What is a key-signing party?

A key-signing party is a get-together of GnuPG/PGP users for the purpose of meeting other GnuPG/PGP users and signing each other's keys. This extends the Web of Trust that GnuPG/PGP relies upon. At the March OCLUG meeting there will be a party for all participants. Anyone and everyone is invited.

We sign keys because GnuPG/PGP is based upon a Web of Trust. This web of trust is what ensures that nobody can pretend to be you and that you can really believe that a message you receive from Bob is really from Bob. The deeper and more tightly interlinked the web of trust is, the more difficult it is to defeat.

What do I need to bring?

  1. You (physical attendance is absolutely required)
  2. One or more forms of identification
  3. Your key ID, Type, fingerprint and size
  4. A pen or pencil
  5. NO COMPUTER

What do I do BEFORE the party?

Email a copy of your public key to <oclugkeyparty@mrball.net>. If you do not have a gpg key or do not yet have it installed, more information is below. The commands you should use look something like this:

$ gpg --fingerprint [emailaddress]
pub  1024D/123ABC4D 2001-03-28 Your Name <you@example.com>
     Key fingerprint = 3380 B5DC 0568 A909 DAFD  89E7 3B4D 9DD4 123A BC4D
sub  1024g/567EFG8H 2001-03-28 [expires: 2002-03-28]

Make a note of your key ID; it is the part following "pub 1024D/". The 1024D is the key size and type, the part after the slash is the key ID, and the fingerprint should be obvious.

$ gpg --fingerprint [KEYID] > pubkey.txt
$ gpg --armor --export [KEYID] >> pubkey.txt

The command that I used is below. My Key ID is AE127015. You may also use the email address you entered during key creation to find out your key ID. By the way, the key ID is not case sensitive. AE127015 is the same as ae127015 to gnupg.

$ gpg --fingerprint AE127015 > pubkey.txt
$ gpg --armor --export AE127015 >> pubkey.txt

Cut/paste the contents of that file into an email. Please do not send it as an attachment. You may view mine here, or the original author's of this page here.

This is going to be a keyring-style party where I email a copy of a keyring to all the participants. That makes it slightly more complicated than a keyserver-based party, but I feel the added control is worthwhile. Furthermore, there are those who are concerned about the "public public-key" issue.

Print out a copy of the --fingerprint output. You must bring this to the March OCLUG meeting.

What do I do DURING the party?

A worksheet for everyone at the party will be prepared. It will list the fingerprints of every key I received in time for the party.

Phase one consists of key identification. In the order on the sheet, each of us will stand and read our own fingerprint from the copy we brought. Reading the fingerprint consists of reading your key size, type, ID and fingerprint. There will be checkboxes down the side of the sheet, two next to each fingerprint. The first box is checked off as each person reads their key.

Phase two: we will form a big conga line. The first person will turn around and walk down the line examining identification and checking the second box on the paper if it matches to their satisfaction. The amount of evidence required to "positively ID" an individual is a personal choice. Whatever it takes to convince you that the person you see really is the person identified by that key is sufficient. A passport and driver's license is often touted as a good combination, but you have to make up your own mind. Remember that when you sign a key, you are telling the world that you believe and trust that the key belongs to that person.

What do I do AFTER the party?

After the party you will receive a rather large email containing the keyring from the party. This is the really time-consuming part that will test your mettle. You must run the following command for every key on the sheet.

$ gpg --no-default-keyring --keyring ./oclug.gpg --sign-key [KEYID]

You will be prompted with the fingerprint of the key to compare against the printout you checked off. It is very important that you compare the two. If it all checks out, answer "Yes" and you will be prompted for your passphrase. Once you enter it, you are certifying to the world that the key really belongs to the person you met at the party. Note: this is the secret passphrase for YOUR key.
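The two checks above (reading size/type/ID/fingerprint off the --fingerprint printout before the party, and comparing the fingerprint gpg shows at --sign-key time against the checked-off printout afterwards) can be made mechanical. This is an added example, not part of the original page or an OCLUG tool; it assumes the --fingerprint output format shown above and uses the page's own sample key ID and fingerprint as constructed input.

```python
import re

# Constructed sample in the layout of `gpg --fingerprint` shown on this page;
# the key ID and fingerprint are the page's own example values.
SAMPLE_FINGERPRINT_OUTPUT = """\
pub  1024D/123ABC4D 2001-03-28 Your Name <you@example.com>
     Key fingerprint = 3380 B5DC 0568 A909 DAFD  89E7 3B4D 9DD4 123A BC4D
sub  1024g/567EFG8H 2001-03-28 [expires: 2002-03-28]
"""

PUB_RE = re.compile(r"^pub\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8,16})\s+\S+\s+(.*)$")
FPR_RE = re.compile(r"^\s*Key fingerprint = ([0-9A-Fa-f ]+)$")


def normalize(fpr):
    """Drop spacing and case so a fingerprint read aloud, typed by hand or
    printed by gpg compares equal to the one on the printout."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_fingerprint_output(text):
    """Return size, type, key ID, fingerprint and uid for each 'pub' line;
    'sub' lines are ignored, just as they are left off the worksheet."""
    keys, current = [], None
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            current = {"size": int(m.group(1)), "type": m.group(2),
                       "keyid": m.group(3).upper(), "uid": m.group(4).strip()}
            keys.append(current)
            continue
        m = FPR_RE.match(line)
        if m and current is not None and "fpr" not in current:
            current["fpr"] = normalize(m.group(1))
    return keys


def keyid_matches_fingerprint(key):
    """For a v4 key the ID is the trailing hex of the fingerprint (8 digits in
    the short form used on this page), so a mismatch means a transcription
    error on the printout."""
    return key["fpr"].endswith(key["keyid"])


def worksheet_line(key):
    """One worksheet row: the two checkboxes (read aloud, ID verified), then
    size/type, key ID, fingerprint and name in the order read in phase one."""
    return "[ ] [ ] %d%s/%s %s %s" % (key["size"], key["type"], key["keyid"],
                                     key["fpr"], key["uid"])


def fingerprints_match(printout, shown_by_gpg):
    """The after-party check: what gpg shows at --sign-key time must equal
    the fingerprint checked off on the printout, ignoring spacing and case."""
    return normalize(printout) == normalize(shown_by_gpg)
```

Answer "Yes" at the --sign-key prompt only when fingerprints_match is true for that key; a single differing hex digit, as in the last assertion, is a different key.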

Once you have signed each of the keys on the ring, mail a copy back to Todd (me). He will compile all the signatures and send the final ring with all signatures to all participants. When you receive the final set of keys, all you need to do is import them. At your option you may upload your own signed key to a keyserver. Please note that it is considered poor form to upload someone else's key to a keyserver without their permission.

I don't have GPG/I don't have a GPG Key!

You could use the summary instructions in The Keysigning Party HOWTO or read up on GnuPG at the official site. If this is your first time using GnuPG, you are STRONGLY urged to read the documentation at GnuPG.org. Also, consider setting an expiration date on your first key of a few years. That way any potential mistakes that you make while learning will eventually go away when the key expires.