Due to the exceptionally large number of people (well
in excess of 100) attending this year's OLS keysigning,
it would take too long to have each individual read out their
fingerprint. We are opting to use a slightly modified form of the Sassaman Efficient Group
Key Signing Method.
For Lazy People
Before you come to OLS
- Download a copy of the sassaman file.
- Verify your fingerprint in that file is the same as the one you have
written down. If it isn't, you might want to contact the organisers.
- Create an md5sum of it. Optionally, also create an sha1sum of it.
- Write the checksums down on the same piece of paper as your fingerprint.
- Don't forget to bring the piece of paper.
The md5sum should be the same as this one
and the sha1sum should be the same as this
one. If they aren't, again, ask the organisers. You might want to check
that line endings or other whitespace haven't been mangled.
During the meeting
- I will stand up at the front and recite both the md5sum and the sha1sum.
- You should verify that at least the md5sum and optionally the sha1sum
that I read out match what you wrote down.
- I shall call on each of you in turn to verify that the fingerprint
in the file matches what you saw in the sassaman.txt file.
- As other people stand up to confirm their fingerprint, put a tick in the
box next to their name labelled "Key Info".
When you get home, verify the sassaman.txt file against the fingerprints
gpg generates. You can now be sure that the file you have is the same as the
file everybody else had and that everybody who attended the keysigning event
had the same fingerprint as the one by their name in this file.
The Sassaman file?
The original version of this web page had a link to sassaman.txt in
this directory. Some people feel this makes it too easy for spammers to
grab their email address. To address this concern, there is no link to
the sassaman.txt file, but the easiest way to get it is to replace the
‘.php’ on the end of this URL with ‘.txt’.
For Crypto Geeks
We diverge from Sassaman's method at his Step 5. Rather than have
each individual print out a copy of the text file, simply make a note of
the md5sum (and/or sha1sum) on the same piece of paper where you have a
hardcopy of your key (which you were going to bring to the keysigning
anyway ;-). Then, when you get home, check the fingerprints in the
sassaman file match the one gpg prints out when you ask it to sign a
key.
We distribute the md5sum and sha1sum via the website to make sure
this won't be a wasted trip because whitespace got mangled in someone's
download.
Let's just follow the chain of trust & verification here:
- When Alice verifies Bob's fingerprint, she must be sure that the
fingerprint that gpg tells her is the same as the one Bob told her.
- Bob verifies that his fingerprint in the file matches the one his
copy of gpg produced.
- Bob verifies the announced checksum for the file matches his checksum
for the file.
- Alice verifies the announced checksum for the file matches her checksum
for the file.
- Bob asserts to Alice that the fingerprint in the file by his name
really is his.
- Because Alice and Bob have the same checksum for the file, they know they
are looking at the same file.
- Alice can now be sure that Bob's fingerprint in the file matches the
one Bob gets at home.
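The checks described above, as an added example that is not part of the original page: it computes the md5sum and sha1sum, tells line-ending mangling apart from a genuinely different file, and lists fingerprints in the file that the local gpg does not report. The "Key fingerprint = ..." layout assumed for sassaman.txt and all sample names and fingerprints are constructed for illustration; the gpg side is parsed from `gpg --with-colons --fingerprint` output.

```python
import hashlib
import re

def checksums(data: bytes) -> dict:
    """md5sum and sha1sum of the file bytes, as hex strings."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def diagnose(data: bytes, announced: dict) -> str:
    """Compare with the announced checksums; recognise line-ending mangling."""
    if checksums(data) == announced:
        return "match"
    to_lf = data.replace(b"\r\n", b"\n")       # undo an LF -> CRLF conversion
    to_crlf = to_lf.replace(b"\n", b"\r\n")    # undo a CRLF -> LF conversion
    if announced in (checksums(to_lf), checksums(to_crlf)):
        return "line endings mangled"
    return "different file"

def file_fingerprints(text: str) -> set:
    """Fingerprints listed in the file (assumed 'Key fingerprint = ...' lines)."""
    found = re.findall(r"Key fingerprint = ([0-9A-Fa-f ]+)", text)
    return {f.replace(" ", "").upper() for f in found}

def gpg_fingerprints(colons: str) -> set:
    """Fingerprints from the fpr records of gpg's colon-delimited listing."""
    return {line.split(":")[9].upper()
            for line in colons.splitlines() if line.startswith("fpr:")}

def unverified(text: str, colons: str) -> set:
    """Fingerprints in the file that the local gpg does not report."""
    return file_fingerprints(text) - gpg_fingerprints(colons)

# Constructed sample data: names and fingerprints are made up.
SAMPLE = (
    b"Alice Example <alice@example.org>\n"
    b"      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567\n"
    b"Bob Example <bob@example.org>\n"
    b"      Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98\n")
ANNOUNCED = checksums(SAMPLE)   # stands in for the checksums read out at the meeting
GPG_COLONS = (                  # Bob's last digit differs from the file on purpose
    "fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:\n"
    "fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA99:\n")

if __name__ == "__main__":
    print(diagnose(SAMPLE.replace(b"\n", b"\r\n"), ANNOUNCED))
    print(sorted(unverified(SAMPLE.decode(), GPG_COLONS)))
```

Read sassaman.txt in binary mode before hashing, so that the platform does not translate line endings and hide the very mangling the check is meant to catch.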
Copyright © 2007 Linux Symposium Inc. All rights reserved.
Linux is a registered trademark of Linus Torvalds.