Keysigning Party

Where? When?

Next OPLUG meeting.

Wednesday, February 5th, 2003 at 19:00 CET
Lincoln Pub
Vogts gt. 43, Torshov
Oslo, Norway

What's a key-signing party?

A key-signing party is a get-together with PGP users for the purpose of meeting other PGP users and signing each other's keys. This helps to extend the "web of trust" to a great degree. Also, it sometimes serves as a forum to discuss strong cryptography and related issues.

What do I need for this party?

Required Items
  1. Physical attendance
  2. Positive picture ID
  3. Your Key ID, Key type, HEX fingerprint, and Key size
  4. A pen/pencil or whatever you'd like to write with.

Required Process
  1. Generate a key/Remember your pass phrase
  2. All attendees send their public keys to a public keyserver. For this party, we'll use www.keyserver.net.
    gpg --keyserver www.keyserver.net --send-key <Your_Key_ID>
  3. All attendees send their key ID, key type, fingerprint, and key size to sverrest@opera.no, who will compile everyone's key information.
    sverrest@rachel:~$ gpg --fingerprint --list-keys `whoami`
    pub  1024D/ABACC699 2001-02-23 Sverre Stoltenberg <sverrest@opera.no>
         Key fingerprint = CCFC 5D16 0354 006B AB46  DB65 D9FD 8ED8 ABAC C699
    sub  1024g/572EE7DA 2001-02-23
  4. I will print a list like this with everyone's key ID, key type, fingerprint, and key size from the compiled keyrings and distribute copies of the printout at the meeting.
    Key ID   | Key Owner                              | Key Fingerprint                                   | Key size | Key type | Key Info Matches? | Owner ID Matches?
    ABACC699 | Sverre Stoltenberg <sverrest@opera.no> | CCFC 5D16 0354 006B AB46 DB65 D9FD 8ED8 ABAC C699 | 1024     | DSA      |                   |
  5. Attend the party. Bring along a paper copy of your key ID, key type, key size and fingerprint that you obtained from your own keyring. You must also bring along a suitable photo ID. At the beginning, attendees will be instructed to make two marks on the listing: one if the key information (key ID, key type, fingerprint, and key size) is correct, and one if the ID check is OK.
  6. At the meeting each key owner reads his key ID, key type, fingerprint, key size, and user ID from his own printout, not from the distributed listing. This is because there could be an error, intended or not, on the listing. This is also the time to say which user IDs should be signed and which should not. If the key information matches your printout, place a check-mark by the key.
  7. After confirming that the key information on the key server matches the printout that you have checked, sign the appropriate keys. Keys can only be signed if they have two check-marks.

    Step 1: Get a copy of the key

    sverrest@rachel:~$ gpg --keyserver www.keyserver.net --recv-keys <Key_ID>

    If you get a read error, it means the keyserver is overloaded. Please try again in a few seconds.

    Step 2: Fingerprint and Verify the key

    sverrest@rachel:~$ gpg --fingerprint <Key_ID>

    GPG will print out the fingerprint of the key with <Key_ID> (the key you just downloaded). Check the fingerprint against the checklist that you were given at the party. Note: Don't check the fingerprint on your checklist against the fingerprint on the web page, as the server may not send you the same key it displays on the web page.

    Step 3: Sign the key

    sverrest@rachel:~$ gpg --sign-key <Key_ID>

    If you have multiple private keys, you can specify which of your private keys to sign the other person's public key with, like this:

    sverrest@rachel:~$ gpg --default-key <Key_to_use> --sign-key <Key_ID>
  8. Send the signed keys back to the keyservers.
    sverrest@rachel:~$ gpg --keyserver www.keyserver.net --send-key <Key_ID>

    You should see a success message like this:

    gpg: success sending to `www.keyserver.net' (status=200)
  9. Use those keys as often as possible.
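
The Step 2 comparison from item 7, as an added shell example that is not part of the original page: it reads gpg's machine-readable `--with-colons` listing and checks key ID, key size and fingerprint against the values typed in from the paper checklist. The function names and the sample record are constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of GnuPG or this page.

# Normalise a fingerprint or key ID: drop whitespace, upper-case hex digits.
norm() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# Read `gpg --with-colons --fingerprint` output on stdin and print
# "KEYID SIZE FINGERPRINT" for the first primary key found.
key_info() {
    awk -F: '
        $1 == "pub" && !seen { seen = 1; size = $3; id = substr($5, length($5) - 7) }
        seen && $1 == "fpr"  { print id, size, $10; exit }
    '
}

# check_key LIST_ID LIST_SIZE LIST_FPR   (colon-format listing on stdin)
# Succeeds only if key ID, key size and the full fingerprint all match the
# values copied from the paper checklist; returns 2 if no key was parsed.
check_key() {
    set -- "$(norm "$1")" "$2" "$(norm "$3")" $(key_info)
    [ $# -eq 6 ] || { echo "no key found in input" >&2; return 2; }
    [ "$1" = "$4" ] && [ "$2" = "$5" ] && [ "$3" = "$6" ]
}

# Constructed sample record in gpg's colon format, built from the key
# shown on this page (field 3 = size, field 5 = long key ID, fpr field 10).
SAMPLE='pub:u:1024:17:D9FD8ED8ABACC699:2001-02-23:::-:Sverre Stoltenberg <sverrest@opera.no>:
fpr:::::::::CCFC5D160354006BAB46DB65D9FD8ED8ABACC699:'

# Real use: gpg --with-colons --fingerprint <Key_ID> | check_key <id> <size> '<fpr>'
if printf '%s\n' "$SAMPLE" |
   check_key ABACC699 1024 'CCFC 5D16 0354 006B AB46  DB65 D9FD 8ED8 ABAC C699'
then
    echo "ABACC699: key information matches the checklist"
else
    echo "ABACC699: MISMATCH, do not sign" >&2
fi
```

This covers only the "key information" check-mark; the owner ID check-mark still comes from the photo ID check at the party.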

What can go wrong?

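The GnuPG developers have deprecated some configuration options, so if you get a warning about --honor-http-proxy, just add this line to the options file in ~/.gnupg (the grep below shows the result):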

sverrest@rachel:~/.gnupg$ grep keyserver-options options
keyserver-options honor-http-proxy

If gpg complains about insecure memory, look at http://www.gnupg.org/documentation/faqs.html#q6.1