ESCC / Internet2 Joint Techs Workshop - PGP Key Signing
Lincoln, Nebraska
Tuesday Jul 22, 2008
PGP Key Signing
A PGP key signing party will be held at the Joint Techs Workshop on Tuesday July 22, ~7:15 PM during the evening reception.
A Biglumber page for the event has been set up to manage collecting public keys, etc.
The event is being coordinated by Doug Pearson. Questions or comments can be directed to him.
Before 4:30 PM on the day of the event:
You must complete the following three steps before 4:30 PM on the day of the event, otherwise your key fingerprint won't be included in the printed list required for the signing party.
- If you don't already have PGP and wish to participate, acquire and set up PGP:
- GnuPG (free PGP software for Windows, Mac, UNIX, etc.)
- PGP Corporation (commercial PGP software for Windows, Mac, UNIX, etc.)
- Extract your PGP Public Key. Refer to your PGP software's documentation for details; you are looking for a public (not private!) key extracted in "ASCII-armoured" format.
- Add your Public Key to the event keyring. Do this by pasting the ASCII representation of the public key into the keyring form (the data entry box is at the bottom of the page - below the list of other keys that have already been uploaded).
Attending the Key-Signing Party
- You should bring:
- Sufficient photo-id to convince others that you are who you claim to be (e.g. driver's licence, passport).
- A printed copy of your PGP public key fingerprint, from a known-trusted copy of your key, or other trusted means to be able to recite your public key fingerprint.
- A pen.
- Pick up a copy of the keyring printout from the pile. Locate your own key on the printout.
- In turn, each person attending the party introduces themselves by name and indicates which key (or keys) on the keyring printout is theirs. They then read out their key fingerprint from their own trusted copy, and everybody verifies that it agrees with the fingerprint listed on the keyring printout. Make a notation on your copy of the printout for each "fingerprint verified" in this step.
- Once everybody has had a chance to read out their key fingerprints, people then proceed to introduce themselves to people they don't already know, and allow their identities to be verified (e.g. against photo id). Make a final notation on your keyring printout for each "identity verified".
The Day After
At some point after the key signing party, using your keyring printout as a guide, you should sign the keys whose authenticity you were able to check. This strengthens the web of trust, and makes PGP more useful.
- Retrieve the JointTechsWinter2008 Keyring and import it into your own keyring.
- Check the fingerprints of the downloaded keys of those individuals whom you were able to mark both "fingerprint verified" AND "identity verified" (on your keyring printout).
- If the fingerprints match, sign the key. If the fingerprints don't match, or if a key downloaded from the keyring isn't marked both fingerprint verified and identity verified on your printout - delete that key!
- E-mail a copy of the signed key back to the key's owner (and optionally, send the key with its new signature to a key server).
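The four "day after" steps above, as an added example script that is not part of the event page: it assumes GnuPG 2.2 or later, that the downloaded keyring is saved as keyring.asc, and that you have transcribed the keys you marked both "fingerprint verified" and "identity verified" into a file named verified.txt (all three names are assumptions for this example).

```shell
#!/bin/sh
# Added example, not part of the event page: automates "The Day After" with
# GnuPG 2.2+ (assumed installed). Imports keyring.asc (assumed file name),
# signs only keys you marked both "fingerprint verified" and "identity
# verified", deletes the rest, and exports each signed key to e-mail back.
# verified.txt (assumed; your transcription of the annotated printout) has
# one line per fully verified key: "<owner e-mail> <fingerprint, spaces ok>".
set -u

# Normalise a fingerprint so the printed form ("1234 5678 ...") and gpg's
# unspaced upper-case form compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Succeeds when fingerprint $1 appears in the verified list $2.
is_verified() {
    want=$(normalize_fpr "$1")
    while read -r owner listed; do
        [ "$(normalize_fpr "$listed")" = "$want" ] && return 0
    done < "$2"
    return 1
}

# Primary-key fingerprints in a keyring file, one per line (subkeys also
# produce "fpr" records, so only the record following "pub" is kept).
primary_fprs() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null \
      | awk -F: '$1=="pub"{p=1;next} $1=="fpr"&&p{print $10;p=0}'
}

sign_verified_keys() {
    gpg --batch --import keyring.asc
    primary_fprs keyring.asc | while read -r fpr; do
        if is_verified "$fpr" verified.txt; then
            # gpg's fingerprint of the downloaded key matches one you
            # checked at the party: certify it and export it for its owner.
            gpg --batch --quick-sign-key "$fpr"
            gpg --batch --armor --export "$fpr" > "signed-$fpr.asc"
            echo "signed $fpr -> signed-$fpr.asc (e-mail this to the owner)"
        else
            # Not fully verified in person (or fingerprint differs from the
            # printout): remove it from your keyring.
            gpg --batch --yes --delete-keys "$fpr"
            echo "deleted unverified key $fpr"
        fi
    done
}

case "${1:-}" in run) sign_verified_keys ;; esac
```

Run it as `sh sign_verified.sh run` in the directory holding keyring.asc and verified.txt; gpg will ask for your passphrase once per key it certifies.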