Keysigning Party Guide
Compiled from the PGP-Users Mailing List with many thanks to Bill Kemper, Ian Goodyer, Peter N. Wan, and Patrick Feisthammel.
- Physical attendance.
- Positive picture ID.
- Your key ID, key type, fingerprint, and key size. (Key size and fingerprint together are important since it is possible for two RSA keys of different sizes to have the same fingerprint.)
Having a computer would be a hindrance
- If people are swapping disks with their keys on them the computer owner has to worry about viruses.
- If people are carrying their secret keys with them and intend to do the signing at the actual meeting by typing their passphrase into a computer, then they are open to key-logging attacks.
- It is much better to just exchange key details and verify ID and then do the signing when you get home to your own trusted computer.
Conduct of the keysigning party
- Find a suitable meeting place and time that is convenient for most people. The location does not require a computer, but should be fairly spacious and allow open conversation.
- All attendees send their public keys to the host who will compile everyone’s key onto two keyrings, one for RSA and another for DH/DSS.
- The host prints a list with everyone’s key ID, key type, fingerprint, and key size from the compiled keyrings and distributes copies of the printout at the meeting. This is not possible using the Windows 95 version of PGP so the host will have to compile this list by hand.
- Attend the party. Bring along a paper copy of your key ID, key type, fingerprint, and key size that you obtained from your own keyring. You must also bring along a suitable photo ID. Instruct the attendees at the beginning that they are to make two marks on the listing, one for correct key information (key ID, key type, fingerprint, and key size) and one if the ID check is ok.
- At the meeting each keyowner reads his key ID, key type, fingerprint, key size, and user ID from his own printout, not from the distributed listing. This is because there could be an error, intended or not, on the listing. This is also the time to tell which ID’s to sign or not. If the key information matches your printout then place a checkmark by the key.
- After everyone has read his key ID information, have all attendees form a line.
- The first person walks down the line having every person check his ID.
- The second person follows immediately behind the first person and so on.
- If you are satisfied that the person is who they say they are, and that the key on the printout is theirs, you place another checkmark next to their key on your printout.
- Once the first person cycles back around to the front of the line he has checked all the other IDs and his ID has been checked by all others.
- After everybody has identified himself or herself the formal part of the meeting is over. You are free to leave or to stay and discuss matters of PGP and privacy (or anything else) with fellow PGP users. If everyone is punctual the formal part of the evening should take less than less than an hour.
- The host will provide a copy of each of the party’s public keyrings, preferably by email or via webpage. After confirming that the key information on the keyring matches the printout that you have checked, sign the appropriate keys. Keys can only be signed if they have two checkmarks.
- Send the signed keys to the keyservers.
- Another option could be to send the signed keys to the host who would collate them into a master signed ring for posting to a web page or delivery via email.