Those interested in taking part you'll want to bring with you your
$ gpg --fingerprint 16A0DE01
pub 4096R/16A0DE01 2011-01-28
Key fingerprint = 19BB CAEF 7B19 B280 A0E2 175E 62D4 8FAD 16A0 DE01
uid Ben Reser <ben_at_reser.org>
uid Ben Reser <breser_at_apache.org>
uid Ben Reser <ben.reser_at_wandisco.com>
sub 4096R/5EF5CC13 2011-01-28
Please be sure to include all the UIDs that you also want signed for that key.
If it isn't already obvious to everyone, we probably will not be
actually signing but rather confirming identity and you confirming in
person that a given keyid/fingerprint combo is yours. Everyone will
then sign later.
We'll be doing this somewhat ad hoc, since I didn't really have time to
get this fully organized. If possible, bring several printed copies of
the above information that we can hand out to everyone; that would be
ideal. I realize some people may not have time to do this in advance
or access to a printer since some people may already be traveling. If
you're in this boat please respond here ASAP and I'll see what I can
do to help you.
The basic pattern will be that we will take turns being the signer and
the person asking for a signature. The requestor will provide a copy
of their keyid/fingerprint and the signer will check ID and confirm
What ID you want to provide is up to you and what ID people want to
accept is up to them.
Nobody is compelled to sign a key or UID they do not feel comfortable signing.
On Fri, Oct 5, 2012 at 3:10 PM, Ben Reser <ben_at_reser.org> wrote:
> Given that we're coming up on a couple of opportunities for various
> developers to get together and potentially sign keys I thought I'd
> bring this subject up.
> 1) SHA-1 based keys should be migrated off of. The US Government's
> requirement of agencies was to stop using SHA-1 by the end of 2010.
> We're nearly 2 years past that date and there are actually several
> people still signing releases with such keys. In particular if you're
> still using a 1024 DSA key that means you. You can check by looking
> at how GPG represents your key; if it says 1024D then
> you need to replace that key. Details on a sane way of migrating keys
> and details about the situation can be found on this blog:
> If you have any questions about this I'll do my best to answer them.
> 2) There are going to be 2 opportunities in the coming months when
> several of us are together that it may be useful to carry out a key
> signing party.
> a) Greenwich, Connecticut USA October 13th - 15th at the
> mini-hackathon before SVN Live.
> b) Sinsheim, Germany November 5th - 8th at ApacheCon EU 2012.
> I plan on organizing key signing at both events if there are sufficient
> people interested and there will be keys that need signing. Given the
> SHA-1 issue described above and the key signing party
> options, now might be an excellent time to generate a new key,
> especially if you're planning on attending one of those events.
> If you're interested in participating in something like that at one of
> those locations, please reply and indicate which location(s) you'll be
> available to attend and the dates you'll be available (since some
> people may not be available the whole time). Based on this
> information I'll try to coordinate something that hits the maximum
> number of people and generates the biggest web of trust.
> This is not just an opportunity for developers to sign each other's
> keys but also an opportunity for some of our users to sign our keys
> and potentially enhance their trust of our signatures. So feel free
> to pass this information along to anyone that's interested.
> I'd like to plan the details for the Greenwich, Connecticut
> opportunity no later than Tuesday October 8th, so please reply ASAP if
> you're interested in that. I'll post more details once I've figured
> them out.
Received on 2012-10-10 05:27:47 CEST
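
Added example, not part of the original message: a small Python check over `gpg --with-colons --fingerprint` output that flags the 1024-bit DSA ("1024D") keys the quoted message says to replace, and compares a fingerprint read from a printed slip against the keyring copy. The sample listing is constructed; its first key reuses the fingerprint and one UID shown above, and the second key is entirely made up.

```python
# Added example: audit a colon-format gpg listing before a key signing.
ALGOS = {"1": "R", "16": "g", "17": "D"}  # OpenPGP algorithm id -> gpg letter

# Constructed sample. Key 1 uses the fingerprint from the message above;
# key 2 (a legacy 1024-bit DSA key) is invented for illustration.
SAMPLE = """\
pub:u:4096:1:62D48FAD16A0DE01:1296172800:::u:::scESC:
fpr:::::::::19BBCAEF7B19B280A0E2175E62D48FAD16A0DE01:
uid:u::::1296172800::::Ben Reser <ben_at_reser.org>:
pub:u:1024:17:89ABCDEF01234567:1104537600:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1104537600::::Example Committer <committer@example.invalid>:
"""

def parse_keys(listing):
    """Return one dict per primary key found in a --with-colons listing."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":  # field 3 = key length, field 4 = algorithm id
            keys.append({"bits": int(f[2]), "algo": ALGOS.get(f[3], "?"),
                         "keyid": f[4], "fpr": None, "uids": []})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]  # first fpr after pub is the primary key's
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
    return keys

def label(key):
    """Render the short form used in the message, e.g. 4096R/16A0DE01."""
    return f'{key["bits"]}{key["algo"]}/{key["keyid"][-8:]}'

def is_legacy(key):
    """True for DSA keys of 1024 bits or fewer ("1024D")."""
    return key["algo"] == "D" and key["bits"] <= 1024

def fingerprint_matches(key, printed):
    """Compare the full printed fingerprint, ignoring spacing and case."""
    return "".join(printed.split()).upper() == key["fpr"]

if __name__ == "__main__":
    slip = "19BB CAEF 7B19 B280 A0E2 175E 62D4 8FAD 16A0 DE01"
    for key in parse_keys(SAMPLE):
        status = "REPLACE (legacy DSA)" if is_legacy(key) else "ok"
        print(label(key), status, "slip match:", fingerprint_matches(key, slip))
```

The comparison uses the whole 40-character fingerprint on purpose: a short key ID alone does not match.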