Keysigning 2016-02-21

From the Linux and Unix Users Group at Virginia Teck Wiki
Jump to: navigation, search

Keysigning party? Keysigning party!

Direct all questions to echarlie at

The purpose of this keysigning party is to bring bring together people who are interested in cryptography and/or digital privacy with the goal of strengthening the web of trust.

VTLUUG hosts these from time to time to promote cryptography standards such as PGP, to raise awareness of cryptography, and to allow members to authenticate each other for distribution of semi-sensitive information.

Some samples on running keysigning parties:

Event on biglumber:

We could add an event keyring, or perhaps a long-time even with keyring, to simplify identification of members with keys, and to ease the process of fetching all of the keys, however that takes a critical mass of interest in the event.



Verify identities for signing PGP keys, with food and door prizes.

  • Invite your friends
  • Upload keys to VT keyserver
  • Signing GPG keys (Maybe CACerts too, depending on demand)

What you need to do in order to attend

  • Have a GPG key (if you don't have one, we can help you at a meeting Thursday at 8:30 in TORG 1040 or via IRC on #vtluug )
    • Upload it to the VT keyserver
  • Sign up for the event here
  • Bring 2 forms of IDs (Driver's license + Hokie ID will do, for example) and your Key Fingerprint (to reduce errors in transcribing)
  • >> Read the instructions <<
    • These instructions are dated, and thus are not correct. They *do* provide a good guideline, however, of how this will run.

OpenPGP is a cryptographic standard that allows for secure, confidential, non-reputable, and verifiable communication over an otherwise untrusted medium such as email. This only works, however, if you have some method of verifying that the other party is indeed who they claim to be. This problem is solved through keysigning: you are verifying first-hand that the other party's identity and key match, as well as declaring this to anyone who trusts you. These interconnected chains of verification form a web of trust and allow secure communication between previously unacquainted or unverified communicators.

If you do not already have an OpenPGP key, please acquire a client and generate one. For the Linux and BSD operating systems, we recommend GnuPG version 2.0 or later or one of its frontends such as GPA or Seahorse. For Windows we suggest Gpg4Win. For OSX we suggest GPG Tools. Both OSX and Windows can run the official GnuPG client, if you are okay with working from the command line. Follow the associated documentation to generate a keypair, or refer to the ArchWiki Page on GnuPG.

If you wish to attend, please bring two forms of valid identification as well as paper copies of your key fingerprint.

The Procedure

This is merely a summary: Please refer to other sources, and the GnuPG documentation for a better understanding of what each piece entails.

  1. Generate a keypair and upload it to the VT Keyserver
  2. Bring your ID; bring multiple printouts of your key fingerprint (think 30 to 50)
  3. Everyone will sign in at the party
  4. When most of the participants have arrived, we will form a line, and everyone will rotate down the line, meet everyone else, and verify their ID against their name.
  5. When the party ends, you go to a secure place, download keys for other users, sign them, and sync them against the server