Keysigning
The annual keysigning event at FOSDEM 2016 is one of the largest of its kind. With more than one hundred participants every year, it is an excellent opportunity to strengthen the web of trust. We use a slightly modified version of the Zimmermann-Sassaman key-signing protocol relying on a key submission server rather than email to collect keys.
Before the event
Submit your keys
The submission deadline has passed.
If you intend to participate in the PGP keysigning event at FOSDEM 2016, you must submit the keys you would like to have signed to the keyserver listening on ksp.fosdem.org. If you are using GnuPG, this can easily be accomplished with:
gpg --keyserver ksp.fosdem.org --send-key [keyid]
If you have multiple keys, try to (re)submit them together. Since the list is sorted by (re)submission time, this will group your keys on the list, saving everyone a lot of browsing forward and backward through the list.
You may want to verify that your submission made it to the keyserver by checking the list of submitted keys at https://ksp.fosdem.org/.
The deadline for submissions is Sunday, 24 January 2016. After this date, the keyserver will no longer accept submissions and the official keylist will be published.
Download the list of participants
If you are participating in the keysigning event (i.e.: you have submitted your key to the keyserver), you should download the final list of participants and follow its instructions closely.
The final list of participants is available from https://ksp.fosdem.org/files/.
If there is a trust-path between you and the author, you should verify the list's detached signature using:
gpg --verify ksp-fosdem2016.txt.sig ksp-fosdem2016.txt
Besides the official list, ksp-fosdem2016.txt, we also provide non-authoritative files that may make your life easier. It is up to you, the participant, to verify that these files actually contain the same information as the official list: e.g. for the keyring.gpg file, you could run the keylist.txt.sh script and verify that the output is similar enough to the official list. Note that different GnuPG versions may produce slightly different output. In particular, GnuPG older than version 2.1 uses a different key format.
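One way to make the comparison independent of GnuPG's output layout is to compare fingerprints only. The following is an added example, not part of the FOSDEM page or its keylist.txt.sh script; it assumes the official list prints fingerprints in GnuPG's human-readable form (spaced or contiguous) and that keyring.gpg has been dumped in colon format, and all function names and sample data are constructed.

```python
import re

# Ten groups of four hex digits, spaced or contiguous, not inside a longer hex run.
_FPR = re.compile(
    r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{4}[ \t]*){9}[0-9A-Fa-f]{4}(?![0-9A-Fa-f])")

def fingerprints_from_listing(text):
    """Fingerprints found in human-readable GnuPG output (either layout)."""
    return {re.sub(r"\s", "", m.group(0)).upper() for m in _FPR.finditer(text)}

def primary_fingerprints_from_colons(text):
    """Primary-key fingerprints from colon-format output, e.g. (assumed usage):
    gpg --no-default-keyring --keyring ./keyring.gpg --with-colons --fingerprint"""
    fprs, last_key = set(), None
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            last_key = fields[0]
        elif fields[0] == "fpr" and last_key == "pub" and len(fields) > 9:
            fprs.add(fields[9].upper())  # field 10 holds the fingerprint
            last_key = None              # skip subkey fingerprints
    return fprs

def compare(official_text, colon_text):
    # Returns (in the list but not the keyring, in the keyring but not the list).
    official = fingerprints_from_listing(official_text)
    keyring = primary_fingerprints_from_colons(colon_text)
    return sorted(official - keyring), sorted(keyring - official)

# Constructed sample: one key per layout; this is not the real list format.
OFFICIAL = """\
pub   4096R/01234567 2015-01-01
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid                  Alice Example <alice@example.org>
pub   rsa4096 2015-06-01 [SC]
      FEDCBA9876543210FEDCBA9876543210FEDCBA98
uid           Bob Example <bob@example.org>
"""
# Constructed colon dump: the two keys above, a subkey, and one extra key.
COLONS = """\
pub:-:4096:1:89ABCDEF01234567:1420070400:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:-:4096:1:2222222222222222:1420070400::::::e:
fpr:::::::::2222222222222222222222222222222222222222:
pub:-:4096:1:76543210FEDCBA98:1433116800:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
pub:-:4096:1:1111111111111111:1433116800:::-:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
"""
if __name__ == "__main__":
    print(compare(OFFICIAL, COLONS))
```

Two empty result lists mean the keyring and the list name exactly the same primary keys; any entry in either list is a key to check by hand against the signed official list.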
The key signing event itself
The keysigning event takes place on Sunday, at 14:00, in the corridor on the second level of the U building. There is no fixed end time. Previous editions lasted approximately one hour per 100 keys on the list. To participate, you should have submitted your keys before the deadline. Please bring the printed list, a pen and an appropriate form of identification with you to FOSDEM 2016. Note that it is not possible to print the list at the conference.
You may find it useful to make a badge stating the number(s) of your key(s) on this list and the fact that you verified the fingerprints of your own key(s). Also provide a place to mark that your hashes match. Be on time to actually verify the hashes as they are announced! e.g.
I am number 001
My key-id & fingerprint: ☑
The hashes: ☐
To avoid descending into chaos, the organiser will line up the participants in the order of the list.
1 - 2 - 3 - 4 - 5 - 6 - 7 - 8
Next, this line folds onto itself, so everyone is facing another participant.
1 - 2 - 3 - 4
8 - 7 - 6 - 5
After the participants have verified each other's identity, the whole line moves one step to their right. Participants on the end of the line move to the opposite line. That way, everyone should be facing the next person on their list (modulo no-shows).
2 - 3 - 4 - 5
1 - 8 - 7 - 6
After the event
Please complete your signing homework before Saturday, 30 April 2016, and send your key signatures to the verified key owners, or upload them to a well-connected keyserver. You may find caff a helpful tool.