[FOSDEM] key question still slightly unclear

John Seifarth john at waw.be
Fri Feb 23 18:27:18 CET 2007


I asked:


> 3) If I add another email address to my identity (I only have one on
> it now), is the key as signed at the keysigning automatically valid
> for that address (or is my question already showing my lack of
> understanding)?

Wouter replied:
>> That will depend on the participants; some people will sign your new
>> UID, others won't. It may help if you communicate that you have a new
>> UID on your key at the signing party.

Geert said:
>> When signing a key, GPG will ask whether you want to sign all
>> email addresses.
>> Some people won't say `Y' if your new email address is not on the
>> list.


And I'm confused. I really don't understand the mechanics of the
keysigning system. You have a series of private keys, they will be
collectively validated by an md5 and a sha1 checksum. How does my
individual key get signed? Do I have to upload it on the server (see
below) beforehand, or so the keysigners have a copy of the key I
uploaded to FOSDEM? I was thinking more along the line of adding an
email address AFTER the keysigning party. Is that email address (is
that considered as the ID) covered by the current keysigning, or
should I worry about that at next year's keysigning? Do I have to
sign other people's keys?

So my next question:

> 4) What is the best way to disseminate my public key, and to get the
> public keys of my correspondents? I understand there are key servers
> somewhere, can someone explain how this works?

Geert replies:

>> gpg --recv-key --keyserver pgp.mit.edu <id>
>> gpg --send-key --keyserver pgp.mit.edu <id>
>>
>> You can also put the keyserver in your ~/.gnupg/options.
>

And Wouter says:
>> Make sure the following line is found in your ~/.gnupg/gpg.conf:
>>
>> keyserver hkp://subkeys.pgp.net
>>
>> Then, you can search for keys with
>>
>> gpg --recv-key <data>
>>
>> where you replace <data> with either the mail address or the key ID of
>> your correspondent.
>>
>> After signing the key, please do not randomly upload them; you should
>> also attempt to verify that the email address of the key you signed is
>> valid. An easy way to do that is to encrypt and mail the key to the key
>> owner; the 'caff' script can help you with this. You can find caff in
>> the Debian package 'signing-party'; it's a perl script.
>

I found these lines in my gpg.conf file:

keyserver hkp://subkeys.pgp.net
#keyserver mailto:pgp-public-keys at keys.nl.pgp.net
#keyserver ldap://keyserver.pgp.com

Should I have multiple key servers? Should I put pgp.mit.edu in as  
well? Does it use the hkp:// protocol as well?

Does the existence of this line in the config file mean that my key  
has automatically already been uploaded, or do I need to run a command?

Do I need to do anything to update the key on the server before or  
after the keysigning?


Wouter also added:
>> I'll be sure to repeat this at the beginning of the signing party on
>> Sunday.

So Wouter, sorry to bother you beforehand, but I like to be prepared,
as my Scoutmasters always told me!

Thanks,

John


John Seifarth
Words & Wires SPRL
Computer Consulting & Language Services
rue Valduc 266
1160 Brussels, Belgium
Voice: + 32-2-660-3943
GSM: +32 478 42 45 20
Fax: + 32-2-675-3922
john at waw.be
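
Added example, not part of John's message or of the quoted replies: the replies above say signers decide per UID, so this sketch reads `gpg --with-colons --list-sigs <id>` style output and lists, for each user ID, which other keys have certified it. The sample listing, key IDs and names are constructed; a UID added after a signing party shows up with only the owner's self-signature.

```python
# Constructed sample in the colon-delimited format printed by
# `gpg --with-colons --list-sigs`; all key IDs and names are made up.
SAMPLE = """\
pub:u:2048:1:AAAAAAAAAAAAAAAA:1170000000:::u:::scESC:
uid:u::::1170000000::0000000000000000000000000000000000000001::Alice Example <alice@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1170000000::::Alice Example <alice@example.org>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1172400000::::Bob Example <bob@example.org>:10x:
sig:::1:CCCCCCCCCCCCCCCC:1172400000::::Carol Example <carol@example.org>:10x:
uid:u::::1172600000::0000000000000000000000000000000000000002::Alice Example <alice@example.net>:
sig:::1:AAAAAAAAAAAAAAAA:1172600000::::Alice Example <alice@example.net>:13x:
sub:u:2048:1:DDDDDDDDDDDDDDDD:1170000000::::::e:
sig:::1:AAAAAAAAAAAAAAAA:1170000000::::Alice Example <alice@example.org>:18x:
"""

# OpenPGP certification signature types (0x10 to 0x13); 0x18 is a subkey binding.
CERT_CLASSES = {"10", "11", "12", "13"}


def certifications_per_uid(colon_output):
    """Map each user ID to the set of other key IDs that certified it."""
    owner = None    # key ID of the key being listed (field 5 of the pub record)
    current = None  # user ID that the following sig records belong to
    result = {}
    for line in colon_output.splitlines():
        f = line.split(":")
        kind = f[0]
        if kind == "pub":
            owner, current = f[4], None
        elif kind == "uid" and len(f) > 9:
            current = f[9]              # field 10: the user ID string
            result[current] = set()
        elif kind in ("sub", "uat"):
            current = None              # sigs that follow are not UID certifications
        elif kind == "sig" and current is not None and len(f) > 10:
            sig_class = f[10][:2]       # field 11, e.g. "10x" -> class 10, exportable
            if sig_class in CERT_CLASSES and f[4] != owner:
                result[current].add(f[4])   # skip the owner's self-signature
    return result


if __name__ == "__main__":
    for uid, signers in certifications_per_uid(SAMPLE).items():
        print(uid, "->", sorted(signers) or "self-signature only")
```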
