GPG Key Signing
We will once again be holding a PGP key-signing. To participate please
email your public keys to keys@linuxsymposium.org at least a week
prior to the symposium.
In addition to the reading of fingerprints, we will discuss
migration from PGP to GPG.
Required Process
- Generate a key and remember your pass phrase. Most of you have already done
this.
Use one of:
GnuPG
% gpg --armor --export myid | Mail -s myid keys@linuxsymposium.org
pgp2:
% pgp -kxa myid /tmp/mykey.asc &&
Mail -s myid keys@linuxsymposium.org </tmp/mykey.asc
pgp5:
% pgpk -xa myid | Mail -s myid keys@linuxsymposium.org
- We will print a list with everyone's key ID, key type, fingerprint, and
key size from the compiled keyrings and distribute copies of the
printout at the meeting.
We are hoping to be able to use only GPG for this, but likely will have
to produce PGP2 and PGP5 lists.
- Attend the party. Bring along a paper copy of your key ID, key type,
fingerprint, and key size that you obtained from your own keyring.
You must also bring along a suitable photo ID, particularly if your
face is not well known!
- At the meeting each key owner reads his key ID, key type, fingerprint,
key size, and user ID from his own printout, not from the distributed
listing. This is because there could be an error, intended or not, on
the listing. This is also the time to tell which IDs to sign or
not. If the key information matches your printout then place a
check-mark by the key.
- After everyone has read his key ID information, have all attendees form a line.
- The first person walks down the line having every person check his ID.
- The second person follows immediately behind the first person and so on.
- If you are satisfied that the person is who they say they are, and that
the key on the printout is theirs, you place another check-mark next to their
key on your printout.
- Once the first person cycles back around to the front of the line, he
has checked all the other IDs and his ID has been checked by all others.
- After everybody has identified himself or herself the formal part of
the meeting is over. You are free to leave or to stay and discuss
matters of PGP and privacy (or anything else) with fellow PGP users. If
everyone is punctual the formal part of the evening should take less than an
hour.
- After confirming that the key information on the key server matches the
printout that you have checked, sign the appropriate keys. Keys can only be
signed if they have two check-marks.
- Send the signed keys back to the keyservers, and to the key owners.
- Share and Enjoy. Use those keys as often as possible.
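As an added example (not part of the announcement or of GnuPG itself), a small Python helper that builds the printout described above from gpg's machine-readable listing and performs the final check before signing; the listing it parses is constructed sample data, and real input comes from `gpg --with-colons --fingerprint`.

```python
"""Build the key-signing printout from gpg's colon-separated listing and check a
key fetched from a keyserver against the entry verified at the party (added example)."""

# OpenPGP public-key algorithm IDs (RFC 4880, section 9.1) as gpg reports them.
ALGO_NAMES = {1: "RSA", 16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
# Constructed output of `gpg --with-colons --fingerprint` for two fake keys.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1600000000:::u:::scESC::::::23::0:
fpr:::::::::1111222233334444555566660123456789ABCDEF:
uid:u::::1600000000::DEADBEEF::Alice Example <alice@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1600000000::::::e::::::23:
fpr:::::::::999988887777666655554444FEDCBA9876543210:
pub:u:255:22:ABCDEF0123456789:1650000000:::u:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFFABCDEF0123456789:
uid:u::::1650000000::CAFEBABE::Bob Example <bob@example.org>::::::::::0:
"""

def parse_listing(text):
    """One dict per primary key: keyid, type, size, fingerprint, uids.
    Only the first fpr: after each pub: is kept, so subkey fingerprints are ignored."""
    keys, cur = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":  # field 2: bits, 3: algorithm id, 4: long key ID
            cur = {"keyid": f[4], "size": int(f[2]), "fingerprint": None,
                   "type": ALGO_NAMES.get(int(f[3]), "algo" + f[3]), "uids": []}
            keys.append(cur)
        elif f[0] == "fpr" and cur and cur["fingerprint"] is None:
            cur["fingerprint"] = f[9]
        elif f[0] == "uid" and cur:
            cur["uids"].append(f[9])
    return keys

def printout_lines(keys):
    """Per-key line for the printout: key ID, type/size, grouped fingerprint, UIDs."""
    out = []
    for k in keys:
        fp = " ".join(k["fingerprint"][i:i + 4] for i in range(0, len(k["fingerprint"]), 4))
        out.append("%s %s/%d %s  %s" % (k["keyid"], k["type"], k["size"], fp, "; ".join(k["uids"])))
    return out

def matches_printout(key, entry):
    """True only if key ID, type, size and fingerprint all equal the checked entry
    (spacing and case ignored, so a grouped printout matches gpg's raw form)."""
    norm = lambda s: (s or "").replace(" ", "").upper()
    return (norm(key["keyid"]) == norm(entry["keyid"]) and key["type"] == entry["type"]
            and key["size"] == entry["size"]
            and norm(key["fingerprint"]) == norm(entry["fingerprint"]))

def ok_to_sign(key, entry, checkmarks):  # party rule: two check-marks, then compare
    return checkmarks >= 2 and matches_printout(key, entry)
```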
Please also see
http://www.cryptnet.net/fdp/crypto/gpg-party.html.
FAQ
1.1 What exactly is a key signing party?
A key signing party is a get-together of people who use the PGP encryption
system with the purpose of allowing those people to sign each other's
keys. Key signing parties serve to extend the web of trust to a great
degree. Key signing parties also serve as great opportunities to discuss the
political and social issues surrounding strong cryptography, individual
liberties, individual sovereignty and even implementing encryption
technologies or perhaps future work on free encryption software.
1.2 What is key signing?
Key signing is the act of digitally signing a public key. You can digitally sign
your own public key, or another entity's public key. Key signing is done to
verify that a given public key really does belong to the entity that appears
to own the key. In a sense, key signatures validate public keys. This is the
way in which key signing builds the web of trust.
1.3 What is a web of trust?
A web of trust is a term used to describe the trust relationships between a
group of keys. A key signature is a link, or strand if you will, in the web
of trust. These links are called Trust Paths. Trust paths can be
bidirectional or only one way. The ideal web of trust is one in which
everyone is connected bidirectionally to everyone else. In effect, everyone
trusts that every key does in fact belong to its owner. The web of trust can
be thought of as the sum of all the trust paths, or links, between all key
holding parties.