利用 COSCUP 2013 的會後時間,舉辦 Key signing party[1][2]!

由於開放原碼社羣十分分散,難得有機會面對面,為了方便合作以及增強遠距聯絡的可靠性,我們可以利用實體聚會的機會交換並簽署 PGP 金鑰,以建立 Web of Trust[3]。這組金鑰除了便利確認身份,也可於通訊中加密訊息,避免各國官方政府日漸加強的網絡監視。

參加活動

產生一組 RSA 4096 bits 以上的金鑰[4],並將該金鑰送到 pgp.mit.edu.
請在 8/2 日前於表單[5]中提供你的電子郵件 (UID)、Fingerprint. 請你於 8/3 準時到達現場,並攜帶可信賴的有照證件以及一枝筆。

報名網址: http://bit.ly/16r2qJc

活動時間

請於 2013/08/03 第一日最後一場演講 17:20 結束後,於一樓東大門大廳 (鳳凰雕塑) 會面。
請跟主持人索取金鑰列表,檢查你的個人資訊,並依照對照表的次序排成隊伍。

其他注意事項

請勿簽署你未曾謀面的人的金鑰,請仔細檢查對方的身份證件以及個人簽章後才正式簽署。
請勿攜帶電腦於現場進行簽署。

此活動非 COSCUP 團隊發起,請聯絡主辦人: Rex Tsai

[1] https://en.wikipedia.org/wiki/Key_signing_party
[2] http://linuxreviews.org/howtos/gnupg/signingparty/
[3] https://en.wikipedia.org/wiki/Web_of_trust
[4] http://wiki.debian.org/Keysigning
[5] http://bit.ly/16r2qJc

I should replace my key long time ago, after there are security flaws has been identified in SHA-1. The US NIST also suggested to transit to stronger SHA-2 hash functions.

I followed the key replacement rules of Debian and Apache and created the new key. If you have validated my old key, Here is my transition statement for the new new 4096 bit RSA key –

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1,SHA512


I am transitioning GPG keys from an old 1024-bit DSA key to a new
4096-bit RSA key. The old key will continue to be valid for some
time, but I prefer all new correspondence to be encrypted in the
new key, and will be making all signatures going forward with the
new key.

This transition document is signed with both keys to validate the
transition.

If you have signed my old key, I would appreciate signatures on my new
key as well, provided that your signing policy permits that without
reauthenticating me.

The old key, which I am transitional away from, is:

pub   1024D/DC76FEB9 2004-09-18 Rex Tsai 
 Primary key fingerprint: 1700 7040 CBD7 5DB4 4956  959B 3A5E 166D DC76 FEB9

The new key, to which I am transitioning, is:

pub   4096R/3860D2A5 2011-05-20 Rex Tsai (蔡志展) 
 Primary key fingerprint: CDC8 966D A547 6B1F CEB8  6D49 86A6 03D4 3860 D2A5

To fetch the full new key from a public key server using GnuPG, run:

  gpg --keyserver keys.gnupg.net --recv-key 3860D2A5

If you have already validated my old key, you can then validate that the
new key is signed by my old key:

  gpg --check-sigs 3860D2A5

If you are satisfied that you've got the right key, and the UIDs match
what you expect, I'd appreciate it if you would sign my new key.

If you then want to sign my new key, a simple and safe way to do that is
by using caff (shipped in Debian as part of the "signing-party" package)
as follows:

  caff 3860D2A5

In the other way, you can sign the key and send it to me as following 
commands:

gpg --sign-key 3860D2A5
gpg --armor --export 3860D2A5 | mail -s 'OpenPGP Signatures' \
        [email protected]
gpg --keyserver pgp.mit.edu --send-key 3860D2A5

Please contact me via e-mail at  if you have
any questions about this document or this transition.

Thanks.

Regards
Rex Tsai, 2011-05-21
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk3WnNEACgkQOl4Wbdx2/rnujQCbBV+TSHWapsMrd5d06RKxkgT3
csUAnRpDr6obff4Fuj/P530f6pVT5WTXiQIcBAEBCgAGBQJN1pzRAAoJEIamA9Q4
YNKldvgP/2ej6EDhrGj/1dNkIdkWmKNXsj4OMWKcvDP6M+VnlkWtFaDQxYBb73Ea
vBhAgDZL7MhUwVbn9zydVInFpA9vtdsBwd6Hr3+rp+iv076TennKYP+qo7YDX5Ga
7s73Tim8Tn6AwYdBhyhFPJPZ/fEUknKNOWILu7eUjeQ+C7ndPNEe6VRvCJvJaHwa
aJ6b8kpeRG6UYQFGw/o2e0XGtEpek8dRiqk2sVnOVR/d0C6/u+2oQuGRVtX/uKd1
2E3HYPh/Y1RTqENYrCd39v8nA6NUzuw8kOpIx8MZ51iN4DB+YfusV8mtzhZIkVQP
y2BZ0jL2C2xFlCER7Cxlp8VpsKcz/tEixytciC0aOuoUoER7LQvfkQGs+pcTj8Fl
PQLmwgnqIM4PPQ4cSyhsFgmSkbFcDyxtStVLMEtJKKAJ0dOuqa13R0MKuRkg5WMP
u07EKBITk50QlqzXrJwM7I8FszIigbdWWQD2qNbXLpHcZNo5m5CshOVgTCy+t7E4
Z0gQ3DnZAsy+tclCjCeb6MdjRqF27C9LdWjNwHHcw71X2yqRXqEN8fb1JcXBSU5a
7AgiIMnDgw3BAm1QLQ/eEk8J7KuKvsFFK+hFpSs4mahYLUtExzSsEN7RbCQptSIc
4FfZUXS3bg+by4zF/2eSGI+FeMq7CIz4aX1JdfucBiFCNUCRhFPT
=kr5F
-----END PGP SIGNATURE-----