pgp keysigning party
A key signing party is a gathering where you can exchange your PGP or GPG public keys with others. Identities can be verified with a driver's licence or passport. After this, you can exchange signed or encrypted emails with them, and be reasonably assured that your email from Tim O'Reilly is indeed from Tim O'Reilly.
We encourage you to then sign their keys, and upload them to a public PGP key server, such as the one at MIT. In this way we can begin to establish a decentralized web of trust for the PGP keys of others.
Our next party is going to take place at the 2003 O'Reilly ETCON. We'd be nuts to pass up an opportunity to exchange keys with folks from the EFF ;)
how do i get in on this?
The steps for hosting a PGP party are well documented. A brief overview is below:
That's it! If the person has 2 checkmarks, then you've matched a PGP key to a person. See below for how to sign the keys to start building a web-of-trust.
who is going to be there?
We are constantly compiling the printout containing all attendee info that we will hand out at the party. The email addresses are modified to reduce spam. Of course, the only way to totally eliminate spam is TMDA... but I digress.
Printouts of this form will be available for attendees. Latecomers can sign keys, but probably won't be able to have their keys signed.
uhhh... i don't have a pgp key yet...
You should then submit your key to a public PGP key server so that it can be accessed by others.
how do i sign a key?
Using a command-line tool such as GPG, you can execute these four commands for EACH KEY you wish to sign:
gpg --keyserver pgp.mit.edu --recv-keys KeyId
gpg --fingerprint KeyId
gpg --sign-key KeyId
gpg --keyserver pgp.mit.edu --send-key KeyId
As you can see, some people would just prefer to run our Python Script instead. All the key info is at the top for easy inspection.
Remember - it is completely up to you whether or not you trust somebody enough to sign their key. And be sure to check the script for accuracy! We are ALL guilty of the occasional typo.
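The fingerprint step is the one that ties a key fetched from the keyserver to the person you checked off at the party. The following is an added example, not the party's Python script: it compares the fingerprints on your printout against `gpg --fingerprint --with-colons` output and returns the sign and upload commands only for keys that match. The function names, the long key IDs and the sample data are constructed for illustration.

```python
# Added example, not the party's own script. All sample data is constructed.

def normalize(fpr):
    """Strip spacing and case so a printed fingerprint compares to gpg's."""
    return "".join(fpr.split()).upper()

def primary_fingerprints(colons):
    """Map long key ID -> primary-key fingerprint from --with-colons output."""
    found, keyid, last = {}, None, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keyid = f[4].upper()               # field 5 is the long key ID
        elif f[0] == "fpr" and last == "pub":  # skip subkey fingerprints
            found[keyid] = f[9].upper()        # field 10 is the fingerprint
        if f[0] in ("pub", "sub", "fpr"):
            last = f[0]
    return found

def split_by_match(sheet, colons):
    """sheet: {long key ID: fingerprint you checked off at the party}."""
    fetched = primary_fingerprints(colons)
    ok, bad = [], []
    for keyid, printed in sheet.items():
        match = fetched.get(keyid.upper()) == normalize(printed)
        (ok if match else bad).append(keyid)
    return ok, bad

def sign_commands(keyid, server="pgp.mit.edu"):
    """The sign and upload steps from the page, for a key that matched."""
    return [["gpg", "--sign-key", keyid],
            ["gpg", "--keyserver", server, "--send-key", keyid]]

# Constructed stand-in for: gpg --fingerprint --with-colons KeyId ...
SAMPLE_COLONS = """\
pub:-:1024:17:1111222233334444:1041379200:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:-::::1041379200::X::Alice Example <alice@example.org>:
sub:-:2048:16:9999888877776666:1041379200::::::e:
fpr:::::::::0000000000000000000000009999888877776666:
pub:-:1024:17:5555666677778888:1041379200:::-:::scESC:
fpr:::::::::DEADBEEFDEADBEEFDEADBEEF5555666677778888:
"""
# Constructed printout; the second entry differs from the fetched key.
SAMPLE_SHEET = {
    "1111222233334444": "AAAA BBBB CCCC DDDD EEEE  FFFF 1111 2222 3333 4444",
    "5555666677778888": "DEAD BEEF DEAD BEEF DEAD  BEEF 5555 6666 7777 0000",
}
```

A key that lands in the second list, or that is missing from the keyserver output altogether, should not be signed until you have re-checked it against the printout.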
how do i know i can trust you???
You can't. In fact, I strongly encourage you not to. In fact, let me confess that we are precisely the kind of people who would relish impersonating others, stealing their identities, and running up huge credit card bills with shipments of random infomercial bric-a-brac to their homes.
That's why we desperately need a web of trust built with PGP public keys! You pick who you trust in a face-to-face manner, and then start building distributed trust relationships online. You won't need Microsoft Passport, or other similar single-point-of-failure systems to validate the identity of others. You'll have the legions of PGP Party People at your back!
The very paranoid should sign keys manually with the information that they gather at the party. This can be tedious, however. The slightly less paranoid will download our Python script, inspect it for naughtiness, and run it.