public key signing ceremony

Keywords: key, public-private, OpenPGP, signing

Abstract: A lot of us have key pair(s) to use when encrypting e-mail to others. This makes the conversation private, i.e. out of reach of a man in the middle. The THF camp is a perfect opportunity for a group to have a real and live exchange of keys. Being face to face is perhaps one of the strongest ways to validate a key. And having it at an event, i.e. where a group of people can perform the exchange together, speeds up the building of a particular web of trust.
Methodology:

1. Those wishing to participate are asked to e-mail their public key to a particular e-mail address by a particular time, e.g. 23:59 on Wednesday 6 August.
2. The signing get-together will take place the next day, e.g. 14:00 on Thursday 7 August.
3. The lead organiser (i.e. me, for this party) has put all the public keys into a file and will offer it for download from a file-serving device.
4. Once downloaded, turn off all network connections.
5. Compute the SHA-256 sum: gpg --print-md sha256 thfc-keysigning.txt. Make sure it starts with ‘XYZ’.
6. Wait for everybody to be ready. We confirm the document's SHA-256 sum together.
7. Search for your own fingerprint and your own user id and verify that they are indeed what they should be.
8. We then confirm the user id and fingerprint information, starting at the top of the file. Each participant physically present will in turn stand up and state:
   - their name;
   - that they have verified their fingerprint;
   - that they have verified their user id.
   Then other people in the room who know this person confirm that the person is who s/he says s/he is.
9. If you trust what you hear, put an ‘x’ in the corresponding checkboxes in your file.
10. At the end, sign the resulting document with your own key for later verification: gpg --clearsign thfc-keysigning.txt.
11. When at home again, take your time to sign the keys after verifying that this document has not been tampered with, ideally using caff.
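The offline checks a participant performs on the downloaded key list (compute the digest, compare it with the announced prefix, find your own fingerprint and user id) can be scripted so that nothing is eyeballed by mistake. The following is an added example written for this page, not a script from the organiser: it assumes the list is in the layout that gpg --fingerprint prints, uses gpg --print-md sha256 where gpg is installed and coreutils sha256sum otherwise, and the sample fingerprint, user id and file name are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the THF camp page: the offline checks a
# participant runs on the downloaded key list, scripted.
set -eu

# SHA-256 of the key list. Uses "gpg --print-md sha256" when gpg is installed
# and falls back to coreutils sha256sum otherwise. gpg prints the digest in
# spaced groups of four hex digits, wrapped across lines and possibly prefixed
# with "filename:", so normalise the output to plain lowercase hex.
keyfile_sha256() {
    if command -v gpg >/dev/null 2>&1; then
        gpg --print-md sha256 < "$1" | tr -d ' \n' | sed 's/^[^:]*://' | tr 'A-F' 'a-f'
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Does the digest begin with the prefix the organiser announced (the page's
# placeholder for it is 'XYZ')? Case-insensitive, so a read-out in either
# case compares correctly.
digest_starts_with() {
    prefix=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$(keyfile_sha256 "$1")" in
        "$prefix"*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Is my own entry in the list exactly as it should be? The fingerprint is
# compared with all spaces removed, so "ABCD 1234" and "ABCD1234" both match;
# the user id must appear verbatim.
entry_present() {
    fp=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    if tr -d ' ' < "$1" | tr 'a-f' 'A-F' | grep -q -- "$fp" && grep -qF -- "$3" "$1"; then
        return 0
    fi
    return 1
}

# Constructed sample key list in "gpg --fingerprint" layout; the fingerprint
# and user id are made up for this example and belong to nobody.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
pub   rsa4096 2014-08-01 [SC]
      Key fingerprint = 0000 1111 2222 3333 4444  5555 6666 7777 8888 9999
uid           [ ] Alice Example <alice@example.org>
EOF

# Step 5: compute the digest to compare with the announced prefix.
echo "SHA-256: $(keyfile_sha256 "$SAMPLE_FILE")"

# Step 7: confirm my own fingerprint and user id are in the list as expected.
if entry_present "$SAMPLE_FILE" "0000 1111 2222 3333 4444 5555 6666 7777 8888 9999" \
                 "Alice Example <alice@example.org>"; then
    echo "own entry found: fingerprint and user id match"
else
    echo "own entry missing or wrong: do not sign anything"
fi
```

Run it with the real thfc-keysigning.txt in place of the sample file once the network is off; a digest that does not start with the announced prefix, or an entry that differs from your own key, means the file is not the one the organiser distributed and the ceremony should stop until that is resolved.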
Language: English