Zimmermann-Sassaman Projected Protocol
0. Variant
This protocol is a variation of the one described by Phil Zimmermann and Len Sassaman.
1. Requirements
- A key pair.
- Two IDs with a recent photo (or, at least, one close to how you look today), at least one of them issued by a governmental entity.
- A copy of the fingerprint of your public key.
2. Before the party
Key sending
Send your public key to the party key server by the deadline:
bash$ gpg --keyserver ksp.softwarelivre.org --send-keys KeyID
Key list
Before the party a participant key list should be published. You must obtain a copy of this list and calculate the MD5 and SHA1 hashes of the file, authenticating them against the hashes given along with the list.
It's really important that you yourself calculate these hashes. This is how to do it:
bash$ gpg --print-md md5 keylist.txt
bash$ gpg --print-md sha1 keylist.txt
Print this list and bring it with these hashes written on top of it, at the appropriate spot. Again, it's really important that you yourself print the list; do not trust already printed lists. That's why the party organizers do not provide ready-printed lists.
3. During the Party
Hash reading
At the beginning of the party, the MD5 and SHA1 hashes will be read. If the hashes match the ones you have written, check the appropriate spot in the list.
Document Presentation and Fingerprint Checking
After the hash reading, in list order, every participant takes his documents to the front, puts them in the projector provided by the organization, and states, so everyone can hear, that the fingerprint printed in the list is from his own key. All others mark the appropriate spot of the list if (1) they're satisfied with the document, (2) the name matches the one in the document, and (3) the participant confirmed the fingerprint.
This process is the most time-consuming, and it was designed to be as quick as possible so that a large number of signatures can be obtained. The party is over when the last participant in the list has gone through the process.
4. After the Party
Obtain party keyring
On the party website you'll find the keyring containing all the keys in the list, in binary GPG format and as an ASCII-armored file. You can easily import the whole keyring:
bash$ gpg --import keyring.gpg
List processing
With the list you brought from the party, with the appropriate markings, you can choose the best way to sign the keys that you have correctly verified. This procedure is beyond the scope of this document (check how to sign the cryptographic keys automatically using caff or manually one by one).
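The list was authenticated by its hashes, but the downloaded keyring was not, so before signing it is worth confirming that each imported key carries a fingerprint you verified at the party. The following is an added example, not part of the original protocol text; it assumes keylist.txt shows fingerprints in gpg's grouped form and that the colon listing comes from `gpg --with-colons --fingerprint` run after the import. All names and sample data are constructed.

```python
import re

# A v4 fingerprint as gpg prints it: ten groups of four hex digits on one line.
FPR_RE = re.compile(r"\b(?:[0-9A-Fa-f]{4}[ \t]+){9}[0-9A-Fa-f]{4}\b")

def list_fingerprints(keylist_text):
    """Fingerprints in the hash-verified keylist.txt (line layout is assumed)."""
    return {re.sub(r"\s+", "", m).upper() for m in FPR_RE.findall(keylist_text)}

def primary_fingerprints(colons):
    """Map primary-key fingerprint -> first user ID from `gpg --with-colons` output."""
    keys, current, last = {}, None, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):          # an fpr record follows its key record
            last, current = f[0], (current if f[0] == "sub" else None)
        elif f[0] == "fpr" and last == "pub" and len(f) > 9:
            current = f[9].upper()          # field 10 holds the fingerprint
            keys[current] = None            # subkey fingerprints are skipped
        elif f[0] == "uid" and current and keys[current] is None and len(f) > 9:
            keys[current] = f[9]            # field 10 holds the user ID
    return keys

def cross_check(verified, colons):
    """Return (safe to sign, in keyring but not verified, verified but not in keyring)."""
    keyring = primary_fingerprints(colons)
    sign = {fp: keyring[fp] for fp in verified if fp in keyring}
    return sign, sorted(set(keyring) - set(verified)), sorted(set(verified) - set(keyring))

# Constructed sample data, not real keys.
KEYLIST = """\
Alice Example
      Key fingerprint = AAAA 1111 AAAA 1111 AAAA  1111 AAAA 1111 AAAA 1111
Bob Example
      Key fingerprint = BBBB 2222 BBBB 2222 BBBB  2222 BBBB 2222 BBBB 2222
"""
COLONS = """\
pub:-:4096:1:AAAA1111AAAA1111:1230000000:::-:::scESC:
fpr:::::::::AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111:
uid:-::::1230000000::X::Alice Example <alice@example.org>:
sub:-:4096:1:CCCC3333CCCC3333:1230000000::::::e:
fpr:::::::::CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333:
pub:-:1024:17:DDDD4444DDDD4444:1230000000:::-:::scESC:
fpr:::::::::DDDD4444DDDD4444DDDD4444DDDD4444DDDD4444:
uid:-::::1230000000::Y::Bob Example <bob@example.org>:
"""

if __name__ == "__main__":
    print(cross_check(list_fingerprints(KEYLIST), COLONS))
```

In the sample, the second key carries a participant's name but a fingerprint that is not on the list, so it lands in the "not verified" group and must not be signed.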
What to do with the signed keys?
It's controversial whether you should send a signed key to a public keyserver or back to its owner, so that he/she can do whatever he/she likes with it. It's generally considered Good Practice™ to send it back to its owner. This process can be rather slow and tedious if you've chosen to sign each key manually... Luckily, caff, mentioned above, follows this practice, and we recommend its use.
--
PabloLorenzzoni - 08 May 2009