pgp key signing party

what the...?

A key signing party is a gathering where you can exchange your PGP or GPG public keys with others. Identities are verified with a driver's licence or passport. After that you can exchange signed or encrypted email with them, and be reasonably assured that the email from Tim O'Reilly is indeed from Tim O'Reilly.

We encourage you to then sign their keys, and upload them to a public PGP key server, such as the one at MIT. In this way we can begin to establish a decentralized web of trust for the PGP keys of others.

Our next party is going to take place at the 2003 O'Reilly ETCON. We'd be nuts to pass up an opportunity to exchange keys with folks from the EFF ;)



how do i get in on this?

The steps for hosting a PGP party are well documented. A brief overview is below:

  1. set up a PGP key, and upload it to a public keyserver.
  2. then email us your key info. You can look here for the names and PGP ids of those who have signed up thus far.
  3. come to one of the PGP BOFs at ETCON. Bring along a printout of the email you sent, and a pen. No computers, please.
  4. at the party, everybody will receive a printout with everybody's name, email address, and PGP fingerprint.
  5. we get in a circle, and in order, we will each read off our 40-character PGP fingerprint, to verify that the printout is accurate.
  6. if the fingerprint read aloud matches the one on the printout, make one checkmark by the name.
  7. we will then all pull out our identification cards, and face outward.
  8. one at a time, we will each walk around the circle, checking the names and faces on the cards.
  9. if the ID matches the person, make a second checkmark by their name.

That's it! If a person has 2 checkmarks, then you've matched a PGP key to a person. See below for how to sign the keys to start building a web of trust.



who is going to be there?

We are constantly compiling the printout containing all attendee info, that we will hand out at the party. The email addresses are modified to reduce spam. Of course, the only way to totally eliminate spam is TMDA... but I digress.

Printouts of this form will be available for attendees. Latecomers can sign keys, but probably won't be able to have their keys signed.



uhhh... i don't have a pgp key yet...

No problem... you should then download and install GNU Privacy Guard (GPG), and follow the HOWTO docs to make your first key.

You should then submit your key to a public PGP key server so that it can be accessed by others.

You can then integrate PGP into your favorite email client, such as Mozilla, Mutt, or Outlook. You can also use this engine to search for additional email client plugins.



how do i sign a key?

Using a command-line tool such as GPG, you can execute these four commands for EACH KEY you wish to sign:

  gpg --keyserver pgp.mit.edu --recv-keys KeyId
  gpg --fingerprint KeyId
  gpg --sign-key KeyId
  gpg --keyserver pgp.mit.edu --send-key KeyId

As you can see, that gets tedious, so some people would just prefer to run our Python script instead. All the key info is at the top of the script for easy inspection.

Remember - it is completely up to you whether or not you trust somebody enough to sign their key. And be sure to check the script for accuracy! We are ALL guilty of the occasional typo.
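Here is a worked version of the two halves above (the two checkmarks from the party and the four gpg commands per key), as an added example. It is not the party's own Python script and not code from this page. It assumes GnuPG is installed as `gpg` and that the keyserver named in the script answers; the printout rows and the `gpg --with-colons --fingerprint` output embedded in it are constructed samples, not real attendees, key ids or fingerprints. The one thing it adds beyond the four commands is a check that the key the keyserver hands back actually carries the fingerprint you ticked off on the printout, so a typo in a key id (or a different key with the same short id) never gets your signature.

```python
#!/usr/bin/env python3
"""Sign only the keys you verified at the party.

Added example; not the party's own script.  Assumes GnuPG is installed as
`gpg` and a keyserver at KEYSERVER answers.  PRINTOUT and SAMPLE_COLONS are
constructed sample data, not real attendees, key ids or fingerprints.
"""
import re
import subprocess

KEYSERVER = "pgp.mit.edu"   # the keyserver used in the page's four commands

# Constructed printout rows: name, key id, fingerprint as printed,
# checkmark 1 (fingerprint read aloud matched), checkmark 2 (ID matched face).
PRINTOUT = [
    ("Attendee One", "9ABCDEF0DEADBEEF",
     "1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 DEAD BEEF", True, True),
    ("Attendee Two", "6666777788889999",
     "0000 1111 2222 3333 4444  5555 6666 7777 8888 9999", True, False),
]

# Constructed `gpg --with-colons --fingerprint` output for Attendee One's key.
SAMPLE_COLONS = """\
tru::1:1041379200:0:3:1:5
pub:u:1024:17:9ABCDEF0DEADBEEF:1041379200::u:::scESC:
fpr:::::::::123456789ABCDEF0123456789ABCDEF0DEADBEEF:
uid:u::::1041379200::0000000000000000000000000000000000000000::Attendee One <one@example.invalid>:
sub:u:2048:16:AAAA1111AAAA1111:1041379200::::::e:
fpr:::::::::AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111:
"""


def is_fingerprint(text):
    """True if text is a 40-hex-digit (v4) PGP fingerprint, ignoring spacing and case."""
    return re.fullmatch(r"[0-9A-F]{40}", re.sub(r"\s+", "", text).upper()) is not None


def normalize_fingerprint(text):
    """Strip spacing and case so printout, read-aloud and gpg forms compare equal."""
    if not is_fingerprint(text):
        raise ValueError("not a 40-character PGP fingerprint: %r" % text)
    return re.sub(r"\s+", "", text).upper()


def format_fingerprint(text):
    """Lay a fingerprint out the way gpg --fingerprint prints it (and the way it is read aloud)."""
    fpr = normalize_fingerprint(text)
    groups = [fpr[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def checkmarks(printed, read_aloud, id_matched):
    """Steps 5 to 9 of the party as a count: one mark if the fingerprint read
    aloud matches the printout, a second if the ID matched the person."""
    fpr_matches = normalize_fingerprint(printed) == normalize_fingerprint(read_aloud)
    return int(fpr_matches) + int(id_matched)


def parse_primary_fingerprints(colons_output):
    """Primary-key fingerprints from `gpg --with-colons --fingerprint` output.
    A 'pub' record is followed by an 'fpr' record whose 10th field is the
    fingerprint; 'fpr' records after 'sub' belong to subkeys and are skipped."""
    fprs, expect_primary = [], False
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expect_primary = True
        elif fields[0] == "fpr" and expect_primary:
            fprs.append(fields[9])
            expect_primary = False
        elif fields[0] == "sub":
            expect_primary = False
    return fprs


def run_gpg(args, capture=True):
    """Run gpg; capture stdout for parsing, or leave the terminal attached so gpg can prompt."""
    if capture:
        return subprocess.run(["gpg"] + args, check=True, capture_output=True, text=True).stdout
    subprocess.run(["gpg"] + args, check=True)
    return ""


def sign_verified_keys(printout, run=run_gpg, dry_run=False):
    """For every row with both checkmarks: fetch the key, confirm the key the
    keyserver delivered carries the fingerprint verified in person, and only then
    sign and upload.  Returns the fingerprints that were (or would be) signed."""
    signed = []
    for name, keyid, printed_fpr, fpr_ok, id_ok in printout:
        if not (fpr_ok and id_ok):
            print("skip %s (%s): %d of 2 checkmarks" % (name, keyid, int(fpr_ok) + int(id_ok)))
            continue
        expected = normalize_fingerprint(printed_fpr)
        run(["--keyserver", KEYSERVER, "--recv-keys", expected])   # fetch by full fingerprint
        fetched = parse_primary_fingerprints(run(["--with-colons", "--fingerprint", expected]))
        if expected not in fetched:
            # What came back is not the key you checked at the party: do not sign it.
            print("MISMATCH for %s: keyserver gave %s, printout says %s" % (name, fetched, expected))
            continue
        if not dry_run:
            run(["--sign-key", expected], capture=False)   # interactive: confirmation + passphrase
            run(["--keyserver", KEYSERVER, "--send-keys", expected])
        signed.append(expected)
    return signed


if __name__ == "__main__":
    # Offline dry run against the constructed data; drop `run=` and `dry_run=True`
    # to fetch, check, sign and upload with the real gpg.
    offline = lambda args, capture=True: SAMPLE_COLONS if "--fingerprint" in args else ""
    for name, keyid, printed, _, _ in PRINTOUT:
        print(name, keyid, format_fingerprint(printed))
    print("would sign:", sign_verified_keys(PRINTOUT, run=offline, dry_run=True))
```

Run as-is it only exercises the constructed data; pointed at real gpg it still leaves `--sign-key` interactive, so you see each key's user ids and confirm before your passphrase is used, exactly as with the four commands typed by hand. Fetching and signing by full fingerprint rather than by key id is deliberate: the fingerprint is the value you actually checked against the person in front of you.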



how do i know i can trust you???

You can't. In fact, I strongly encourage you not to. In fact, let me confess that we are precisely the kind of people who would relish impersonating others, stealing their identities, and running up huge credit card bills with shipments of random infomercial bric-a-brac to their homes.

That's why we desperately need a web of trust built with PGP public keys! You pick who you trust in a face-to-face manner, and then start building distributed trust relationships online. You won't need Microsoft Passport, or other similar single-point-of-failure systems, to validate the identity of others. You'll have the legions of PGP Party People at your back!

The very paranoid should sign keys manually with the information that they gather at the party. This can be tedious, however. The slightly less paranoid will download our Python script, inspect it for naughtiness, and run it.