Key Signing Event
What is a key-signing event?
A key-signing event is a get-together of GnuPG/PGP users for the purpose of meeting other GnuPG/PGP users and signing each other's keys. This extends the Web of Trust that GnuPG/PGP relies upon. At the OSHCA2007 conference there will be an official key-signing event for all who send their info in advance. If you show up at OSHCA2007 with your key information and ID but did not send in the information beforehand, we will have a separate, one-on-one key verification session. Anyone and everyone is invited.
We sign keys because GnuPG/PGP is based upon a Web of Trust. A signature on a key is a statement by the signer that the key belongs to the person named in it. The web of trust lets you rely on signatures from people you already trust to decide that a key really belongs to its claimed owner, so that no one can pass a key off as yours and a message signed with Dr. Jones's key really did come from Dr. Jones. The deeper and more tightly inter-linked the web of trust is, the more difficult it is to defeat.
What do I need to bring?
You (physical attendance is absolutely required)
One or more forms of PHOTO identification (two are recommended): passport, driver's license, school ID, library card, etc.
Your key ID, Type, fingerprint and size
A pen or pencil
NO COMPUTERS at the event please.
What do I do BEFORE the party?
Email a copy of your public key to tw_cook@comcast.net. If you do not have a GPG key, or do not yet have GnuPG installed, see the section at the end of this page. The commands you should use look something like this:
gpg --fingerprint tw_cook@comcast.net
pub 1024D/561FB082 2007-03-14
Key fingerprint = DD80 32EA F013 226C 32E5 80FA 4EC7 6BDB 561F B082
uid Timothy W. Cook (Health Informatics Consultant, Jacksonville, FL USA) <tw_cook@comcast.net>
sub 2048g/8A0F882D 2007-03-14
Make a note of your key ID: it is the part following "pub 1024D/". The 1024D is the key size (1024 bits) and type (D = DSA); the part after the slash is the key ID, and the fingerprint line should be obvious.
$ gpg --fingerprint [KEYID] > pubkey.txt
$ gpg --armor --export [KEYID] >> pubkey.txt
The command that I used is below. My Key ID is 561FB082. You may also use the email address you entered during key creation to find out your key ID. By the way, the key ID is not case sensitive.
$ gpg --fingerprint 561FB082 > pubkey.txt
$ gpg --armor --export 561FB082 >> pubkey.txt
Copy/paste the contents of that file into the body of an email. Please do not send it as an attachment.
You should upload a copy of your public key to the keyserver at: http://subkeys.pgp.net/
Print out a copy of the --fingerprint output. You must bring this to the OSHCA key signing event.
What do I do DURING the party?
A worksheet for everyone at the party will be prepared. It will list the fingerprints of every key I received in time for the party.
Phase one: Consists of key identification. In the order on the sheet each of us will stand and read our own fingerprint from the copy we brought. Reading the fingerprint consists of reading your key size, type, ID and fingerprint. There will be checkboxes down the side of the worksheet you were given, two next to each fingerprint. The first box is checked off as each person reads their key and it matches the worksheet.
Phase two: we will form a big conga line. The first person will turn around and walk down the line examining identification and checking the second box on the paper if it matches to their satisfaction. The amount of evidence required to "positively ID" an individual is a personal choice. Whatever it takes to convince you that the person you see really is the person identified by that key is sufficient. A passport and driver's license is often touted as a good combination, but you have to make up your own mind. Remember that when you sign a key, you are telling the world that you have verified that the key belongs to that person, the one named in its user ID. You are not saying that you trust that person for any other reason, and in particular not that you trust them to vouch for other people's keys.
What do I do AFTER the party?
After the party you will receive a rather large email containing the keyring from the party. This is the really time consuming part that will test your mettle. You must sign every key on the sheet. Using a GUI front end of your choice will make this much easier than the command line approach.
For each key you will compare its fingerprint against the printout you checked off at the party. It is very important that you compare the two, digit for digit. If it all checks out, answer "Yes" and you will be prompted for your passphrase. When using a GUI you will likely only have to enter your passphrase once per session. Once you enter it, you are certifying to the world that the key really belongs to the person you met at the party. Note: this is the secret passphrase for YOUR key.
Once you have done that for each of the keys on the ring, mail a copy back to tw_cook@comcast.net. He will compile all the signatures and send the final ring with all signatures to all participants. When you receive the final set of keys, all you need to do is import them. At your option you may (and should) upload your own key, which now carries the new signatures, to the keyserver. Please note that it is considered poor form to upload someone else's key to a keyserver without their permission.
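As an added example (not part of the original page and not the organiser's own tooling), the following Python helper covers two of the checks described above: building the phase-one worksheet from the pasted "gpg --fingerprint" blocks, and the after-party comparison of the fingerprint on your ticked printout against the key in the party keyring. The sample submissions are constructed: the first is the organiser's key exactly as printed on this page, the second is a made-up entry whose key ID does not match its fingerprint. It assumes OpenPGP v4 keys, for which the key ID is simply the low-order hex digits of the fingerprint (last 8 for the short ID, last 16 for the long ID).

```python
import re
from typing import NamedTuple

# Constructed sample input: two pasted "gpg --fingerprint" blocks as they would
# arrive in the organiser's mailbox. The first is the key shown on this page; the
# second is invented, and its key ID deliberately does not match its fingerprint.
SUBMISSIONS = """\
pub 1024D/561FB082 2007-03-14
Key fingerprint = DD80 32EA F013 226C 32E5 80FA 4EC7 6BDB 561F B082
uid Timothy W. Cook (Health Informatics Consultant, Jacksonville, FL USA) <tw_cook@comcast.net>
sub 2048g/8A0F882D 2007-03-14

pub 1024D/DEADBEEF 2007-03-20
Key fingerprint = 0123 4567 89AB CDEF 0123 4567 89AB CDEF 1234 5678
uid Example Participant <participant@example.org>
sub 2048g/0BADF00D 2007-03-20
"""


class KeyEntry(NamedTuple):
    size: int         # key size in bits, e.g. 1024
    algo: str         # algorithm letter as gpg prints it: D = DSA, R = RSA, g = ElGamal
    key_id: str       # short (8 hex) or long (16 hex) key ID, upper-cased
    fingerprint: str  # 40 hex digits, grouping spaces stripped, upper-cased
    uid: str          # first user ID line


PUB_RE = re.compile(r"^pub\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8,16})\b")
FPR_RE = re.compile(r"^Key fingerprint\s*=\s*([0-9A-Fa-f ]+?)\s*$")
UID_RE = re.compile(r"^uid\s+(.+?)\s*$")


def normalize_fingerprint(text: str) -> str:
    """Strip the grouping spaces gpg prints and upper-case the hex digits.

    Raises ValueError unless the result is a 40-digit (OpenPGP v4) fingerprint, so a
    truncated or mistyped value can never silently compare equal to anything.
    """
    fpr = "".join(text.split()).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError(f"not a 40-hex-digit v4 fingerprint: {text!r}")
    return fpr


def parse_submissions(text: str) -> list[KeyEntry]:
    """Parse one or more pasted 'gpg --fingerprint' blocks into KeyEntry records."""
    entries: list[KeyEntry] = []
    pub = fpr = uid = None
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            # A new 'pub' line starts a new key: flush the previous record if complete.
            if pub and fpr and uid:
                entries.append(KeyEntry(pub[0], pub[1], pub[2], fpr, uid))
            pub = (int(m.group(1)), m.group(2), m.group(3).upper())
            fpr = uid = None
            continue
        m = FPR_RE.match(line)
        if m:
            fpr = normalize_fingerprint(m.group(1))
            continue
        m = UID_RE.match(line)
        if m and uid is None:   # keep only the first uid; 'sub' lines are ignored
            uid = m.group(1)
    if pub and fpr and uid:
        entries.append(KeyEntry(pub[0], pub[1], pub[2], fpr, uid))
    return entries


def key_id_matches(entry: KeyEntry) -> bool:
    """v4 key IDs are the low-order hex digits of the fingerprint (last 8 for a short
    ID, last 16 for a long ID). A mismatch means the submitter mixed up two keys or
    typed one of the values by hand."""
    return entry.fingerprint.endswith(entry.key_id)


def fingerprints_match(printed: str, from_keyring: str) -> bool:
    """The after-party check: the fingerprint on the sheet you ticked at the event
    must equal, digit for digit, the fingerprint of the key you are about to sign.
    Both values are normalized first so spacing and case do not matter, and a
    malformed value raises instead of quietly failing to match."""
    return normalize_fingerprint(printed) == normalize_fingerprint(from_keyring)


def build_worksheet(entries: list[KeyEntry]) -> tuple[list[str], list[str]]:
    """Produce the worksheet: two tick boxes per key (phase one: read aloud and
    matched; phase two: ID checked), then size/type, key ID, grouped fingerprint and
    user ID. Entries whose key ID does not match their fingerprint are returned
    separately so the organiser can ask the submitter to resend."""
    lines, rejected = [], []
    for e in entries:
        grouped = " ".join(e.fingerprint[i:i + 4] for i in range(0, 40, 4))
        if not key_id_matches(e):
            rejected.append(f"{e.key_id}: key ID does not match fingerprint {grouped} ({e.uid})")
            continue
        lines.append(f"[ ] [ ]  {e.size}{e.algo}/{e.key_id}  {grouped}  {e.uid}")
    return lines, rejected


if __name__ == "__main__":
    sheet, bad = build_worksheet(parse_submissions(SUBMISSIONS))
    print("\n".join(sheet))
    for problem in bad:
        print("REJECTED:", problem)
```

On the command line, the per-key equivalent of the GUI step is gpg --sign-key KEYID, which displays the key's fingerprint and asks you to confirm before signing. Compare the whole 40-digit fingerprint against your printout, not just the 8-digit key ID: the short ID is only 32 bits, so two different keys can easily share one.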
I don't have GPG installed / I don't have a GPG Key!
You should use the instructions on the GnuPG site. If this is your first time using GnuPG, you are STRONGLY urged to read the documentation at GnuPG.org. Also, consider setting an expiration date on your first key of a few years. That way any potential mistakes that you make while learning will eventually go away when the key expires.