OpenPGP Key Signing Parties

After posting Monkeysphere: Easing key management and improving HTTPS security I received some constructive feedback from an acquaintance. The message was clear enough: I need to make an effort to get more signatures on my key so that it can be validated through the Web of Trust.


There are several ways to get a key better connected, but a popular method is to set up, or simply participate in, key signing parties (KSP). The Keysigning Party HOWTO is a good read, so I won't go into the details too much, except to say that I'm a fan of the List Based Method Party described in the howto. This requires a bit more organization ahead of the key signing party, but overall the experience should be a smoother one. The basic idea with this approach is that one or several organizers collect the public keys of the participants ahead of time and prepare a list of keys for the participants. Normally there will be a set of requirements for these keys, e.g. that they are available on public keyservers such as the sks-keyservers.net pools.

Those wanting to participate then send a copy of the key itself, or the key ID or fingerprint of the key so that it can be retrieved from the keyservers. From an organizer's perspective the next step is to build up a database of participants, e.g. in a GnuPG keyring, which is what I'll use.


Step 1: Create a directory for information about the key signing party

mkdir -p $HOME/Tmp/KeySigningPartyRing

Step 2: For each of the participants, download the keys into a gpg keyring in this home dir

I'm starting with my own keys

gpg2 --homedir $HOME/Tmp/KeySigningPartyRing --keyserver eu.pool.sks-keyservers.net --recv-key 0x0B7F8B60E3EDFAE3

gpg2 --homedir $HOME/Tmp/KeySigningPartyRing --keyserver eu.pool.sks-keyservers.net --recv-key 0x43FE956C542CA00B

These keys are then stored in pubring.gpg in the homedir specified.


Step 3: Creating the participant list

To create a list of participants based on the information found in the keyring I personally use a PHP script that is available at https://bitbucket.org/kristianf/keysigningpartylist

This script takes the homedir as an argument, so I run it as

php -f /path/to/keysigningPartyList.php $HOME/Tmp/KeySigningPartyRing

The script can be configured by a file called ksp_conf in the same homedir; I set the variables as

title: My KSP
date: 2013-12-31

Step 4: Digitally sign the participant list

To ensure that the list has not been modified after it is uploaded to an http/ftp location that the participants have access to, I sign the two files generated by the script, which unless otherwise configured in ksp_conf are key_party_list.html and fpr.txt, with gpg. To do this, with the homedir as my working directory, I run

for f in key_party_list.html fpr.txt; do gpg2 --armor --detach-sign $f; done


Step 5: Upload the participant list

I can then upload the participant list, the fingerprint list (this is a convenience file, more on that later) and the relevant digital signatures.

for f in key_party_list.html* fpr.txt*; do scp "$f" "server:/path/to/openpgp_key_signing_party_example/"; done

The result can be seen at http://dev.kfwebs.net/openpgp_key_signing_party_example/ . Each participant then prints the participant list, or the organizer prints copies and brings them along to the key signing party.

Step 6: Holding the KSP

During the KSP each participant brings a copy of their own fingerprint and key data, which is matched against the list, and shows ID documents so the others can verify that they match the UID.


Step 7: Signing the keys and uploading this for others to see

After the KSP is done, and all keys have been verified, it is time to sign the others' keys. This is where the convenience file fpr.txt comes in, as it can readily be passed on to tools such as caff and monkeysign, or it can simply be used to retrieve all the keys from a keyserver.