
Key Signing Party

by Neil Schneider last modified 2005-05-02 02:15

Describes a past KPLUG sponsored keysigning party that was held in conjunction with a regular KPLUG meeting.

jhriv Keysigning Party Prerequisites

Before the meeting:

  1. have a PGP/GPG key
  2. it must be accessible
    • you can either upload it to a keyserver:
            gpg --keyserver wwwkeys.kernel-panic.org --send-key <keyid>
    • or you can email it directly to me and I will put it on a keyserver
  3. indicate to me a desire to have your name added to the Official List
    • I will gather the names from the current subscribers that I can find keys for on any of the public servers. I can easily search directly through KPLUG's own keyserver; I cannot as easily search through the rest of the keyserver network.
    • again, you can send me a private note with your keyid, or sign your message and I can get your keyid that way.

At the meeting:

  1. a pen
  2. photo ID (preferably two)

What happens at the meeting?

During the Social Hour portion of the meeting, those of us wishing to participate will all migrate to one area. I will distribute the sheets with the fingerprints on them.

They will look similar to this:

      Type Bits KeyID      Created    Expires    Algorithm                 Use

      [ ] pub  1024 0x29E0E66B 2001-01-16 2006-01-31 DSA                  Sign only
      f20    Fingerprint20 = 2942 DD0F 77F4 711A DA26  0C86 3199 B176 29E0 E66B
      ( ) uid  John H. Robinson, IV <jaqque@debian.org>

In the order on the sheet, we will each verify that the fingerprint on the sheet is correct, and read aloud the fingerprint. This is to verify that no one has the wrong sheet, and that no-one (me?) has tampered with the identities. When the verbal fingerprint matches the printed one, check it off in the [ ] pub block of your copy.

After all the fingerprints have been verified, we will pass around the IDs in a clockwise order. Once you have verified the ID, you can check off the ( ) uid block of your copy.

If you feel that is sufficient, you may then go home and sign the keys that you have two check marks for.

For more information, please see: http://www.cryptnet.net/fdp/crypto/gpg-party.html
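As an added example (not part of the original page), the following Python script parses a sheet in the layout shown above, honours the two-check-mark rule, and adds one consistency check a careful signer can make at home: for OpenPGP v4 keys the short key ID is the low 32 bits of the fingerprint, so the printed KeyID must equal the last eight hex digits of the printed fingerprint (as it does in the page's sample, 0x29E0E66B). The sheet text is constructed; its first entry reuses the page's sample and the other two are made up to show an unchecked ID and a misprinted key ID.

```python
import re

# Constructed sample sheet in the layout shown on the page. The first entry is
# the page's own sample; the other two are made up to show the failure modes.
SHEET = """\
[x] pub  1024 0x29E0E66B 2001-01-16 2006-01-31 DSA                  Sign only
f20    Fingerprint20 = 2942 DD0F 77F4 711A DA26  0C86 3199 B176 29E0 E66B
(x) uid  John H. Robinson, IV <jaqque@debian.org>
[x] pub  1024 0x0123ABCD 2003-07-04 2008-07-04 DSA                  Sign only
f20    Fingerprint20 = AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 0123 ABCD
( ) uid  Unchecked Person <nobody@example.invalid>
[x] pub  1024 0xDEADBEEF 2004-03-01 2009-03-01 DSA                  Sign only
f20    Fingerprint20 = 1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 0123 4567
(x) uid  Misprinted Person <misprint@example.invalid>
"""

PUB_RE = re.compile(r"^\[(?P<mark>.)\] pub\s+\d+\s+0x(?P<keyid>[0-9A-F]{8})")
FPR_RE = re.compile(r"Fingerprint20 = (?P<fpr>[0-9A-F ]+)$")
UID_RE = re.compile(r"^\((?P<mark>.)\) uid\s+(?P<uid>.+)$")


def normalize_fpr(text):
    """Drop spacing and case so a fingerprint read aloud compares cleanly."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def parse_sheet(text):
    """Group the sheet into entries: key ID, fingerprint, UIDs and check marks."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PUB_RE.match(line)
        if m:
            cur = {"keyid": m["keyid"], "pub_ok": m["mark"] != " ",
                   "fpr": None, "uids": []}
            entries.append(cur)
            continue
        m = FPR_RE.search(line)
        if m and cur is not None:
            cur["fpr"] = normalize_fpr(m["fpr"])
            continue
        m = UID_RE.match(line)
        if m and cur is not None:
            cur["uids"].append((m["uid"].strip(), m["mark"] != " "))
    return entries


def keys_to_sign(entries):
    """Return (keyid, uid) pairs with both check marks whose printed key ID
    equals the low 32 bits of the printed fingerprint (v4 keys)."""
    chosen = []
    for e in entries:
        if not e["pub_ok"] or e["fpr"] is None:
            continue  # fingerprint never verified aloud: nothing to sign
        if len(e["fpr"]) != 40 or e["fpr"][-8:] != e["keyid"]:
            continue  # sheet is internally inconsistent: ask the owner, do not sign
        chosen.extend((e["keyid"], uid) for uid, ok in e["uids"] if ok)
    return chosen
```

Run `keys_to_sign(parse_sheet(SHEET))` and only the first entry is returned; the second lacks the uid check and the third's key ID does not match its fingerprint.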

For further assurances

Separately, go to that person and exchange tokens. A number and a word are excellent choices (23 skidoo). One of them will be the send and the other the receive (the other person will use the same tokens, only oppositely); try to make them non-obvious ;) Call these Secret A and Secret B.

Once you get home, you can then send them an email encrypted to their UID, to the email listed on that UID, and sign it with the key that you wish to have signed. Include Secret A in that email. Also include a new secret, Secret C.

The other person should then send Secret C back to you, signed by the key they want you to sign and encrypted to the key that you signed your email with originally.

Since the other person is doing the same thing, there can be up to four secrets involved in a single key-signature exchange.

This verifies the following:

  1. the email on the key is good
  2. the respondent has control of the secret key
  3. the person you are communicating with is the person (or knows very well the person) that you met at the signing party

I prefer using Manoj's Protocol (as the above procedure is known) because it helps to ensure that your signature means you have done dutiful checks. This makes your signature more meaningful in the web of trust.

For more information on the above additional checks, please see this page
