How to hold a keysigning meeting: Step by step instructions
(Taken from alt.security.pgp)
(For smaller groups you might prefer the slip method described at the end
of this page)
Before the meeting
- Each participant extracts her/his own public key in ASCII-armored form
(pgp -kxa) and e-mails it to the person who is the designated Key
Repository (KR) for the meeting.
- KR forwards each key he/she receives to all the other participants,
so that everyone will have all pertinent keys.
- Once all the public keys for the meeting have been gathered, KR adds each
received public key (including her/his own) to a special keyring
(specring.pgp) using
pgp -ka <keyfilename> specring.pgp
During the meeting
- The participants gather, and KR distributes photocopies of the
printout of
pgp -kvc specring.pgp
so that everyone has a list of the relevant key IDs, key sizes and
fingerprints.
- Each participant in turn reads aloud his/her own public key's
fingerprint, based not on the printout but on her/his private
pgp -kvc
of his/her own public key: what is read aloud then comes from the key the
participant actually holds, not from a list that somebody else prepared and
copied. Everyone else compares the fingerprint that was read aloud with the
fingerprint that is supposed to correspond to it on the printout. Compare
the key size and key ID on the printout as well: the fingerprint of a
PGP 2.x key is an MD5 hash of the key material without its lengths, so two
keys of different sizes can share a fingerprint.
- Each participant in turn provides positive photo ID. Everyone else
who accepts that ID marks that person's verified fingerprint on the
printout, to indicate that the public key in question is signable.
After the meeting
- Participants wishing to verify not only the identities of other
participants but also the validity of the e-mail addresses appearing
in the user-ID field of the public key to be signed may take the
additional step of exchanging, via the e-mail addresses on the public
keys, secret passwords that were exchanged in person at the keysigning
meeting.
- Privately, and using the copy of each key whose fingerprint was verified
at the meeting, each participant signs those keys for which acceptable ID
was provided, extracts each newly signed key (pgp -kxa) and e-mails the
extracted, newly signed key to its owner.
- Each participant who receives a newly signed copy of her/his own
public key should add that key to his/her own public keyring with
pgp -ka. When all expected signatures have been added, the participant
should (re)submit her/his public key to a keyserver, so that the new
signatures can be widely distributed.
- KR should delete specring.pgp, which is no longer necessary.
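The fingerprint comparison from the "During the meeting" step, as an added example that is not code from the original page or from PGP: a small Python script that parses a printout in the pgp -kvc layout shown on the slip at the end of this page (a "pub" line with bits/keyID, date and user ID, then an indented "Key fingerprint =" line) and checks a fingerprint read aloud against it, together with the key size. The sample printout is constructed; its first entry is the one printed on this page, the second key and its fingerprint are invented. PGP itself is not needed to run it.

```python
"""Check fingerprints read aloud at the meeting against the printout
of pgp -kvc specring.pgp.

Added example, not code from the original page or from PGP. It assumes the
PGP 2.x listing layout shown on this page: a "pub" line (bits/keyID, date,
user ID) followed by an indented "Key fingerprint =" line, with further
user IDs on indented lines of their own.
"""
import re
from dataclasses import dataclass, field

# Constructed printout in the pgp -kvc layout. The first entry is the one
# shown on this page; the second key and its fingerprint are invented.
SAMPLE_PRINTOUT = """\
Type bits/keyID    Date       User ID
pub  1024/3CE27349 1994/05/27 David C. Byron
          Key fingerprint = A4 57 4D 7F F9 87 EC E4 D9 15 C3 D8 6A 9F 60 0B
pub  1024/0A1B2C3D 1994/06/01 Example Person <person@example.org>
          Key fingerprint = 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
          Example Person <alt@example.net>
"""

PUB_RE = re.compile(r"^pub\s+(\d+)/([0-9A-Fa-f]{8})\s+(\d{4}/\d{2}/\d{2})\s+(.*\S)\s*$")
FPR_RE = re.compile(r"^\s+Key fingerprint\s*=\s*([0-9A-Fa-f ]+?)\s*$")


@dataclass
class KeyEntry:
    bits: int
    keyid: str
    date: str
    userids: list = field(default_factory=list)
    fingerprint: str = ""   # 32 hex digits, upper case, no spaces


def normalize_fingerprint(text):
    """Canonical form of a fingerprint, whether read aloud ("a4 57 ...") or
    printed: the 32 hex digits of the 16-byte PGP 2.x (MD5) fingerprint,
    upper case, without spaces. Anything else is rejected."""
    digits = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{32}", digits):
        raise ValueError("not a 16-byte fingerprint: %r" % text)
    return digits


def parse_kvc_listing(text):
    """Turn the printout into KeyEntry records, indexed by key ID."""
    entries = {}
    current = None
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            current = KeyEntry(int(m.group(1)), m.group(2).upper(),
                               m.group(3), [m.group(4)])
            entries[current.keyid] = current
            continue
        m = FPR_RE.match(line)
        if m and current is not None:
            current.fingerprint = normalize_fingerprint(m.group(1))
            continue
        if current is not None and line[:1].isspace() and line.strip():
            current.userids.append(line.strip())   # additional user ID
    return entries


def check_read_aloud(entries, keyid, spoken_fingerprint, spoken_bits):
    """Compare what a participant reads from her/his own pgp -kvc with the
    printout. Returns (ok, reason). The key size is compared as well as
    the fingerprint: a PGP 2.x (V3) fingerprint is MD5 over the key
    material without its lengths, so keys of different sizes can share
    a fingerprint."""
    entry = entries.get(keyid.upper())
    if entry is None:
        return False, "key ID %s is not on the printout" % keyid
    try:
        spoken = normalize_fingerprint(spoken_fingerprint)
    except ValueError as err:
        return False, str(err)
    if spoken != entry.fingerprint:
        return False, "fingerprint mismatch for key ID %s" % keyid
    if spoken_bits != entry.bits:
        return False, "key size mismatch for key ID %s (printout says %d)" % (keyid, entry.bits)
    return True, "fingerprint and key size match for key ID %s" % keyid


if __name__ == "__main__":
    keys = parse_kvc_listing(SAMPLE_PRINTOUT)
    # What the first participant reads from her/his own keyring (in lower
    # case, as people tend to read it) against the printout:
    print(check_read_aloud(keys, "3CE27349",
                           "a4 57 4d 7f f9 87 ec e4 d9 15 c3 d8 6a 9f 60 0b", 1024))
    # A single wrong byte, as when someone misreads or the printout was altered:
    print(check_read_aloud(keys, "3CE27349",
                           "a4 57 4d 7f f9 87 ec e4 d9 15 c3 d8 6a 9f 60 0c", 1024))
```

The parser keeps every user ID of a key so that the e-mail addresses to be verified after the meeting are at hand; the check rejects a fingerprint of the wrong length rather than comparing a prefix, and fails when the key size differs even if the fingerprint matches.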
Also, for smaller groups, webules, or privemes, you may want simply to
exchange the slips of information suggested by Martien Remijn, containing
your key's data.
Cut the following passage, insert the fingerprint of your own public key,
and print it. Sign the printouts by hand, and give them to your friends. - Peter.
I no longer have Martien's version of this, but here's my mock-up:
Please sign my PGP public key
This piece of paper will allow you to assess the validity of my PGP
public key. Verify who I am by asking me for my identification.
Now, this paper will link me to the public key which can be obtained
from the various pgp public key servers. Once you have the public key in
your possession, you can verify whether the result of the fingerprint
command (pgp -kvc) is the same as the fingerprint printed below. If it is,
then you can be sure you have my key.
Type bits/keyID    Date       User ID
pub  1024/3CE27349 1994/05/27 David C. Byron
          Key fingerprint = A4 57 4D 7F F9 87 EC E4 D9 15 C3 D8 6A 9F 60 0B
If you are sure that I am the person whose key is on the public key
servers, you might consider signing that key. Don't worry about any
disagreeable things I might do. Signing a key only means that you are sure
that a specific person with a specific name [me] claims to be the owner of a
specific Email address and a specific public/secret key pair. Signing doesn't
mean that you think I'm a nice person! After you sign my key, please encrypt
it with my public key and send it to my Email address.
Would you like me to sign your PGP public key?
If you identify yourself and give me your key ID and key fingerprint, I
will probably sign your key and send it to you.
If you don't have a PGP public key...
...but are interested in using one, I could help you begin using PGP by signing
one key (1024 bits) that you generate in the upcoming 2 weeks. If you wish to
do this, I advise you to read the two PGP-documents and the PGP-faq first.
You may Email me for information about where to find PGP, the PGP-documents,
the PGP-faq, or tools to use PGP with your favorite operating system.
If you identify yourself now, you can include the unique random string at the
bottom of this paper when you send me your newly created key later. I will
write down this random string with your name, Email address, and the date I
gave you this paper. If I receive your 1024-bit, self-signed public key with
the correct random string, name, and Email address encrypted with my public key
within 14 days, I will probably sign your new key and mail it back to you. If
any of the pertinent information fails to match, then I will not sign the key!
Keep the random string secret until you have received your signed key from me.
It's in your own interest.
------------------------------------------------------------------------------
RANDOM STRING:
------------------------------------------------------------------------------
Your Name:                                   ID verified?: ________
Random String:                               Date:
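The random-string bookkeeping the slip describes, as an added example that is not part of the original page and not PGP tooling: a Python ledger that issues the random string, records name, e-mail address and date, and decides whether a key that comes back may be signed, covering the cases the slip spells out (wrong name or address, arrival after 14 days) and one it implies (the same string presented twice). It assumes dates are written on the slip as YYYY/MM/DD, the format of PGP's own key listings; the names and dates used are constructed.

```python
"""Ledger for the random-string slips.

Added example, not from the original page or from PGP. It assumes the
signer keeps one record per slip handed out (random string, recipient's
name and e-mail address, and the date written on the slip) and that dates
are written as YYYY/MM/DD, the format of PGP's own key listings. The
14-day window is the one stated on the slip; names and dates in the
demonstration are constructed.
"""
import secrets
from datetime import datetime, timedelta

VALID_FOR = timedelta(days=14)   # "within 14 days", as the slip says


def _parse_date(text):
    """Dates on the slip are assumed to be written as YYYY/MM/DD."""
    return datetime.strptime(text.strip(), "%Y/%m/%d").date()


class SlipLedger:
    """One record per slip, looked up by its random string."""

    def __init__(self):
        self._slips = {}

    def issue(self, name, email, issued_on):
        """Make the random string for a new slip and note who received it
        and when. 128 bits from the OS RNG: the string, not the e-mail
        address, is what later ties the received key to the person met."""
        token = secrets.token_hex(16).upper()
        self._slips[token] = {"name": name.strip(), "email": email.strip().lower(),
                              "issued_on": _parse_date(issued_on), "used": False}
        return token

    def check(self, token, name, email, received_on):
        """Decide whether a key that arrived with this random string may be
        signed. Returns (ok, reason). The string must be known and unused,
        the key must arrive within VALID_FOR of the slip's date, and name
        and e-mail address must be the ones written down when it was issued."""
        record = self._slips.get(token.strip().upper())
        if record is None:
            return False, "unknown random string"
        if record["used"]:
            return False, "random string has already been used"
        age = _parse_date(received_on) - record["issued_on"]
        if age < timedelta(0):
            return False, "key dated before the slip was issued"
        if age > VALID_FOR:
            return False, "key received after the 14-day window"
        if record["name"] != name.strip() or record["email"] != email.strip().lower():
            return False, "name or e-mail address does not match the slip"
        record["used"] = True    # one signature per slip
        return True, "key may be signed"


if __name__ == "__main__":
    ledger = SlipLedger()
    token = ledger.issue("Alice Example", "alice@example.org", "1994/06/01")
    print("RANDOM STRING:", token)
    print(ledger.check(token, "Alice Example", "alice@example.org", "1994/06/15"))
    print(ledger.check(token, "Alice Example", "alice@example.org", "1994/06/15"))
```

The string is marked used on the first successful check, so a second key sent with the same slip is refused even inside the 14 days; the other checks refuse without consuming the string, so a mistyped address can be corrected and resent.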