Keysigning Party

When technical people collide in meatspace, an exciting opportunity presents: exchanging PGP fingerprints. Exchanging fingerprints bolsters the quality of PGP's web of trust and improves the safety and utility of PGP for everyone.

To this end, a casual PGP key-signing party is to be held during Kiwicon in the Upstairs Foyer on Saturday evening, at 7pm.

Update 2013-10-22: At least one CAcert assurer will also be present - eythian (Robin Sheat) has generously volunteered his services as an assurer.

 

What is PGP? Why do I want a PGP key? How do I get a PGP key?

Pretty Good Privacy (PGP) is a software suite and Internet standard for encryption and authentication. The OpenPGP standard is widely implemented in e-mail clients, and has seen wider deployment than some of its nearby neighbors. There is also a popular and nifty free software implementation. If you're using a Unixy distribution that includes Gnome, you probably have Seahorse available, a pleasant graphical frontend for managing PGP keys.

Don't put anything in an e-mail you wouldn't put on a postcard.

You have to assume your e-mail is going to be transmitted or stored in plain text eventually. Don't want someone, somewhere reading your correspondence? You probably want PGP.

Want to be sure the e-mail you recieved really came from your (boss|lover|accountant)? You probably want PGP.

The path to establishing and publishing a key is simple, and a great deal has already been written on the subject. If you're running Linux or BSD you've probably already got GnuPG installed, and there is no shortage of decent instruction on using it to generate a keypair. If you're running OS X or Windows, now you have two problems you might prefer GPGTools or Gpg4win, respectively. You'll probably also want an e-mail client that supports PGP.

Running something more exotic? You're on your own, but do come have a chat because that sounds like my kind of fun :)

In brief: Be sure to protect your private key, set a reasonable expiry date, print out a revocation certificate and stash it somewhere. Managing these three things will cut down your potential for embarassing mistakes.

Before The Party

If you don't already have one, generate a PGP key and publish it to one of the public key servers.

Print out, transcribe in blood, or otherwise render numerous copies of your key's fingerprint (along with your e-mail address, and any other sundry details you like) on smallish, portable pieces of paper. You'll need one copy for every person you want to sign your key, so over-provision.

Your fingerprint should look something like this:

AC6A 60C8 EA1E A7F4 3BD3 DB66 CDA9 7D4C 7E05 DC1E

If you're running a Debian-derived Linux distribution you might want to install the signing-party package, as this contains gpg-key2ps, a tool to generate a PostScript file with convenient paper strips containing the requisite information.

At The Party

You'll want to bring:

Find the party. You'll know you're there when you see a bunch of nerds making awkward conversation and furtively exchanging small sheets of paper.

Meet some people. Flex your social muscles. Exchange fingerprints. You might want to verify others identity by asking to see a hard-to-forge document like their driver's licence or passport. Let people know if you want your key to be published to a key server. Some people won't want their key published to a public key server, and you should (probably) respect that.

You should leave the party with a big bag full of fingerprints.

Got questions about PGP, public key infrastructure, e-mail privacy or something else? Ask around, chances are you're standing next to an expert. If you get really stuck, find me and I may be able to offer (rudimentary) help.

After The Party

Once you've returned to the safety of your lair, completed a sweep for covert listening devices and set aside an hour or so to spare, you'll want to begin the process of downloading and signing the keys of the people you met.

For all the fingerprints you obtained, run through these steps. I've assumed you're using GnuPG, but if you're using a different PGP implementation the steps will be pretty similar. Check the documentation for your implementation.

  1. Download the participant's public key

    Most keys will be available on one or more public key servers. If not, the key's owner should have told you where to find their key. Use the gpg command line tool to download the participant's public key:

    gpg --keyserver <keyserver> --recv-keys <the key's ID>

    The key server at pgp.net.nz has been a little finnicky for me lately, so you'll probably want to use another well-known public key server such as pgp.mit.edu or keys.gnupg.net. If you don't have the key's ID - it's the same as the last eight characters of the fingerprint.

  2. Verify the key's fingerprint against the one you received

    Use gpg to print the fingerprint of the key you downloaded, and compare it to the printed copy you received in person:

    gpg --fingerprint <the key's ID>

    The output from gpg will look like this (the fingerprint is highlighted in blue):

    pub   2048R/7E05DC1E 2010-03-17 [expires: 2014-03-14]
          Key fingerprint = AC6A 60C8 EA1E A7F4 3BD3  DB66 CDA9 7D4C 7E05 DC1E
    uid                  Michael Fincham <michael@finch.am>
    uid                  Michael Fincham <michael@hotplate.co.nz>
    uid                  [jpeg image of size 3660]
    uid                  [jpeg image of size 13004]
    sub   2048R/EA2138B6 2010-03-17 [expires: 2014-03-14]
                        

    If the key has attached photos (shown here in brown), you may want to view these as an additional step towards confirming the owner's identity. You can have gpg show you the attached photographs by executing gpg --list-options show-photos --list-keys <the key's ID>.

  3. Sign the key

    If the fingerprints match, use gpg to sign the public key you have downloaded:

    gpg --sign-key <the key's ID>

    You'll be asked to unlock your private key in order to complete the signing process. You may want to specify more accurately the degree of care taken in verifying the owner's identity, when asked, if you'd like to maintain a more fine grained web of trust.

  4. Return the key to its owner, upload to a key server

    Once the key has been signed, you should send a copy back to the owner by encrypted e-mail. If you installed the signing-party package earlier (and assuming the sendmail on your system can actually send mail), this is as simple as using the gpg-mailkeys script included:

    gpg-mailkeys <the key's ID>

    If not, just export the newly signed key with gpg:

    gpg -a --export <the key's ID>

    And send the output in a PGP encrypted e-mail to the key's owner using your method of choice.

    If you downloaded the key from a public key server, you should publish your freshly baked signature back to that key server. Use gpg to do this:

    gpg --keyserver <keyserver> --send-keys <the key's ID>

Congratulations, you've formed a tasty trust path. Keep going until all the fingerprints have been processed!

Further Reading

If you'd like to know more about key signing parties or GnuPG in general, CryptNET's Keysigning Party HOWTO is a very detailed resource, and the official GnuPG documentation is worth reading.

Encourage your friends and family to set up PGP and start encrypting their e-mail!