2002 Linux Symposium

GPG Key Signing

We will once again be holding a PGP key-signing. To participate, please email your public keys to keys@linuxsymposium.org at least a week prior to the symposium.

In addition to the reading of fingerprints, we will discuss migration from PGP to GPG.

Required Process

  1. Generate a key and remember your pass phrase. Most of you have already done this.
      Then send your public key using one of:
    
      GnuPG:
      % gpg --armor --export myid | Mail -s myid keys@linuxsymposium.org
    
      pgp2:
      % pgp -kxa myid /tmp/mykey.asc &&
            Mail -s myid keys@linuxsymposium.org </tmp/mykey.asc
    
      pgp5:
      % pgpk -xa myid | Mail -s myid keys@linuxsymposium.org
    
    
  2. We will print a list with everyone's key ID, key type, fingerprint, and key size from the compiled keyrings and distribute copies of the printout at the meeting. We are hoping to be able to use only GPG for this, but likely will have to produce PGP2 and PGP5 lists.
  3. Attend the party. Bring along a paper copy of your key ID, key type, fingerprint, and key size that you obtained from your own keyring. You must also bring along a suitable photo ID, particularly if your face is not well known!
  4. At the meeting each key owner reads his key ID, key type, fingerprint, key size, and user ID from his own printout, not from the distributed listing. This is because there could be an error, intended or not, on the listing. This is also the time to say which IDs to sign or not. If the key information matches your printout then place a check-mark by the key.
  5. After everyone has read his key ID information, have all attendees form a line.
  6. The first person walks down the line having every person check his ID.
  7. The second person follows immediately behind the first person and so on.
  8. If you are satisfied that the person is who they say they are, and that the key on the printout is theirs, you place another check-mark next to their key on your printout.
  9. Once the first person cycles back around to the front of the line, he has checked all the other IDs and his ID has been checked by all others.
  10. After everybody has identified himself or herself the formal part of the meeting is over. You are free to leave or to stay and discuss matters of PGP and privacy (or anything else) with fellow PGP users. If everyone is punctual the formal part of the evening should take less than an hour.
  11. After confirming that the key information on the key server matches the printout that you have checked, sign the appropriate keys. Keys can only be signed if they have two check-marks.
  12. Send the signed keys back to the keyservers, and to the key owners.
  13. Share and Enjoy. Use those keys as often as possible.

Please also see http://www.cryptnet.net/fdp/crypto/gpg-party.html.
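
Step 11 as an added example (not part of the original page or the symposium's tooling): a shell helper that approves a key for signing only when it has two check-marks and the fingerprint of the key fetched from the key server equals the one on your checked printout. The checklist rows and the colon listing are constructed sample data; the listing follows the `fpr` record layout printed by `gpg --with-colons --fingerprint`.

```shell
#!/bin/sh
# Added example; all sample data below is constructed, not real keys.

# Strip whitespace and uppercase, so "aaaa bbbb ..." equals "AAAABBBB...".
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons --fingerprint KEYID` output on stdin and print the
# primary key's fingerprint: field 10 of the first "fpr" record. Later "fpr"
# records belong to subkeys and are ignored.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# can_sign PRINTED_FPR CHECK_MARKS COLON_LISTING
# Succeeds only when the key has two check-marks and the fetched key's
# fingerprint matches the fingerprint on the checked printout.
can_sign() {
    [ "$2" -eq 2 ] || return 1
    printed=$(norm_fpr "$1")
    fetched=$(norm_fpr "$(printf '%s\n' "$3" | primary_fpr)")
    [ -n "$fetched" ] && [ "$printed" = "$fetched" ]
}

# Constructed listing standing in for the key fetched from the key server.
SAMPLE_LISTING='pub:-:1024:17:0123456789ABCDEF:2002-06-01:::-:Example User <user@example.org>::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
sub:-:1024:16:1111222233334444:2002-06-01::::::e:
fpr:::::::::9999888877776666555544443333222211110000:'

# Constructed checklist: label|fingerprint from your printout|check-marks.
# Row 2 differs from the fetched key in one digit; row 3 lacks the ID check.
review_sample() {
    while IFS='|' read -r label printed checks; do
        if can_sign "$printed" "$checks" "$SAMPLE_LISTING"; then
            echo "$label: sign"
        else
            echo "$label: do NOT sign"
        fi
    done <<'EOF'
match|aaaa bbbb cccc dddd eeee  ffff 0123 4567 89ab cdef|2
mismatch|AAAA BBBB CCCC DDDD EEEE  FFFF 0123 4567 89AB CDE0|2
unverified|AAAA BBBB CCCC DDDD EEEE  FFFF 0123 4567 89AB CDEF|1
EOF
}

review_sample
```

For a real key, pass `"$(gpg --with-colons --fingerprint KEYID)"` as the third argument to `can_sign` in place of the constructed listing.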

FAQ

1.1 What exactly is a key signing party?

A key signing party is a get-together of people who use the PGP encryption system with the purpose of allowing those people to sign each other's keys. Key signing parties serve to extend the web of trust to a great degree. Key signing parties also serve as great opportunities to discuss the political and social issues surrounding strong cryptography, individual liberties, individual sovereignty and even implementing encryption technologies or perhaps future work on free encryption software.

1.2 What is key signing?

Key signing is the act of digitally signing a public key. You can digitally sign your own public key, or another entity's public key. Key signing is done to verify that a given public key really does belong to the entity that appears to own the key. In a sense, key signatures validate public keys. This is the way in which key signing builds the web of trust.

1.3 What is a web of trust?

A web of trust is a term used to describe the trust relationships between a group of keys. A key signature is a link, or strand if you will, in the web of trust. These links are called Trust Paths. Trust paths can be bidirectional or only one way. The ideal web of trust is one in which everyone is connected bidirectionally to everyone else. In effect, everyone trusts that every key does in fact belong to its owner. The web of trust can be thought of as the sum of all the trust paths, or links, between all key holding parties.

© 1999-2002 Linux Symposium.  All Rights Reserved.