I’m organizing a PGP keysigning party at this year’s BarCamp Rochester. For those of you who are unfamiliar with PGP, it’s a system for sending encrypted messages. More information can be found in this guide. The purpose of a keysigning party is to integrate yourself into and expand PGP’s web of trust, which prevents participants from being tricked into addressing their messages to a clever eavesdropper rather than to their intended recipient.
BarCamp will take place on April 18th, on the third floor of the GCCIS building (#70) on RIT campus. The keysigning party will happen at 2:00 PM. If you’re interested in attending, you’ll need to do a little bit of preparation:
Before the Party
- Send me an email to let me know you’ll be there. This isn’t absolutely necessary, but I’d like to get a rough estimate of how big the party will be. You’re also encouraged (though not strictly required) to sign up for BarCamp and give some kind of presentation.
- If you don’t have one already, create a PGP keypair.
- Print out slips of paper with your key’s fingerprint, along with your name and the email address associated with the key. You should be able to fit several of these onto a single sheet of paper (18 if you lay them out like so). As of this writing I don’t know what the turnout will be like, but I’m guessing one sheet will be enough.
- Bring a pen and the slips of paper with you to the party. Also bring identification, preferably two forms, at least one of which is a photo ID and one of which is government-issued (driver’s license, passport, etc.). Don’t bring a computer (or if you do, leave it powered off); you won’t need it.
During the Party
The party will be run in a simple ad-hoc format. You and each other participant will:
- Trade key fingerprints. You give them one of your slips of paper, and they give you one of theirs.
- Check identification. Make sure that the photo on the ID matches the person, and that the name on the ID matches the name on their slip of paper.
- If their ID checks out, and you’re comfortable asserting to the world that this person is who they say they are, write your initials on the slip of paper that they gave you.
Once you’ve traded fingerprints with everyone, the formal part of the party is over. If there’s time left, we can have an informal discussion (perhaps about promoting PGP use in Rochester?), or you can just head out.
After the Party
Once you get home, you’ll need to actually sign the keys of the party-goers. For each slip of paper that you initialled:
- Acquire the corresponding key from the public key servers. You can search by name, email address, or fingerprint.
- Verify that the name, email address, and fingerprint of the key you’ve downloaded match the name, email address, and fingerprint on the slip of paper you were given.
- Using your PGP program, sign the key.
- Export the signed key and send it in an encrypted email to the address listed on the key. Don’t upload it back to the public key servers. Sending it only by encrypted email ensures that the email address really does belong to the person who possesses the key.
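The verification step above, as an added example that is not part of the original post: a shell function that checks `gpg --with-colons --fingerprint` output against the details on a slip before you sign. The function names and the sample key are constructed for illustration, and it assumes 40-hex-digit (v4) fingerprints.

```shell
#!/bin/sh
# Added example. stdin: output of `gpg --with-colons --fingerprint <search>`.

# Strip spaces and upper-case, so a fingerprint typed from a slip compares cleanly.
norm_fpr() { printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'; }

# check_slip SLIP_FPR SLIP_NAME SLIP_EMAIL
# Exit 0 only if one key in the listing has that full primary fingerprint
# AND a non-revoked user ID "Name <email>" or "Name (comment) <email>".
check_slip() (
  fpr=$(norm_fpr "$1")
  # Insist on the full fingerprint; short key IDs can collide.
  printf '%s' "$fpr" | grep -Eq '^[0-9A-F]{40}$' ||
    { echo "slip fingerprint must be 40 hex digits" >&2; exit 2; }
  awk -F: -v fpr="$fpr" -v name="$2" -v sfx=" <$3>" '
    $1 == "pub" { cur = 0; after_pub = 1; next }
    # Only the fpr record right after "pub" is the primary key; later ones are subkeys.
    $1 == "fpr" && after_pub { cur = (toupper($10) == fpr); after_pub = 0; next }
    $1 == "uid" && cur && $2 != "r" && index($10, name) == 1 {
      rest = substr($10, length(name) + 1)
      tail = substr(rest, length(rest) - length(sfx) + 1)
      if (rest == sfx || (rest ~ /^ \([^)]*\) <[^<>]*>$/ && tail == sfx)) ok = 1
    }
    END { exit !ok }
  '
)

# Constructed sample listing (not a real key).
sample_listing() {
  cat <<'EOF'
pub:-:255:22:89ABCDEF01234567:1700000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>:
sub:-:255:18:FEDCBA9876543210:1700000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA98FEDCBA9876543210:
EOF
}

sample_listing |
  check_slip "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567" \
    "Alice Example" alice@example.org && echo "slip matches key"
```

With a real key, pipe `gpg --with-colons --fingerprint alice@example.org` into `check_slip` in place of `sample_listing`, and sign only when it exits 0.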
When you receive signatures from others, import them into your keyring and update your key on the public key servers.
That’s pretty much it. If you have any questions, either email me or leave a comment here.