PGP Keysigning

From Geohashing

Geohashing is a great opportunity to expand your PGP web of trust. Take advantage of this unique opportunity to interact with other nerd-like creatures in meat space by forming an impromptu keysigning party.

The idea of a keysigning party is to get other people to verify your identity so they can digitally sign your PGP public key. This expands your web of trust, because now anyone who trusts the signer can also trust that your key really belongs to you. More info at [1] and much more info at [2].

To get signatures while geohashing, you need to bring the following items:

  • Reliable photo identification: A passport is probably the ultimate form of ID, but any other government-issued photo ID (a driver's license, for instance) should also be suitable.
  • Additional identification: Just for added verification, some additional ID, like a credit card with your name on it, a student ID, etc., is a good idea.
  • PGP key information: People will need this in order to actually get your key later so they can sign it. It should include your full name, your key ID, and the full fingerprint of your key, so basically the output of gpg --fingerprint <MYKEYID> should work pretty well. Print (or write) a handful of copies so each signer can take one home. It shouldn't take up much space on the paper, so print as many copies as you can on one sheet, then cut it into strips.
  • Contact information: So you can collect the signatures once they are made, include either an email address they can be sent to, or indicate a public keyserver (such as http://keys.gnupg.net/) that signatures should be uploaded to.
  • Verifiable signature: As an added security measure, write out today's date and the hash coordinates, then sign it (ASCII-armored) with your private key. Include this with the key information so signers can verify that you hold the correct private key.
    • Sticking with the geohashing formula of just the date and DJIA is probably ok, too. Basically, you want something that wasn't known until that day and is easily confirmed by a hasher. The day's coordinates are actually probably easier to confirm than the DJIA.
    • To make this easier, plan to give this signature to the signer electronically. If you can't do it in person (on a flash drive, for instance), then give them the paper copy and agree on how you can provide it to them later (by email, for instance, or perhaps on your geohashing user page). This way, they can use the electronic copy to actually verify the signature, and then just do an eyeball check against the printed copy to confirm that the signature you sent is the same as the one you gave them.

Before the meetup

When arranging meetups, it's a good idea to indicate that you will be bringing your key information and are willing to sign others' keys.

You can use the PGP Userbox to mark yourself as a PGP user, and find other users in the PGP key owners category.

At the meetup

At the meetup, find out who has keys they want to be signed. Collect that person's key information, as described above. Before signing, you must verify the person's identity, and make sure it matches the identity described in the key. Check their reliable photo ID and any additional ID they can provide, make sure the photos match the person you're looking at, make sure they all use the same name and birthday, etc. Then make sure this is the same name as is listed in the key (which you won't know for sure until you actually go home and download the key).

Once you're confident that they are who they claim to be, make a mark on your copy of their information to remind yourself later that you verified their identity (and then keep that copy securely in your possession). Make sure you both agree on how you will get their public key (email, keyserver, or perhaps they brought you a cheap flash drive that has it), and how you will provide the signature (for instance, by email, or by uploading to a keyserver). Also give them an estimate of when you will actually be able to provide the signature (hopefully no more than a few days).

Of course, don't forget to distribute your information in the same way to anyone who agrees to sign your key.

Note that it is generally recommended not to view the key or perform any signature at the actual meetup, even if you have access to the necessary equipment (computer and Internet, for instance). It basically just provides an unlikely but possible way for the integrity of the verification and signature process to be compromised.

After the meetup

After the meetup, get your copy of the public key, and verify that the entire fingerprint matches, and that the user id matches the name that they provided and that you verified in person. If they gave you a verifiable signature, enter it (carefully) into a file and verify that the signature is correct, and that the information they signed is correct for that day's hash (proving it was made recently). If everything checks out, sign their key, export your signature, and either email it back to them, or publish it to a keyserver, depending on what was agreed upon.
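The post-meetup checks above, and the "verifiable signature" item from the list of things to bring, as an added example that is not part of the wiki page: compare the slip's fingerprint against the downloaded key as a whole (never just the short key ID), check the slip's key ID agrees with its fingerprint, and verify the clearsigned date-plus-coordinates statement. The slip values, the user ID "Hasher <hasher@example.org>" and the coordinates are constructed; the gpg round trip only runs if gpg is installed.

```shell
#!/bin/sh
# Added example, not from the Geohashing wiki: the checks a signer runs
# after the meetup (slip fingerprint vs. downloaded key, key id vs.
# fingerprint, the clearsigned date+coordinates). Slip values are made up.
set -eu
# Normalise a fingerprint as written on a paper slip: drop spaces and
# colons, uppercase the hex, so grouped and ungrouped forms compare equal.
normalize_fpr() { printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'; }
# Succeed only if the ENTIRE 40-hex-digit fingerprint matches. Never
# accept a match on the 8-hex short key id alone: those are cheap to collide.
fpr_matches() {
  a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
  if [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]; then return 0; else return 1; fi
}
# The long key id is the last 16 hex digits of a v4 fingerprint; check that
# the key id printed on the slip really belongs to the printed fingerprint.
keyid_from_fpr() { printf '%s\n' "$(normalize_fpr "$1")" | cut -c 25-40; }
# Verify a clearsigned statement: the signing key's full fingerprint (from
# gpg's VALIDSIG status line) must equal the slip's, and the signed text
# must contain exactly the expected date + coordinates line.
verify_statement() { # $1 signed file, $2 slip fingerprint, $3 expected line
  gpg --batch --status-fd 1 --verify "$1" 2>/dev/null |
    awk -v w="$(normalize_fpr "$2")" \
      '$2 == "VALIDSIG" && $3 == w { ok = 1 } END { exit !ok }' || return 1
  grep -Fqx "$3" "$1"
}
# Constructed sample slip and statement (not a real key).
SLIP_FPR="1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678"
SLIP_KEYID="9ABCDEF012345678"
STATEMENT="2009-05-16 geohash 51.5074 -0.1278"   # date + the day's coords
if [ "$(keyid_from_fpr "$SLIP_FPR")" = "$SLIP_KEYID" ]; then
  echo "slip key id agrees with slip fingerprint"
fi
# Round trip with a throw-away key when gpg is installed: the key owner
# clearsigns the statement, the signer verifies it against the fingerprint.
if command -v gpg >/dev/null 2>&1; then
  ( GNUPGHOME=$(mktemp -d); export GNUPGHOME
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Hasher <hasher@example.org>' 2>/dev/null &&
    FPR=$(gpg --with-colons --fingerprint | awk -F: '$1=="fpr"{print $10;exit}') &&
    printf '%s\n' "$STATEMENT" | gpg --batch --pinentry-mode loopback \
        --passphrase '' --clearsign > "$GNUPGHOME/stmt.asc" &&
    verify_statement "$GNUPGHOME/stmt.asc" "$FPR" "$STATEMENT" &&
    echo "statement verified, signed by $FPR" ||
    echo "gpg round trip could not run here"
    gpgconf --kill all 2>/dev/null || true; rm -rf "$GNUPGHOME" )
fi
```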