[ClusterLabs Developers] [HA/ClusterLabs Summit] Key-Signing Party, 2017 Edition

Jan Pokorný jpokorny at redhat.com
Fri Jul 21 19:15:07 UTC 2017


Hello cluster masters :-)

as there's a little less than 7 weeks left to "The Summit" meetup
(<http://plan.alteeve.ca/>), it's about time to get the ball
rolling so we can voluntarily augment the digital trust amongst
us the attendees, on OpenPGP basis.

Doing that, we'll actually establish a tradition since this will
be the second time such an event is being kicked off (unlike the birds
of a feather gathering itself, was edu-feathered back then):

  <https://people.redhat.com/jpokorny/keysigning/2015-ha/>
  <http://lists.linux-ha.org/pipermail/linux-ha/2015-January/048507.html>

If there are no objections, yours truly will conduct this undertaking.
(As an aside, I am toying with an idea of optimizing the process
a bit now that many keys are cross-signed already; I doubt there's
value in adding identical signatures just with different timestamps,
unless, of course, the inscribed level of trust is going to change,
presumably elevate -- any comments?)

* * *

So, going to attend the summit and want your key signed while reciprocally
spreading the web of trust?
Awesome, let's reuse the steps from the last time:

Once you have a key pair (and provided that you are using GnuPG),
please run the following sequence:

    # figure out the key ID for the identity to be verified;
    # IDENTITY is either your associated email address/your name
    # if only a single key ID matches, the specific key ID otherwise
    # (you can use "gpg -K" to select a desired ID at the "sec" line)
    KEY=$(gpg --list-keys --with-colons 'IDENTITY' | grep '^pub' | cut -d: -f5)

    # export the public key to a file that is suitable for exchange
    # (the file is named after the key ID)
    gpg --export -a -- "$KEY" > "$KEY"

    # verify that you have the expected data to share
    # (lists the contents of the exported file, with fingerprint)
    gpg --with-fingerprint -- "$KEY"

with IDENTITY adjusted as per the instruction above, and send me the
resulting $KEY file, preferably in a signed (or even encrypted[*]) email
from an address associated with that very public key of yours.

Timeline?
Please, send me your public keys *by 2017-09-05*, off-list and
best with [key-2017-ha] prefix in the subject.  I will then compile
a list of the attendees together with their keys and publish it at
<https://people.redhat.com/jpokorny/keysigning/2017-ha/>
so it can be printed beforehand.

[*] You can find my public key at public keyservers:
<http://pool.sks-keyservers.net/pks/lookup?op=vindex&search=0x60BCBB4F5CD7F9EF>
Indeed, the trust in this key should be ephemeral/one-off
(e.g. using a temporary keyring, not a universal one before we
proceed with the signing :)

* * *

Thanks for your cooperation, looking forward to this side stage
(but nonetheless important if release or commit[1] signing is to get
traction) happening and hope this will be beneficial to all involved.

See you there!


[1] for instance, see:
    <https://github.com/blog/2144-gpg-signature-verification>
    <https://pagure.io/pagure/issue/885>

-- 
Jan (Poki)
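
Added example, not part of the original message: one way for an attendee to check a received key file against the fingerprint on the printed list, using a throwaway keyring as the footnote suggests. The function names and the sample record are constructed for illustration, and the sketch assumes one key per file, as produced by the export step above.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons` output (not a real key).
SAMPLE='pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::0000000000000000000000000000000000000000::Example Attendee <attendee@example.org>:
sub:-:4096:1:1111111111111111:1500000000::::::e:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:'

# Print the primary key fingerprint: field 10 of the first "fpr" record
# that follows a "pub" record. Subkey fingerprints are never considered.
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; exit }'
}

# Strip whitespace and upper-case, so a fingerprint typed from a printout
# ("0123 4567 ...") compares equal to the colon-format value.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# fpr_matches PRINTED  (colon output on stdin)
# Succeeds only on a full 40-hex-digit match; a short key ID is rejected.
fpr_matches() {
    printed=$(normalize_fpr "$1")
    actual=$(primary_fpr)
    [ "${#printed}" -eq 40 ] && [ "$printed" = "$actual" ]
}

# check_key_file FILE PRINTED
# Imports FILE into a temporary GnuPG home (never the everyday keyring),
# compares the fingerprint, then removes the temporary home again.
check_key_file() {
    tmp=$(mktemp -d) || return 2
    chmod 700 "$tmp"
    gpg --homedir "$tmp" --batch --quiet --import -- "$1" || { rm -rf "$tmp"; return 2; }
    gpg --homedir "$tmp" --batch --with-colons --with-fingerprint --list-keys |
        fpr_matches "$2"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Calling `check_key_file FILE 'FINGERPRINT FROM THE PRINTOUT'` returns 0 on a match, 1 on a mismatch and 2 if the file could not be imported.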