python-summit / swisspycon

Swiss Python Summit issue tracker

Key signing party at event? #24

Closed adamcik closed 8 years ago

adamcik commented 8 years ago

Wouldn't need to be an official part of the program, but for those of us wanting to get some more signatures from people in Zurich / Switzerland this would be a nice addition :-)

dbrgn commented 8 years ago

Yeah, why not.

dbrgn commented 8 years ago

@adamcik would you like to organize a key signing? then we could try to put it in the program somehow :) most probably after the talks.

The-Compiler commented 8 years ago

Sounds like a great idea to me, I'm always in for singing signing some keys! :+1:

adamcik commented 8 years ago

I need to double check my schedule, I think I can attend, and if so I can probably help organize this bit. Try and get back to you by Monday about this.

adamcik commented 8 years ago

Ok, I finally got things confirmed and signed up (assuming I got a spot). I've skimmed over how FOSDEM does their parties, and looked for some suggestions on how to do these. And I think given the number of participants just doing http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#traditional is probably more than good enough.

So just doing the informal approach, so all we really need to do is provide a time and a place and maybe a very simple checklist of what to bring.

Alternative would be to mail keys to info@ or keysigning@ and have a coordinator sign and publish the submitted keys. But to be honest I think we should just keep this really simple.

dbrgn commented 8 years ago

Agree about doing the simple version :)

dbrgn commented 8 years ago

When should we do this? Would it make sense to do the key signing as part of / during the social event? 15-20 minutes would probably be enough.

@adamcik do you want us to put up any information on the website and/or in the info e-mail before the conference (#60)?

adamcik commented 8 years ago

During the social bit sounds fine. As for what to bring, I think disallowing laptops probably isn't needed. I've previously seen small signing parties work quite well with just listing your key with fingerprint on the laptop and people taking pictures with their phones.

So perhaps just put something like:

There will be a small signing party during the social event. So if you want to get more signatures for your GPG key be sure to bring a suitable form of identification and the fingerprint of your key. For instance a printout from keysheet.net or just bring a laptop with the key.

dbrgn commented 8 years ago

I think if people just bring paper it's going to be easier and quicker to do it. There was a keysigning at EuroPython Berlin where a lot of people brought their laptops and phones (I think @adamcik was there too). It took a while until everyone was done, especially when people were trying to take pictures of a reflective screen with low-quality smartphones...

What we could do instead during the day is a "print your fingerprint sheet" service.

dbrgn commented 8 years ago

@href do you have time to put the key signing info onto the website?

href commented 8 years ago

Sure, but I'm not quite clear on how this is going to happen yet? I have never attended a signing party. I need to know:

These are somewhat dumb questions, but it would actually help if someone more experienced could answer them, as I also have to explain the whole thing during the final presentation. So if someone could do a write up I'm happy to put this online.

dbrgn commented 8 years ago

@adamcik you can probably best answer these questions :)

adamcik commented 8 years ago

So here goes:

Why we have one

To expand the web of trust. This allows more people in the local tech community to communicate securely. This will also help build trust paths to software projects such as Python itself allowing for better verification of releases.

Who is it for

Anyone with an interest in expanding their web of trust with additional signatures.

How it is actually conducted

Before the conference print out your fingerprint using for instance http://keysheet.net and be sure you have a suitable form of identification with you (typically a national ID card, passport or a driver's license).

During the aperitif we'll put up a poster, where anyone interested in getting more signatures can gather around. Typically you'll get the fingerprint printout from the other person and give them yours, then you check IDs and then make a note on the fingerprint slip that you've verified it. At the end of the event you should have a collection of these to process at home.

After the event you download the keys from a keyserver, verify the fingerprints you've collected and sign each of the keys. Now you can upload the signature, or if the other party requested it return it to them via encrypted mail (see https://wiki.debian.org/caff for automating this).

For more info see https://wiki.debian.org/Keysigning and the documents linked off that page.
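The "verify the fingerprints you've collected" step from the comment above, as an added example that is not part of the original thread: it compares the fingerprints written on the paper slips against the primary-key fingerprints in `gpg --with-colons --fingerprint` output, so only exact full matches go on to be signed. The function names and the sample listing are constructed for illustration.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint` output for keys
# fetched from a keyserver; all fingerprints and names are made up.
SAMPLE_LISTING = """\
pub:-:4096:1:1111222233334444:1400000000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:-::::1400000000::::Alice Example <alice@example.org>:
sub:-:4096:1:9999888877776666:1400000000::::::e:
fpr:::::::::0000111122223333444455559999888877776666:
pub:-:4096:1:5555666677778888:1400000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF012345675555666677778888:
uid:-::::1400000000::::Bob Example <bob@example.org>:
"""

def normalize(fpr):
    """Strip spacing/case from a slip; insist on a full 40-hex v4 fingerprint."""
    cleaned = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("not a full fingerprint: %r" % fpr)
    return cleaned

def primary_fingerprints(listing):
    """Map each primary-key fingerprint in the listing to its user IDs."""
    keys, current, last = {}, None, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            last = f[0]                    # remember which key the next fpr describes
        elif f[0] == "fpr" and last == "pub":
            current = f[9]                 # field 10 carries the fingerprint
            keys[current] = []
            last = None
        elif f[0] == "uid" and current:
            keys[current].append(f[9])     # field 10 carries the user ID
    return keys

def check_slips(slips, listing):
    """Return (to_sign, rejected): only exact full-fingerprint matches pass."""
    keys = primary_fingerprints(listing)
    to_sign, rejected = {}, []
    for slip in slips:
        try:
            fpr = normalize(slip)
            to_sign[fpr] = keys[fpr]       # KeyError: no downloaded key matches
        except (ValueError, KeyError):
            rejected.append(slip)          # short ID, typo, or subkey fingerprint
    return to_sign, rejected
```

Anything in `rejected` needs a second look at the slip or a fresh key download before signing; a short key ID or a subkey fingerprint is never treated as a match.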

href commented 8 years ago

Thank you! I took your information and put it on the website: http://www.python-summit.ch/pages/program.html. Do let me know if I need to change anything.

adamcik commented 8 years ago

Since I suggested we have a sign to gather around I've grabbed the logo and whipped up something very basic (didn't see any "template", so this is loosely inspired by the main poster). I'll print a few copies on A3 and A4 to bring along and we can see what works.

keysigning.pdf

dbrgn commented 8 years ago

Great, thanks a lot!

href commented 8 years ago

Cool! There seems to be an eye missing on the snake :)

adamcik commented 8 years ago

Seems inkscape didn't open the source file correctly and I lost it. This version should have the eye back after some fixing: keysigning.pdf

dbrgn commented 8 years ago

@adamcik if you want I can also print 2-3 copies on A3 tomorrow at HSR.

adamcik commented 8 years ago

That's probably easier than me getting them there in a nice state. Just in case I did however print some A4 ones just to have something.

dbrgn commented 8 years ago

Alright :)

adamcik commented 8 years ago

One last followup on this. Had the printout on one of the tables and hung around for a while before I had to go home. One other guy was prepared, and also talked to another participant, who had a key but didn't bring anything. Was never expecting many people to be a part of this so not really a surprise :-)

Anyway, I would say that it would not make sense for you as organizers to spend much time on this for future conferences. But if someone volunteers and the effort on your part is just adding a note on the program / website then why not.

Thanks for organizing this and looking forward to see how this conference grows over the coming years :-)

dbrgn commented 8 years ago

Hey @adamcik, thanks for organizing this. I was actually asked by 2 or 3 people (later on, probably around 19:00) where the key signing would take place. I guess everybody was just too disorganized to be at the correct place at the right time :)

But I also agree that key signing and the web of trust is not something that really took off in the last 20 years. So it probably won't in the future. Approaches like https://keybase.io/ might be more feasible. You can track me at https://keybase.io/dbrgn :)

adamcik commented 8 years ago

Good to hear there were at least a few more interested and that we were just a bit too disorganized. As for keybase.io this does seem very interesting for casual acquaintances, and we can always keep the old way of doing things for projects like Debian etc :-)