Message-ID: <20131017212211.GA15197@gmail.com>
Date:	Thu, 17 Oct 2013 17:22:11 -0400
From:	Konstantin Ryabitsev <mricon@...nel.org>
To:	ksummit-2013-discuss@...ts.linux-foundation.org,
	linux-kernel <linux-kernel@...r.kernel.org>
Subject: Pubring and instructions for the KS 2013 keysigning

Hello, all:

I collected 36 keys from people interested in keysigning at the
Kernel Summit. I have uploaded the fingerprints and the keyring to the
following locations:

https://www.kernel.org/doc/ks/ks2013-fingerprints.txt
https://www.kernel.org/doc/ks/ks2013-keyring.gpg

This is the sha1sum of the keyring:
d9bb4f0519a5453fb445dbdc9e2bfee5b721332b

You can import the keyring using the "gpg --import" command.

WARNING: just in case someone jumps the gun -- these fingerprints were
taken at "face value". I DID NO VERIFICATION WHATSOEVER whether these
keys belong to the actual people. DO NOT sign any of these keys
without the verification procedure at the Kernel Summit. My GPG
signature on this email is in no way an endorsement of these keys.

Here's how the procedure will play out:

1. Some time on Thursday during plenary meetings, I will take 5 minutes
   of your time to introduce myself and to recite the sha1sum of the
   keyring available for download from the link above. People with laptops
   capable of downloading the keyring and running "sha1sum" (should be
   about 95% of the audience, I think) can validate whether the hash
   verifies. Someone from those present who can identify me will state
   that I am indeed who I am.
2. I will also make available printed worksheets with people's names
   and key fingerprints (or print your own -- see attached).
3. If you are willing to sign people's keys, please obtain from me a
   copy of the worksheet, a short pencil, and a spider sticker (because
   it's Hallowe'en and they were on sale, plus because it clearly
   means "Web of Trust").
   a. Affix the spider sticker to your KS badge to indicate that
      you're willing to sign keys.
   b. Fold the worksheet and keep it in your KS badge.
   c. Keep the brass lantern^W^W short pencil in your badge, too.
4. During lunch and later during the day, if someone approaches you
   and asks to sign their key:
   a. Keep calm and carry on.
   b. Locate their name on the worksheet.
   c. Ask to see some government-issued ID to verify their identity.
   d. Alternatively, ask personal/kernel-related questions which only
      that person would be able to answer (see Harry Potter books 6 and 7).
5. If you are comfortable in asserting that the person asking for your
   signature is who they say they are, put an "X" next to their name on
   the worksheet using the pencil provided (or an alternative writing
   utensil should there be a dearth of pencils).
6. When you get back to your laptop, run "gpg --sign-key [keyid]" for
   all the people marked "X" on your worksheet (assuming you ran "gpg
   --import ks2013-keyring.gpg" already). If a person has multiple keys,
   sign all of them.
7. Lastly, do "gpg --send-keys [keyid]" to upload the newly signed key
   to the keyservers.

If you're attending the Kernel Summit but have not submitted your key in
time -- or, alternatively, if you are attending LCE/CloudOpen but have
not been invited to the KS... do not despair!

Use the following procedure instead:

1. Write out your key on your business card, or
2. Make a QR code of the fingerprint and put it on your phone so
   others can scan it (e.g. like this http://goo.gl/xrdHz9, using
   this: http://www.unitaglive.com/qrcode).
3. Locate people sporting stylish spider stickers on their badges and ask them to
   sign your key. People with stylish spider stickers are likely in the
   kernel.org web of trust and have volunteered to participate in
   keysigning.


If you have any questions, please let me know.

Best,
-- 
Konstantin Ryabitsev
Systems Administrator
Linux Foundation, kernel.org
Montréal, Québec

Download attachment "ks2013-worksheet-2x.pdf" of type "application/pdf" (231664 bytes)

Content of type "application/pgp-signature" skipped
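
The checks in steps 1 and 6 of the message above can be scripted. This is an added example, not part of the original message or any kernel.org tooling. The function names, the listing file (assumed to be saved output of "gpg --with-colons --fingerprint" after the import) and the file of fingerprints you marked "X" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check the keyring hash before import, then only propose
# signing keys whose worksheet fingerprint is really in the keyring.

# sha1sum of ks2013-keyring.gpg as published in the message.
EXPECTED_SHA1="d9bb4f0519a5453fb445dbdc9e2bfee5b721332b"

# Normalise a hash or fingerprint: drop whitespace, upper-case the hex.
norm_hex() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# verify_keyring FILE HASH -> 0 on match, 1 on mismatch, 2 if unreadable.
verify_keyring() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    actual=$(sha1sum "$1" | cut -d' ' -f1)
    [ "$(norm_hex "$actual")" = "$(norm_hex "$2")" ] && return 0
    echo "hash mismatch for $1: got $actual" >&2
    return 1
}

# fpr_in_listing LISTING FPR -> 0 if FPR appears in an "fpr" record
# (field 10) of a saved "gpg --with-colons --fingerprint" listing.
fpr_in_listing() {
    want=$(norm_hex "$2")
    awk -F: -v want="$want" \
        '$1 == "fpr" && $10 == want { found = 1 } END { exit !found }' "$1"
}

# sign_commands LISTING MARKED -> print one "gpg --sign-key" command per
# fingerprint in MARKED (one per line, as copied from the worksheet) that
# is present in LISTING. Returns 1 if any marked fingerprint is absent.
sign_commands() {
    missing=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        fpr=$(norm_hex "$line")
        if fpr_in_listing "$1" "$fpr"; then
            echo "gpg --sign-key $fpr"
        else
            echo "not in keyring, do not sign: $fpr" >&2
            missing=1
        fi
    done < "$2"
    return $missing
}
```

Run `verify_keyring ks2013-keyring.gpg "$EXPECTED_SHA1"` before "gpg --import", and review the commands printed by `sign_commands` before running any of them.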
