[kwlug-disc] Fw: PGP Keysigning Protocol

Paul Nijjar paul_nijjar at yahoo.ca
Fri Sep 3 10:28:00 EDT 2010

This month's KWLUG meeting is supposed to feature a key-signing party.

Bob forwarded the following guidelines for the party to me. 

Do we agree with these guidelines? 

Do we have a KeyMaster who will be in charge of the organizing?

- Paul

----- Forwarded message from Bob Jonkman <bjonkman at sobac.com> -----

Hi Paul:  Here is the text of the PGP keysigning protocol that does not
require computers or coercive-authority identification.  This is what we
used at the initial meetings of the Toronto Cypherpunks, although later
meetings devolved into exhibitions of identification cards of the
afore-mentioned coercive authorities...



The PGP FAQ is at <URL:http://www.pgp.net/pgpnet/pgp-faq/>

  6.7 What's a key signing party?

   A key signing party is a get-together with various other users of PGP
   for the purpose of meeting and signing keys. This helps to extend the
   "web of trust" to a great degree.

  6.8 How do I organize a key signing party?

   Though the idea is simple, actually doing it is a bit complex;
   you don't want to compromise other people's private keys or spread
   viruses (which is a risk whenever floppies are swapped willy-nilly).
   Usually, these parties involve meeting everyone at the party,
   verifying their identity and getting key fingerprints from them, and
   signing their key at home.

   Derek Atkins <warlord at mit.edu> has recommended this method:

   There are many ways to hold a key-signing session. Many viable
   suggestions have been given. And, just to add more signal to this
   newsgroup, I will suggest another one which seems to work very well
   and also solves the N-squared problem of distributing and signing
   keys. Here is the process:
    1. You announce the keysigning session, and ask everyone who plans
       to come to send you (or some single person who _will_ be there)
       their public key. The RSVP also allows for a count of the number of
       people for step 3.
    2. You compile the public keys into a single keyring, run "pgp -kvc"
       on that keyring, and save the output to a file.
    3. Print out N copies of the "pgp -kvc" file onto hardcopy, and
       bring this and the keyring on media to the meeting.
    4. At the meeting, distribute the printouts, and provide a site to
       retrieve the keyring (an ftp site works, or you can make floppy
       copies, or whatever -- it doesn't matter).
    5. When you are all in the room, each person stands up, and people
       vouch for this person (e.g., "Yes, this really is Derek Atkins --
       I went to school with him for 6 years, and lived with him for
    6. Each person securely obtains their own fingerprint, and after
       being vouched for, they then read their fingerprint out loud
       so everyone can verify it on the printout they have.
    7. After everyone finishes this protocol, they can go home, obtain
       the keyring, run "pgp -kvc" on it themselves, and re-verify the
       bits, and sign the keys at their own leisure.
    8. To save load on the keyservers, you can optionally send all
       signatures to the original person, who can collate them again
       into a single keyring and propagate that single keyring to the
       keyservers and to each individual.


   Last updated: 05 Nov 1997.
   Copyright (C) 1996 by Arnoud Engelfriet. Comments, additions and


Bob Jonkman <bjonkman at sobac.com>         http://sobac.com/sobac/
SOBAC Microcomputer Services              Voice: +1-519-669-0388
6 James Street, Elmira ON  Canada  N3B 1L5  Cel: +1-519-635-9413
Software   ---   Office & Business Automation   ---   Consulting

----- End forwarded message -----
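The keymaster's side of Derek Atkins' steps 2, 3, 6 and 7 above, as a worked example added here (it is not from the PGP FAQ, the KWLUG thread, or any PGP/GnuPG code). It assumes the colon-delimited listing that `gpg --with-colons --fingerprint` prints in place of the 1997-era `pgp -kvc` output (field 5 of a `pub` record is the key ID, field 10 of `fpr` and `uid` records is the fingerprint and user ID respectively). The sample listing, key IDs and fingerprints are constructed, not real keys. The step 6 check deliberately accepts only a full 40-digit fingerprint: a bare key ID read aloud is not enough to vouch for a key.

```python
import re
from dataclasses import dataclass

HEX40 = re.compile(r"^[0-9A-F]{40}$")

# Constructed sample of `gpg --with-colons --fingerprint` output.
# Key IDs and fingerprints are made up for this example and belong to no real key.
SAMPLE_LISTING = """\
tru::1:1283523000:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAAA:1283500000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1283500000::DEADBEEF00000000000000000000000000000000::Alice Example <alice@example.org>:
pub:u:4096:1:BBBBBBBBBBBBBBBB:1283500100:::u:::scESC::::::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:u::::1283500100::CAFEBABE00000000000000000000000000000000::Bob Example <bob@example.org>:
"""


@dataclass
class KeyEntry:
    keyid: str        # long key ID from the pub record (field 5)
    fingerprint: str  # 40 hex digits from the first fpr record (field 10)
    uid: str          # first user ID from a uid record (field 10)


def parse_listing(text):
    """Parse colon-delimited gpg output into one KeyEntry per primary key."""
    keys = []
    current = None
    for line in text.splitlines():
        fields = line.split(":")
        rectype = fields[0]
        if rectype == "pub":
            current = KeyEntry(keyid=fields[4], fingerprint="", uid="")
            keys.append(current)
        elif rectype == "fpr" and current is not None and not current.fingerprint:
            # The first fpr after a pub record is the primary key's fingerprint;
            # later fpr records (subkeys) are ignored for the party sheet.
            current.fingerprint = fields[9].upper()
        elif rectype == "uid" and current is not None and not current.uid:
            current.uid = fields[9]
    return keys


def format_fingerprint(fpr):
    """Render a fingerprint the way PGP prints it: groups of four, split in the middle."""
    groups = [fpr[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def render_sheet(keys):
    """Steps 2 and 3: the hardcopy everyone gets, one line per key with a tick box."""
    return "\n".join(
        f"[ ] {k.keyid}  {format_fingerprint(k.fingerprint)}  {k.uid}" for k in keys
    )


def normalize(spoken):
    """Canonical form of a fingerprint as read aloud or typed (spaces, lower case)."""
    return re.sub(r"[^0-9A-Fa-f]", "", spoken).upper()


def matches_sheet(spoken, sheet_fingerprint):
    """Step 6: only a full 40-digit match counts; a key ID is not a fingerprint."""
    candidate = normalize(spoken)
    if not HEX40.match(candidate):
        return False
    return candidate == normalize(sheet_fingerprint)


def reverify_at_home(ticked_fingerprints, local_listing):
    """Step 7: recompute fingerprints from the downloaded keyring and sign only
    keys whose fingerprint was ticked off in person. Returns (to_sign, skipped) as user IDs."""
    ticked = {normalize(f) for f in ticked_fingerprints}
    to_sign, skipped = [], []
    for k in parse_listing(local_listing):
        (to_sign if k.fingerprint in ticked else skipped).append(k.uid)
    return to_sign, skipped


if __name__ == "__main__":
    print(render_sheet(parse_listing(SAMPLE_LISTING)))
```

Run stand-alone it prints the party sheet; at home, pass the fingerprints you ticked off and the listing freshly generated from the downloaded keyring to `reverify_at_home` and sign only what comes back in `to_sign`.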

