW+OJ/O3TGPv7tu0K
ga5qvEsDg4y70OUAQnUPR7A1LWu6xbDftWJW80RI1YDbJp4vv234q28CXwEVgtu5
mT5DmYOy9ENT5pkVFCeGlfA4L2P5dHAbPKSmUa0SOMwPz1KUOaw5/1YFpSTs0SVS
LTUFghypj4mhM4OZApGU
=ogn9
-----END PGP SIGNATURE-----

[kseistrup]

Matt,

The following two lines were broken in the autoresponse I received:

Code:

My key fingerprint is 0A82 5097 67C7 D4A5 D14D  A230 1AE1 D350 43E0 8E54.

To verify my public key, please send an email to pgp-verify@bluematt.me and you will receive a this signed message in an email.

You might want to introduce hard line breaks in your text before signing it.

Cheers,

[Matt Corallo]

Matt,

The following two lines were broken in the autoresponse I received:

You might want to introduce hard line breaks in your text before signing it.

Cheers,

Good point, sorry I still haven't set up the autoresponse yet, waiting for gitian to finish with its kvm magic so I can use VBox to manage my postfix server, the response was manual... Ill have it working after a while.

[kseistrup]

Good point, sorry I still haven't set up the autoresponse yet, waiting for gitian to finish with its kvm magic so I can use VBox to manage my postfix server, the response was manual... Ill have it working after a while.

Cool.  Meanwhile you can verify mine.   

Cheers,

[Matt Corallo]

Good point, sorry I still haven't set up the autoresponse yet, waiting for gitian to finish with its kvm magic so I can use VBox to manage my postfix server, the response was manual... Ill have it working after a while.

Cool.  Meanwhile you can verify mine.   

Cheers,

Took long enough, but I finally got maildrop to push through sendmail to forward through postfix through the relayhost.

[kseistrup]

To verify my public key, please send an e-mail to kurt dot padilla at gmail dot com with "FF7E7CCD" in the subject and "bitcoin" in the body text. You'll then receive a signed response referring to this post.

I've received a few responses referring to this post, but all of them were unsigned…

Cheers,

[FatherMcGruder]

If this is supposed to happen automagically, it didn't…

Cheers,

The automagic should be working now, I think. Apologies to anyone who got more than one response, or got responses that weren't very good. I'm using Thunderbird, if anyone has any tips on that.

[kseistrup]

To verify my public key, please send an e-mail to kurt dot padilla at gmail dot com with "FF7E7CCD" in the subject and "bitcoin" in the body text. You'll then receive a signed response referring to this post.

I've received a few responses referring to this post, but all of them were unsigned…

I've now received a bunch of signed messages.  The showstopper now is that they've been converted to HTML after signing:

Code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta http-equiv="content-type" content="text/html;
      charset=ISO-8859-1">
  </head>
  <body bgcolor="#ffffff" text="#000000">
    -----BEGIN PGP SIGNED MESSAGE-----<br>
    Hash: SHA256<br>
    <br>
    Hi,<br>
    <br>
    You've received this message because you followed the instructions
    in this forum post:
    <a class="moz-txt-link-freetext" href="http://forum.bitcoin.org/index.php?topic=9251.msg134453#msg134453">http://forum.bitcoin.org/index.php?topic=9251.msg134453#msg134453</a><br>
    <br>
    In it, I stated that I am Kurt Padilla and that my public key
    fingerprint is 5D67 9B6C 3A35 D9B5 5A76 42F9 D188 DC4D FF7E 7CCD. As
    such, you can verify my identity, or at least that I own both
    <a class="moz-txt-link-abbreviated" href="mailto:kurt{dot}padilla{at}gmail{dot}com">kurt{dot}padilla{at}gmail{dot}com</a> and FatherMcGruder on the Bitcoin.org forums.<br>
    <br>
    Once you do, please sign my key.<br>
    <br>
    Thanks,<br>
    Kurt<br>
    -----BEGIN PGP SIGNATURE-----<br>
    Version: GnuPG v1.4.11 (GNU/Linux)<br>
    <br>
    iF4EAREIAAYFAk3ZGvsACgkQ0YjcTf9+fM3NtAD+LI/2pZ9v1uWRbUoT9XWXfyl7<br>
    6+zR9kSh0hZT0fITD+gA/RfweaUqCwYODY04G+zaNffWaCaCQxEU8JVrlDQbbJbo<br>
    =rgX9<br>
    -----END PGP SIGNATURE-----<br>
  </body>
</html>

Cheers,

[FatherMcGruder]

To verify my public key, please send an e-mail to kurt dot padilla at gmail dot com with "FF7E7CCD" in the subject and "bitcoin" in the body text. You'll then receive a signed response referring to this post.

I've received a few responses referring to this post, but all of them were unsigned…

I've now received a bunch of signed messages.  The showstopper now is that they've been converted to HTML after signing:

Code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta http-equiv="content-type" content="text/html;
      charset=ISO-8859-1">
  </head>
  <body bgcolor="#ffffff" text="#000000">
    -----BEGIN PGP SIGNED MESSAGE-----<br>
    Hash: SHA256<br>
    <br>
    Hi,<br>
    <br>
    You've received this message because you followed the instructions
    in this forum post:
    <a class="moz-txt-link-freetext" href="http://forum.bitcoin.org/index.php?topic=9251.msg134453#msg134453">http://forum.bitcoin.org/index.php?topic=9251.msg134453#msg134453</a><br>
    <br>
    In it, I stated that I am Kurt Padilla and that my public key
    fingerprint is 5D67 9B6C 3A35 D9B5 5A76 42F9 D188 DC4D FF7E 7CCD. As
    such, you can verify my identity, or at least that I own both
    <a class="moz-txt-link-abbreviated" href="mailto:kurt{dot}padilla{at}gmail{dot}com">kurt{dot}padilla{at}gmail{dot}com</a> and FatherMcGruder on the Bitcoin.org forums.<br>
    <br>
    Once you do, please sign my key.<br>
    <br>
    Thanks,<br>
    Kurt<br>
    -----BEGIN PGP SIGNATURE-----<br>
    Version: GnuPG v1.4.11 (GNU/Linux)<br>
    <br>
    iF4EAREIAAYFAk3ZGvsACgkQ0YjcTf9+fM3NtAD+LI/2pZ9v1uWRbUoT9XWXfyl7<br>
    6+zR9kSh0hZT0fITD+gA/RfweaUqCwYODY04G+zaNffWaCaCQxEU8JVrlDQbbJbo<br>
    =rgX9<br>
    -----END PGP SIGNATURE-----<br>
  </body>
</html>

Cheers,

Ugh. Let me try again... hold on.

[Ian Maxwell]

I'm using Thunderbird, if anyone has any tips on that.

1. Use plain text mode. This is good practice anyway since some people read all email as plain text as a matter of safety. It should be an option in Account Settings, if I remember correctly.

2. Get the Enigmail extension. It's by far the easiest way to encrypt or sign mail in Thunderbird.

[FatherMcGruder]

2. Get the Enigmail extension. It's by far the easiest way to encrypt or sign mail in Thunderbird.

Yes I have Enigmail and it's worked well for signing and encrypting messages for me. However, when Thunderbird replies with a template, it doesn't sign it. When I sign a message in my text editor, and then paste it into a compose window, the PGP bits disappear leaving only the message. Not sure what's going on here. 

[Ryland R. Taylor-Almanza]

Code:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am the real Ryland Taylor-Almanza with public key fingerprint 8092 49F5 295C 9BB6 780E  6B23 F37B 04E9 CB0C 8D51, downloadable from <http://ryland.bit/>.

My key is only self-signed, but you can verify it by doing the following:

 · Send an email to email@rylandtaylor-almanza.com with subject line “F37B04E9CB0C8D51” and body text “GPGverify”.

 · I will respond with a signed message referencing this one.

If you do verify my identity, I ask that you sign my public key afterward.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJN2wjeAAoJEPN7BOnLDI1RTmQH/jTJKJHG+9+AnK01wYbhHP4S
FlaF4mKgdxQgKLzvsMLcwTMgeta39qhj9+x6ooiFuEEo74kQTHFWWkn2qTss2yUG
CEOu1qi8NOJfhRm9c8EZRqd5mLarPIYBqyWRcfpwUftnkwMewfkTH0BubwOUY9UM
j02o5k3xe7YIn4dSyJEPw4lyAsVvUlinNiRtuabPBPtvf3lkr6RK9tQqGKPwRWLG
PLkHspoEA+Xfu38Jwcutx9G9mx75bRDkirEQMXTXmSQzrVCyYSOXBdLSV3n6rAzn
81jpyG3r/jpC3iP9nFhmD2O4FmMus27gRJJGdq5mqxXdjq7NMfGC+21SVnmO51Y=
=Y9s1
-----END PGP SIGNATURE-----

[Ryland R. Taylor-Almanza]

I've signed everyones key here, by the way (Except I'm waiting for a reply from pgp-verify@bluematt.me.)

EDIT: Signed Matt's key.

[kseistrup]

Ryland,

GPG won't verify your signature on the canned response, this is because Gmail breaks long lines.  If you make a hard linebreak between “fingerprint” and  “8092 49F5 […]” you should be cool.

Cheers,

[Ryland R. Taylor-Almanza]

Fixed. Thanks!

[kseistrup]

Fixed. Thanks!

Signed your key…

Cheers,

[FatherMcGruder]

Trying this again with the canned response feature from Google. I even added my own line breaks where necessary. It should work now, but I'm sure I'll find out if it doesn't.

[Jason Keith]

I have a couple of really basic questions. First, I'm no longer sure what it means to "sign" someone else's key. After verifying an email address like Ian's for example and then verifying the signature sent from that address, should I really just copy everything from

-----BEGIN PGP SIGNATURE-----
to
-----END PGP SIGNATURE-----

and sign it the same way I would use my own signature to sign a message of my own? And if I do, what then? How does that indicate my acceptance of the other person's claims?

Second, when I look at my own key in GPA, it says;

The key has both a private and a public part
The key can be used for certification and signing, but not for encryption.

So if it has a public part, why can't it be used for encryption?

[Ian Maxwell]

Jason: What software are you using? If you use the command-line GPG, by default it will generate keys that can be used for encryption. But if you're using Cryptophane for example, by default it generates signature-only keys. Unfortunately I haven't found the perfect Windows GUI frontend for GPG yet.

You need a public and private part for signatures as well as encryption---a private part you use to sign, and a public part others use to verify the signature.

Anyway, if you have my public key, in most software signing it will mean right-clicking it and clicking "Sign". Then at some point you'd re-upload the key to the server, with your signature on it. By doing this you're vouching that that the name and email address attached to the key are accurate. (I haven't actually proven that the name is accurate, but if you really wanted I could try and scan an ID or something.)

[Jason Keith]

Jason: What software are you using? If you use the command-line GPG, by default it will generate keys that can be used for encryption. But if you're using Cryptophane for example, by default it generates signature-only keys. Unfortunately I haven't found the perfect Windows GUI frontend for GPG yet.

I used GPG from the command line on OSX to generate the keys. Since then, I've installed Thunderbird and Enigmail on Ubuntu and I've finally gotten Penango to work with Firefox on OSX.

You need a public and private part for signatures as well as encryption---a private part you use to sign, and a public part others use to verify the signature.

OK, so if it turns out my key can't be used for encryption, should I revoke it and start again or can I edit encryption ability into the keys I have now?

Anyway, if you have my public key, in most software signing it will mean right-clicking it and clicking "Sign". Then at some point you'd re-upload the key to the server, with your signature on it. By doing this you're vouching that that the name and email address attached to the key are accurate.

So I understand how to sign it but how do I upload it to the server?

(I haven't actually proven that the name is accurate, but if you really wanted I could try and scan an ID or something.)

No, you're cool man. What you've done so far is good enough for me if that's what everybody else has been OK with. Thanks for the reply.

[kseistrup]

So I understand how to sign it but how do I upload it to the server?

Code:

$ gpg --keyserver pgp.mit.edu --send-keys 0x12345678

Subsitute 0x12345678 with keyid for actual key you wish to send.
Subsitute pgp.mit.edu with keyserver you wish to use.  Other possibilities are e.g.:

• subkeys.pgp.net
• pool.sks-keyservers.net
• keys.gnupg.net
• pgp.surfnet.nl

Cheers,

[kseistrup]

By [signing someone's public key this way] you're vouching that that the name and email address attached to the key are accurate. (I haven't actually proven that the name is accurate, but if you really wanted I could try and scan an ID or something.)

Some nerds at IRL keysigning parties demand that you show photo id (e.g., passport or driver's license).  IMHO that means that they're verifying the person's identity.  However, for me person != email address, so I'm happy to know that the key is associated with the email address it claims to represent.  This is what we're doing here.

Cheers,

[kseistrup]

P.S.: Jason, once you're ready, please tell us how we can verify your key…

[Jason Keith]

Sure. Thanks for the help guys. Penango on Firefox seems to be missing some features and Ian is right when he says the easiest way to use Enigmail with TB. I signed his key and uploaded it to a server as I will with others' here.

[Jason Keith]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm Jason Keith. One of many it seems and although you won't find me on the first couple of
pages of a Google search, you can reach me at jasonkeith@gmail.com. My fingerprint is
E936 B8CB 8537 02A1 144E  FFB0 BBF5 676B 15DD FC58 Send me an email with
15DDFC58 and Bitcoin in the subject and I'll get back to you.
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iQIcBAEBAgAGBQJN4ojuAAoJELv1Z2sV3fxYDwQP/2jwS3bBv0+wvP68EK5zXwvK
g9kjBBmkDBbl48unsUGOShzQcfB/Tt724BiBe8AXAHrYBpFO+SCIpQ7h5emncJXP
fg74ux231lrnq+fq0xkTL0mjj04yXUEg8vVjIvKyXE0nw4cR3PY0cibiwzZWS0pP
9iR6gQZGJtvn9nIQJIqW/LTkUGRXRoEDZByqllLM3icWHhX3E8ilrw9MtsLqQtJW
4Zye5vpJlBcPMStIknikZ9OShW/h3H/9exVjZxpo0ZJiTv57mCWWvx4UBnVzVyAT
bJV7aNQjkUvneMNTaxwH5tQfbDkwGkEpKt8iFza2yBPzhIovFAU6ePim0qnPop4m
W43JqfA/QlIQM8FjH2BtBegT7/7rI3Eg97fNLYbW0qxDs57HZZlHtyF4fJZh7Yed
R4bRHJS7iXrX/YIoDiWO+giamc1ZjABOI0GFoHUmtPxOcBXVR3ITkthiy6SjqESW
ACunjQYKI1MeWjtYSqZjbFxUahkJArWd3Hjph3OAiQMscw59cQV0P5NXKNQWrxaL
k96PNuhOin/qRKXWXN9NNqXlRNfqZCNAXVlijgZGkI4Sewh++BIma+e0LIfahzYo
yd+TmXE3rzFFrF6Vv016mcpf2d3ZyWoAYgrAc8zuTb/WOTiDsj7TqJSEpmoC/rZY
MzQ+pegx7DBdhUmT7fvo
=/+pd
-----END PGP SIGNATURE-----

[kseistrup]

[…] and I'll get back to you.

Tip:  You can set up a canned response so that a signed email pointing to e.g. your instruction message in this thread is returned automagically to those who send en email with this in the subject and that in the body.

Cheers,

[Jason Keith]

Thanks Klaus. I realised that just as I looked back over what everybody else in the thread seems to have done.
It's 3:30 in the morning here now and I'm gonna get some sleep before I come back and make a bigger fool of myself. Thanks again for the help all.
BTW Klaus, I verified and signed your key as well. I"ll get around to everybody else tomorrow.

[kseistrup]

It's 3:30 in the morning here now and I'm gonna get some sleep before I come back and make a bigger fool of myself.

Hehe, sleep well. 

BTW Klaus, I verified and signed your key as well. I"ll get around to everybody else tomorrow.

Thanks, Jason.  Did you upload it as well?  I can't seem to find the key with your signature on it…

Cheers,

[Ryland R. Taylor-Almanza]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm Jason Keith. One of many it seems and although you won't find me on the first couple of
pages of a Google search, you can reach me at jasonkeith@gmail.com. My fingerprint is
E936 B8CB 8537 02A1 144E  FFB0 BBF5 676B 15DD FC58 Send me an email with
15DDFC58 and Bitcoin in the subject and I'll get back to you.
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iQIcBAEBAgAGBQJN4ojuAAoJELv1Z2sV3fxYDwQP/2jwS3bBv0+wvP68EK5zXwvK
g9kjBBmkDBbl48unsUGOShzQcfB/Tt724BiBe8AXAHrYBpFO+SCIpQ7h5emncJXP
fg74ux231lrnq+fq0xkTL0mjj04yXUEg8vVjIvKyXE0nw4cR3PY0cibiwzZWS0pP
9iR6gQZGJtvn9nIQJIqW/LTkUGRXRoEDZByqllLM3icWHhX3E8ilrw9MtsLqQtJW
4Zye5vpJlBcPMStIknikZ9OShW/h3H/9exVjZxpo0ZJiTv57mCWWvx4UBnVzVyAT
bJV7aNQjkUvneMNTaxwH5tQfbDkwGkEpKt8iFza2yBPzhIovFAU6ePim0qnPop4m
W43JqfA/QlIQM8FjH2BtBegT7/7rI3Eg97fNLYbW0qxDs57HZZlHtyF4fJZh7Yed
R4bRHJS7iXrX/YIoDiWO+giamc1ZjABOI0GFoHUmtPxOcBXVR3ITkthiy6SjqESW
ACunjQYKI1MeWjtYSqZjbFxUahkJArWd3Hjph3OAiQMscw59cQV0P5NXKNQWrxaL
k96PNuhOin/qRKXWXN9NNqXlRNfqZCNAXVlijgZGkI4Sewh++BIma+e0LIfahzYo
yd+TmXE3rzFFrF6Vv016mcpf2d3ZyWoAYgrAc8zuTb/WOTiDsj7TqJSEpmoC/rZY
MzQ+pegx7DBdhUmT7fvo
=/+pd
-----END PGP SIGNATURE-----

I signed it for you. Care to sign mine? http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF37B04E9CB0C8D51
Let me know if you need help.

[Ryland R. Taylor-Almanza]

Trying this again with the canned response feature from Google. I even added my own line breaks where necessary. It should work now, but I'm sure I'll find out if it doesn't.

Still no auto response for me.

[billyjoeallen]

I want to get a key pair, but I'm a cryptonoob. could you please point me somewhere to get started? It took me two days to get truecrypt and TOR up and running. tnx.

[Jason Keith]

Thanks, Jason.  Did you upload it as well?  I can't seem to find the key with your signature on it…

Sorry Klaus. I must have been thinking I'd done that from within Enigmail last night. I've been trying to look for a way to do that from within GPA or Enigmail but I suppose I have to use the CLI. I guess I haven't uploaded Ian's key to the server either in that case so I'll do it now.

[kgo]

I want to get a key pair, but I'm a cryptonoob. could you please point me somewhere to get started? It took me two days to get truecrypt and TOR up and running. tnx.

I'd start with either the GNU Privacy Handbook or the Enigmail Handbook.  If you're really new to all this and don't like the command line, I'd recommend getting enigmail working first, and then reading the GNU Privacy Handbook to understand some more comments.

http://www.gnupg.org/gph/en/manual.html

http://enigmail.mozdev.org/documentation/handbook.php.html

[kgo]

Everyone needs to define their own trust/threat model, so I'm not saying anyone is doing anything wrong here here, but I wouldn't sign someone's key without getting the fingerprint in person (or at least on skype after a history of back-and-forth signed emails.)

I do, however, have the PGP Global Directory signed locally on my setup.  So anyone who gets their key verified on PGP Global Directory shows up as valid to me.  This basically provides the same key/email validation without me (or you) having to vouch for someone else's identity publicly:

https://keyserver.pgp.com/vkd/GetWelcomeScreen.event

People might want to take a look at that and sign up.

And while I've got the attention of a bunch of people interested in OpenPGP, I'm still selling a Hardware OpenPGP smartcard/token combo for 9 BTC:

http://forum.bitcoin.org/index.php?topic=9582.0

[kseistrup]

I wouldn't sign someone's key without getting the fingerprint in person (or at least on skype after a history of back-and-forth signed emails.)

I do, however, have the PGP Global Directory signed locally on my setup.  So anyone who gets their key verified on PGP Global Directory shows up as valid to me.

Perhaps I'm missing something, but how is the verification by the PGP Global Directory different from what we're doing here?

At the Global Directory I uploaded my key, then received an email with a confirmation link in it.  Once I clicked the link, my key was signed.  I have shown that I have access to the email account mentioned in the key.

Here we post a signed message with instructions (and key fingerprint).  The potential verifier receives a signed message back that points to the first signed message.  I have not only shown that I have access to the email account mentioned in the key, but also that I have access to the key.  It would seem to me that this method is a tad better at verifying that the email address and the key goes together.

Have I missed anything?

Cheers,

[kseistrup]

I want to get a key pair, but I'm a cryptonoob. could you please point me somewhere to get started? It took me two days to get truecrypt and TOR up and running. tnx.

Please see the GPG Quick Start.  Comes in more than one flavour.

Cheers,

[kgo]

I wouldn't sign someone's key without getting the fingerprint in person (or at least on skype after a history of back-and-forth signed emails.)

I do, however, have the PGP Global Directory signed locally on my setup.  So anyone who gets their key verified on PGP Global Directory shows up as valid to me.

Perhaps I'm missing something, but how is the verification by the PGP Global Directory different from what we're doing here?

At the Global Directory I uploaded my key, then received an email with a confirmation link in it.  Once I clicked the link, my key was signed.  I have shown that I have access to the email account mentioned in the key.

Here we post a signed message with instructions (and key fingerprint).  The potential verifier receives a signed message back that points to the first signed message.  I have not only shown that I have access to the email account mentioned in the key, but also that I have access to the key.  It would seem to me that this method is a tad better at verifying that the email address and the key goes together.

Have I missed anything?

Cheers,

Yep, the authentication is basically the same.  The differences are more social:

(1) It's all centralized to the PGP Global Directory key.  If I trust that, I'll trust your sig whether I know you or not.  Whether I'm involved in bitcoin or not.  You get thousands of people to automatically assume your sig is valid, rather than one at a time.  You don't need a hundred page thread here on bitcoin.org that someone needs to go through one-by-one, sending emails to dozens or hundreds of users.

(2) I don't need to publish a 'voucher' to your identity anywhere.  This is what OpenPGP calls 'trust'

So OpenPGP has two inter-related concepts: validity and trust.  Validity means that the key has been authenticated somehow.  Trust indicates that you trust this person to generate signatures correctly, by whatever your standard of correctness is.

With these two elements in place, the Web-of-Trust kicks in.  It starts with keys that you have explicitly flagged as valid.  Then based on the trust you've assigned to these keys (run 'gpg --update-trustdb' if you haven't already), it determines that several keys they've signed are valid.  It repeats this for five layers, and that's all the keys where you can validate messages without seeing that "WARNING!!! Untrusted ...." error.

People who are really into the Web-of-trust think the proper way to sign a key is to verify the fingerprint in person (or on the phone/skype if you recognize their voice) and provide photo id to establish a real-world person's identity.  Like I said, everyone needs to define their own trust model, so it's not wrong to sign keys like people are doing here.  But it may cause someone else who validates your key to mark your key as valid, but untrusted to issue signatures, which excludes you from their web of trust calculations.

One way around this is to issue local signatures.  Local signatures work just the same as normal signatures, but the CANNOT be exported to keyservers.

I'm pretty confident that Ian's key is good.  I run:

gpg --lsign <<IANS_KEY_ID>>

And flag him as perhaps MODERATELY trusted.  Now his signatures factor into my trust calculations, but I'm not making any representations to the outside world, since I haven't done 'proper' authentication.

This is fine, but gets to be a pain if you use multiple computers, or need to re-create your keyring, since this signature doesn't live on the keyservers.

[Ryland R. Taylor-Almanza]

mines on the pgp global directory now.

[Ryland R. Taylor-Almanza]

We going to let this die? This is now a game to me, and I don't want to stop playing.

[kseistrup]

Perhaps all the people who want in on this are alrady in? 

[The Script]

Not quite.  I want in, I'm still trying to figure out what the hell I'm doing.  I'm reading through the GNUPG Quick Start but even that is like trying to read another language.  I just learned about PGP a few days ago and am still trying to figure out the procedures.  So far I've created a key in Ubuntu using the "Passwords and Encryption Keys" program which I believe is part of the Seahorse front end package for GNUPG.  So now, how do I use this to encrypt emails, sign other people's keys, etc?  Also, where are these alleged online key directories?  I can't find them.    Help me and I will sign all your keys.

[The Script]

Ok, I found Jason Keith in the PGP directory and added his key to my key ring.  Hmmm.  Progress.

[FatherMcGruder]

Not quite.  I want in, I'm still trying to figure out what the hell I'm doing.  I'm reading through the GNUPG Quick Start but even that is like trying to read another language.  I just learned about PGP a few days ago and am still trying to figure out the procedures.  So far I've created a key in Ubuntu using the "Passwords and Encryption Keys" program which I believe is part of the Seahorse front end package for GNUPG.  So now, how do I use this to encrypt emails, sign other people's keys, etc?  Also, where are these alleged online key directories?  I can't find them.    Help me and I will sign all your keys.

Make sure you have "Decrypt File" installed and restart Ubuntu.

[The Script]

Thanks.  Sent you an email.

[The Script]

Code:

-----BEGIN PGP SIGNED MESSAGE----

I am Samuel Vanderwaal, and my key's fingerprint is 70F3 0E0D 3ABC 21BC 7E07 A8BB 7A22 FC9F 1A88 AC11.  
Send me an email with 1A88AC11 in the subject and bitcoin in the body and I will reply with an signed email.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

mQENBE3m/s4BCAC/IcTbreSpZgYBtTAbAYuxzNGSvMTgCzNkUPyY5t/+YVEywNu0
EY9o2rFtsh3f8G/c+kJj/dgg4o2kidIMjGMqeWxjBAzHllDDPai/w2o9WWEgJ9ca
X6s66+uc2ChuOzWz16aSmsGw//qQhzRYoxThT6VyM5E0kq4dGzLQC+qtT8X+iMjc
Sxf82mMOBvFZEXdc+ECA8THrcYpNadnNF66XkXrE4I+QgAo/W8isbi7O71jRIVz1
LFinEpNCcQz6hCJLGnXlE/mwTtiKRRmMwjT8yanDM7Y+EmOMnq5dS3/facwiCRMh
/ttDhjS4RapRgFo5usdcRcdVECVOBoc9GDW/ABEBAAG0L1NhbXVlbCBWYW5kZXJ3
YWFsIDxzYW11ZWwudmFuZGVyd2FhbEBnbWFpbC5jb20+iQE4BBMBAgAiBQJN5v7O
AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRB6IvyfGoisEUAJB/4u9WVW
zBrWKcYeVRlZfXEbvYpx02ZW0jQ/LC5q6Rf495xmQ02XzKOka+PcLzn8z786sxJa
AKViFgCBrXOCodt+QE/FHgZTC6v2gAilYcX7OxJPYcEUgdAhVCCmTJHXZOR/Slgj
GSWPq9rGmhkcMADmla3Vm5yq5SfhqDnLXMkHlGaYSlCrT38l9xYy47edQc9+PG12
+f4dzrBpeGyV8C+TgQRRU/dkuvEzDi6bYuTU/+GSZ/SNPk0LZ6F4P3jcx2P2i8ZR
Eb1lkHcd0N1naTKXSFwTnoInfcNv8JVl+S/p3Uvm5NICqFDUmY4D8b6iPOmAwOJT
n1GIVn35sxQHcLcnuQENBE3m/s4BCADXiJNDumql5oMTdMnfviGOac5GfRfdjib5
80ywbmgf4I1qxsyJocPy0QxrXJjKguOG5zgnil4Hcd86ZVjddYZLTwx16y0YhqAc
ZAwXtjyEDlOn1F2Lx6j7md0QVUAdPfUkJPULtHsEyCkJut9QH9A8eNg0NarnSKza
Hkqb0v1DTZBuL30Y9a7oHOZhRbWEmL/UvdyK5SAhL1sd/dU1xcTfOX/X9f2MDYH+
gdbS94RvDJxnyTS8LJJNIeOsk3ttmWMMIofRlAhs+yLIn2xy5PBsfC4yKGU/Txg9
8z3BsY3ma3sDXvpijKqdVl4516sxwxjhjTMbz9yliw4y3aZZPvc5ABEBAAGJAR8E
GAECAAkFAk3m/s4CGwwACgkQeiL8nxqIrBHlrgf+PApbsyOAdLsTEwfOHQXK8Qo7
RUyIHo2j6Ly+uGmg0OYV0uFrUrwq2uEYJWw41Lpz4p54TzFTcwvW8fBmrD4p+t0k
DeDwCmgsFOoeMokl7iLgMoWhfav5IO6qXHbbJERvv9hH+nyZLVDXrR6Bb1aUizuV
STw2NXnPB8As0X8yWLGN/fDl+pQKhqCAv8hSD/bwuBxkI2u9ZVKo7XYnnlMiYyCK
lx8uRtI6QN15ivlVuWz50hA4ZRk52hN3hErjxOgIatBQ7kvyk5cLKfA8G6UniiR4
N0F5iwHEmXiLUSZ2xfniyBaFgZYdelTaTUuRwxry7mudLd6EivjLgEpCdPHjmQ==
=6C/v
-----END PGP PUBLIC KEY BLOCK-----

[The Script]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

You can trust bitcoin.org to verify that I am the real theymos, and maybe you can trust me when I say that my real name is Michael Marquardt.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAk3YczIACgkQxlVWk9q1kecdaAD5AYDNdk1CqQignw0VfcffQtNv
k8d4bAf98vfcKvKGP0oA/3iPaObiKtw984EhqbKVM7Rljc40qKvaLvIEs6emkCWA
=ld+O
-----END PGP SIGNATURE-----

Public key:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC6555693DAB591E7

What is the difference between a PGP signature and a PGP Public key?  Is the signature a hash of the public key?  Also, why is Theymos' so damn long?  Different hash type? 

[theymos]

What is the difference between a PGP signature and a PGP Public key?  Is the signature a hash of the public key?  Also, why is Theymos' so damn long?  Different hash type? 

A signature verifies some data. That signature verifies that the text between "BEGIN PGP SIGNED MESSAGE" and "BEGIN PGP SIGNATURE" was actually written by me.

To verify my signature, you need my public key. If you want to send me an encrypted message, you also encrypt it to my public key.

That public key is long because it has lots of signatures. It's smaller if you remove the signatures:
http://theymos.com/theymos.txt
(This is the exact same public key.)

[kseistrup]

Code:

-----BEGIN PGP SIGNED MESSAGE----

I am Samuel Vanderwaal, and my key's fingerprint is 70F3 0E0D 3ABC 21BC 7E07 A8BB 7A22 FC9F 1A88 AC11.  
Send me an email with 1A88AC11 in the subject and bitcoin in the body and I will reply with an signed email.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

mQENBE3m/s4BCAC/IcTbreSpZgYBtTAbAYuxzNGSvMTgCzNkUPyY5t/+YVEywNu0
EY9o2rFtsh3f8G/c+kJj/dgg4o2kidIMjGMqeWxjBAzHllDDPai/w2o9WWEgJ9ca
X6s66+uc2ChuOzWz16aSmsGw//qQhzRYoxThT6VyM5E0kq4dGzLQC+qtT8X+iMjc
Sxf82mMOBvFZEXdc+ECA8THrcYpNadnNF66XkXrE4I+QgAo/W8isbi7O71jRIVz1
LFinEpNCcQz6hCJLGnXlE/mwTtiKRRmMwjT8yanDM7Y+EmOMnq5dS3/facwiCRMh
/ttDhjS4RapRgFo5usdcRcdVECVOBoc9GDW/ABEBAAG0L1NhbXVlbCBWYW5kZXJ3
YWFsIDxzYW11ZWwudmFuZGVyd2FhbEBnbWFpbC5jb20+iQE4BBMBAgAiBQJN5v7O
AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRB6IvyfGoisEUAJB/4u9WVW
zBrWKcYeVRlZfXEbvYpx02ZW0jQ/LC5q6Rf495xmQ02XzKOka+PcLzn8z786sxJa
AKViFgCBrXOCodt+QE/FHgZTC6v2gAilYcX7OxJPYcEUgdAhVCCmTJHXZOR/Slgj
GSWPq9rGmhkcMADmla3Vm5yq5SfhqDnLXMkHlGaYSlCrT38l9xYy47edQc9+PG12
+f4dzrBpeGyV8C+TgQRRU/dkuvEzDi6bYuTU/+GSZ/SNPk0LZ6F4P3jcx2P2i8ZR
Eb1lkHcd0N1naTKXSFwTnoInfcNv8JVl+S/p3Uvm5NICqFDUmY4D8b6iPOmAwOJT
n1GIVn35sxQHcLcnuQENBE3m/s4BCADXiJNDumql5oMTdMnfviGOac5GfRfdjib5
80ywbmgf4I1qxsyJocPy0QxrXJjKguOG5zgnil4Hcd86ZVjddYZLTwx16y0YhqAc
ZAwXtjyEDlOn1F2Lx6j7md0QVUAdPfUkJPULtHsEyCkJut9QH9A8eNg0NarnSKza
Hkqb0v1DTZBuL30Y9a7oHOZhRbWEmL/UvdyK5SAhL1sd/dU1xcTfOX/X9f2MDYH+
gdbS94RvDJxnyTS8LJJNIeOsk3ttmWMMIofRlAhs+yLIn2xy5PBsfC4yKGU/Txg9
8z3BsY3ma3sDXvpijKqdVl4516sxwxjhjTMbz9yliw4y3aZZPvc5ABEBAAGJAR8E
GAECAAkFAk3m/s4CGwwACgkQeiL8nxqIrBHlrgf+PApbsyOAdLsTEwfOHQXK8Qo7
RUyIHo2j6Ly+uGmg0OYV0uFrUrwq2uEYJWw41Lpz4p54TzFTcwvW8fBmrD4p+t0k
DeDwCmgsFOoeMokl7iLgMoWhfav5IO6qXHbbJERvv9hH+nyZLVDXrR6Bb1aUizuV
STw2NXnPB8As0X8yWLGN/fDl+pQKhqCAv8hSD/bwuBxkI2u9ZVKo7XYnnlMiYyCK
lx8uRtI6QN15ivlVuWz50hA4ZRk52hN3hErjxOgIatBQ7kvyk5cLKfA8G6UniiR4
N0F5iwHEmXiLUSZ2xfniyBaFgZYdelTaTUuRwxry7mudLd6EivjLgEpCdPHjmQ==
=6C/v
-----END PGP PUBLIC KEY BLOCK-----

It seems to me that you're missing something here.  Shouldn't there be both end-of-key and end-of-message?

Cheers,