Brussels / 1 & 2 February 2020

schedule

Keysigning

The annual keysigning event at FOSDEM 2020 is one of the largest of its kind. With more than one hundred participants every year, it is an excellent opportunity to strengthen the web of trust. We use a slightly modified version of the Zimmermann-Sassaman key-signing protocol relying on a key submission server rather than email to collect keys.

Before the event

Submit your keys

The submission deadline has passed.

If you intend to participate in the PGP keysigning event at FOSDEM 2020, you must submit the keys you would like to have signed to the keyserver listening on ksp.fosdem.org. If you are using GnuPG, this can easily be accomplished with:

gpg --keyserver ksp.fosdem.org --send-key [keyid]

If you have multiple keys, try to (re)submit them together. Since the list is sorted by (re)submission time, this will group your keys on the list, saving everyone a lot of browsing forward and backward through the list.

Keep in mind that PGP keys using the DSA-1024 algorithm are no longer accepted by GnuPG web-of-trust: Please upgrade your PGP key before submission, if it relies on this algorithm.

You may want to verify that your submission made it to the keyserver by checking the list of submitted keys at https://ksp.fosdem.org/.

The deadline for submissions is Wednesday, 22 January 2020. After this date, the keyserver will no longer accept submissions and the official keylist will be published.

Download the list of participants

If you are participating in the keysigning event (i.e.: you have submitted your key to the keyserver), you should download the final list of participants and follow its instructions closely. Said instructions are at the beginning of the file.

The final list of participants is available from https://ksp.fosdem.org/files/.

If there is a trust-path between you and the author, you should verify the list's detached signature using:

gpg --verify ksp-fosdem2020.txt.asc ksp-fosdem2020.txt

Besides the official list, ksp-fosdem2020.txt, we also provide non-authoritative files that may make your life easier. It is up to you, the participant, to verify that these files actually contain the same information than the official list: e.g. for the keyring.gpg file, you could run the keylist.txt.sh script and verify that the output similar enough to the official list. Note that different GnuPG version may output slightly different output. In particular, GnuPG older than version 2.1 uses a different key format.

The key signing event itself

The keysigning event takes place on Sunday, at 14:00, in the corridor on the second level of the U building. There is no fixed end time. Previous editions last for approximately one hour per 100 keys on the list. To participate, you should have submitted your keys before the deadline. Please bring the printed list, a pen and appropriate form of identification with you to FOSDEM 2020. Note that it is not possible to print the list at the conference.

You may find it useful to make a badge stating the number(s) of your key(s) on this list and the fact that you verified the fingerprints of your own key(s). Also provide a place to mark that your hashes match. Be on time to actually verify the hashes as they are announced! e.g.

I am number 001
My key-id & fingerprint: ☑
The hashes:              ☐

To avoid descending into chaos, the organiser will line up the participants in the order of the list.

  1 - 2 - 3 - 4 - 5 - 6 - 7 - 8

Next, this line folds onto itself, so everyone is facing another participant.

  1 - 2 - 3 - 4
  8 - 7 - 6 - 5

After the participants have verified each other's identity, the whole line moves one step to their right. Participants on the end of the line move to the opposite line. That way, everyone should be facing the next person on their list (modulo no-shows).

      2 - 3 - 4 - 5
  1 - 8 - 7 - 6
  2 - 3 - 4 - 5
  1 - 8 - 7 - 6

After the event

Please complete your signing homework before Thursday, 30 April 2020, and send your key signatures to the verified key owners, or upload them to a well-connected keyserver. You may find caff a helpful tool.