[kwlug-disc] Fw: PGP Keysigning Protocol
paul_nijjar at yahoo.ca
Fri Sep 3 10:28:00 EDT 2010
This month's KWLUG meeting is supposed to feature a key-signing party.
Bob forwarded the following guidelines for the party to me.
Do we agree with these guidelines?
Do we have a KeyMaster who will be in charge of the organizing?
----- Forwarded message from Bob Jonkman <bjonkman at sobac.com> -----
Hi Paul: Here is the text of the PGP keysigning protocol that does not
require computers or coercive-authority identification. This is what we
used at the initial meetings of the Toronto Cypherpunks, although later
meetings devolved into exhibitions of identification cards of the
afore-mentioned coercive authorities...
The PGP FAQ is at <URL:http://www.pgp.net/pgpnet/pgp-faq/>
6.7 What's a key signing party?
A key signing party is a get-together with various other users of PGP
for the purpose of meeting and signing keys. This helps to extend the
"web of trust" to a great degree.
6.8 How do I organize a key signing party?
Though the idea is simple, actually doing it is a bit complex,
you don't want to compromise other people's private keys or spread
viruses (which is a risk whenever floppies are swapped willy-nilly).
Usually, these parties involve meeting everyone at the party,
verifying their identity and getting key fingerprints from them, and
signing their key at home.
Derek Atkins <warlord at mit.edu> has recommended this method:
There are many ways to hold a key-signing session. Many viable
suggestions have been given. And, just to add more signal to this
newsgroup, I will suggest another one which seems to work very well
and also solves the N-squared problem of distributing and signing
keys. Here is the process:
1. You announce the keysigning session, and ask everyone who plans
come to send you (or some single person who _will_ be there)
public key. The RSVP also allows for a count of the number of
people for step 3.
2. You compile the public keys into a single keyring, run "pgp -kvc"
on that keyring, and save the output to a file.
3. Print out N copies of the "pgp -kvc" file onto hardcopy, and
this and the keyring on media to the meeting.
4. At the meeting, distribute the printouts, and provide a site to
retreive the keyring (an ftp site works, or you can make floppy
copies, or whatever -- it doesn't matter).
5. When you are all in the room, each person stands up, and people
vouch for this person (e.g., "Yes, this really is Derek Atkins --
I went to school with him for 6 years, and lived with him for
6. Each person securely obtains their own fingerprint, and after
being vouched for, they then read out their fingerprint out loud
so everyone can verify it on the printout they have.
7. After everyone finishes this protocol, they can go home, obtain
the keyring, run "pgp -kvc" on it themselves, and re-verify the
bits, and sign the keys at their own leisure.
8. To save load on the keyservers, you can optionally send all
signatures to the original person, who can coalate them again
a single keyring and propagate that single keyring to the
keyservers and to each individual.
Last updated: 05 Nov 1997.
Copyright (C) 1996 by Arnoud Engelfriet. Comments, additions and
Bob Jonkman <bjonkman at sobac.com> http://sobac.com/sobac/
SOBAC Microcomputer Services Voice: +1-519-669-0388
6 James Street, Elmira ON Canada N3B 1L5 Cel: +1-519-635-9413
Software --- Office & Business Automation --- Consulting
----- End forwarded message -----
More information about the kwlug-disc