If you know of a translation, or would like to translate this document into another language, please let me know so that I can distribute or link to the translated versions.

Chapter 2. Overview of A Keysigning Party

What is a Keysigning Party?

A key signing party is a get-together of people who use the PGP encryption system, with the purpose of allowing those people to sign each other's keys. Key signing parties serve to extend the web of trust to a great degree. They are also good opportunities to discuss the political and social issues surrounding strong cryptography, individual liberties and individual sovereignty, as well as the practicalities of deploying encryption technologies and future work on free encryption software.

What is Keysigning?

Key signing is the act of digitally signing a public key packet together with a user ID packet attached to that key. It is done to verify that a given user ID and public key really do belong to the entity that appears to own the key; in more basic terms, to verify that the representation of identity in the user ID packet is valid. Usually this means that the name on the PGP key matches the name on the identification the person presents when asking you to sign their key.

The term "public key" has two meanings in PGP terminology. It can refer to the actual public key of a key pair, or to that key together with the collection of signatures made upon it and any encryption subkeys bound to it by a signature from the primary key. To avoid confusion in this document, I will use the term "public key" when referring to the key, signatures and subkeys together, and the term "public key packet" when referring to the public key of a key pair alone.

You can digitally sign your own public key packet and any user ID attached to it, or another entity's public key packet and its user IDs. Self-signatures prevent an adversary from appending fake encryption or signature subkeys to your public key material while it is stored on a keyserver or in transit. If an adversary could add a subkey for which only they possess the private key, someone who wishes to communicate with you in secret might inadvertently encrypt their message to the person who surreptitiously modified your public key. By default, GnuPG and most other implementations of the OpenPGP standard automatically self-sign every user ID packet generated for a public key and bind every subkey to the primary key with a signature made by the primary key. In a sense, key signatures validate public keys. They are an endorsement of the validity of a public key packet and an associated user ID by a third party. This is the way in which key signing builds the web of trust.
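To make the packet-level distinction concrete, here is an added example in Python (mine, not part of the original HOWTO and not GnuPG code). It builds a constructed OpenPGP public key block from dummy RSA values, then walks it the way the definitions above describe: the public key packet, the user ID with the signatures hanging off it, and each subkey with its binding signature. Every signature is classified by its issuer key ID as a self-signature or a third-party signature, and a subkey that the primary key never signed is flagged, which is exactly what an attacker splicing their own encryption key into your key in transit would produce. The key material and signature MPIs are placeholders: the code checks structure and issuer only, not the signature mathematics, which is the part GnuPG performs on import.

```python
import hashlib
import struct

# Packet tags (RFC 4880 section 4.3) and signature types (section 5.2.1) used below.
TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY = 2, 6, 13, 14
UID_CERT_TYPES = {0x10, 0x11, 0x12, 0x13}   # certifications over a User ID packet
SUBKEY_BINDING = 0x18                        # primary key vouching for a subkey
SUBPKT_ISSUER = 16                           # subpacket holding the signer's 8-byte key ID


def mpi(value):
    """Multi-precision integer: 2-byte bit count, then big-endian magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def packet(tag, body):
    """Wrap a body in a new-format packet header with a 1-, 2- or 5-octet length."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([192 + ((n - 192) >> 8), (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def key_body(n, e, created):
    """Version 4 RSA public key (or subkey) packet body; n and e are dummy values here."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def key_id(body):
    """Key ID = low 8 bytes of the V4 fingerprint SHA1(0x99 || 2-byte length || body)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()[-8:]


def signature_body(sig_type, issuer):
    """V4 signature carrying an Issuer subpacket; the RSA MPI is a placeholder, not a real signature."""
    issuer_subpkt = bytes([1 + len(issuer), SUBPKT_ISSUER]) + issuer   # length covers type + data
    return (b"\x04" + bytes([sig_type]) + b"\x01\x08"                   # RSA, SHA-256
            + struct.pack(">H", 0)                                       # empty hashed area
            + struct.pack(">H", len(issuer_subpkt)) + issuer_subpkt      # unhashed area
            + b"\x00\x00" + mpi(1))                                      # hash prefix + dummy MPI


def read_packets(blob):
    """Yield (tag, body) for each new-format packet; old-format and partial lengths are out of scope."""
    i = 0
    while i < len(blob):
        hdr, first = blob[i], blob[i + 1]
        if (hdr & 0xC0) != 0xC0:
            raise ValueError("old-format packet header not handled")
        if first < 192:
            length, i = first, i + 2
        elif first < 224:
            length, i = ((first - 192) << 8) + blob[i + 2] + 192, i + 3
        elif first == 255:
            length, i = struct.unpack(">I", blob[i + 2:i + 6])[0], i + 6
        else:
            raise ValueError("partial body length not handled")
        yield hdr & 0x3F, blob[i:i + length]
        i += length


def signature_issuer(body):
    """Return (signature type, issuer key ID) from a V4 signature body."""
    sig_type, pos, issuer = body[1], 4, None
    for _ in range(2):                                   # hashed area, then unhashed area
        count = struct.unpack(">H", body[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + count
        while pos < end:
            sub_len = body[pos]                           # one-octet subpacket lengths only
            if body[pos + 1] & 0x7F == SUBPKT_ISSUER:    # high bit is the "critical" flag
                issuer = body[pos + 2:pos + 1 + sub_len]
            pos += 1 + sub_len
    return sig_type, issuer


def audit(blob):
    """Classify every signature in a public key; report user IDs or subkeys the primary never signed."""
    primary, current, uids, subkeys = None, None, {}, {}
    for tag, body in read_packets(blob):
        if tag == TAG_PUBLIC_KEY:
            primary = key_id(body)
        elif tag == TAG_USER_ID:
            current = ("uid", body.decode())
            uids[current[1]] = {"self": 0, "third_party": []}
        elif tag == TAG_PUBLIC_SUBKEY:
            current = ("subkey", key_id(body).hex())
            subkeys[current[1]] = False
        elif tag == TAG_SIGNATURE and current is not None:
            sig_type, issuer = signature_issuer(body)
            if current[0] == "uid" and sig_type in UID_CERT_TYPES:
                if issuer == primary:
                    uids[current[1]]["self"] += 1
                else:
                    uids[current[1]]["third_party"].append(issuer.hex())
            elif current[0] == "subkey" and sig_type == SUBKEY_BINDING and issuer == primary:
                subkeys[current[1]] = True
    problems = [f"user ID {u!r} has no self-signature" for u, s in uids.items() if s["self"] == 0]
    problems += [f"subkey {k} has no binding signature from primary {primary.hex()}"
                 for k, bound in subkeys.items() if not bound]
    return {"primary": primary.hex(), "uids": uids, "subkeys": subkeys, "problems": problems}


def build_demo():
    """Constructed keys: Alice's honest key, then a copy with a subkey Mallory appended in transit."""
    alice = key_body(0xC0FFEE1234567891, 65537, 1_000_000_000)
    bob = key_body(0xDEADBEEF0BADF00D, 65537, 1_000_000_100)
    alice_sub = key_body(0xFEEDFACE11112222, 65537, 1_000_000_200)
    mallory = key_body(0xBAADF00D33334444, 65537, 1_000_000_300)
    honest = (packet(TAG_PUBLIC_KEY, alice)
              + packet(TAG_USER_ID, b"Alice <alice@example.org>")
              + packet(TAG_SIGNATURE, signature_body(0x13, key_id(alice)))   # Alice's self-certification
              + packet(TAG_SIGNATURE, signature_body(0x10, key_id(bob)))     # Bob's signature from the party
              + packet(TAG_PUBLIC_SUBKEY, alice_sub)
              + packet(TAG_SIGNATURE, signature_body(SUBKEY_BINDING, key_id(alice))))
    tampered = (honest + packet(TAG_PUBLIC_SUBKEY, mallory)
                + packet(TAG_SIGNATURE, signature_body(SUBKEY_BINDING, key_id(mallory))))
    return honest, tampered


if __name__ == "__main__":
    for name, blob in zip(("honest", "tampered"), build_demo()):
        print(name, audit(blob)["problems"] or "no structural problems")
```

Because the Issuer subpacket is just data the signer wrote down, an attacker can set it to your key ID; the structural check only tells you which signature must be verified against which key. Real verification means checking the signature with the primary key, which gpg does during import before it accepts a subkey or user ID.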

What is the Web of Trust?

"Web of trust" is a term used to describe the trust relationships between a group of keys. A key signature is a link, or strand if you will, in the web of trust, and a chain of such links from your own key to another key is called a "trust path". Trust paths can be bi-directional or one way only. The ideal web of trust is one in which everyone is connected bi-directionally to everyone else: everyone has verified and signed everyone else's key, so everyone can trust that every key does in fact belong to its owner. The web of trust can be thought of as the sum of all the trust paths, or links, between all key holding parties. As a visual example, here is a graph of a web of trust that I belong to.

Figure 2.1. An Example Web Of Trust Graph

Why should I hold a Keysigning Party?

There are three primary reasons to hold as many key signing parties as you possibly can.

First, and perhaps most importantly, key signing parties expand the web of trust. The deeper and more tightly inter-linked the web of trust is, the more difficult it is to defeat. This is of special significance to the Free Software Community, for developers and users alike. Members of the community rely upon PGP to cryptographically protect the integrity of their software packages, security advisories and announcements, and the stronger and more robust the web of trust, the stronger the protection PGP gives the community against threats such as trojaned packages, malware, viruses and forged messages.

Second, key signing parties help others get integrated into the security culture and encourage them to gain an understanding of PGP and related strong cryptography technologies. In order to get the benefits of strong cryptography, people must use strong cryptography, and use it properly, which requires a basic understanding of the underlying technology. That understanding can be difficult to acquire for people new to computers and new to the free software culture. Introducing people who lack knowledge and skills in cryptography to individuals who have developed them helps those trying to learn and benefits everyone.

Finally, key signing parties help build communities. They help techies get together to get to know each other, network, and discuss important issues like civil liberties, cryptorights and internet regulation. Discussion is important because it is not only the first step, but also the step before action. When I first wrote this document there were not very many complex webs of trust in the world. Things have improved dramatically, with more plentiful webs that are much deeper than they were a few years ago. It still remains the case, however, that if you work to build a web of trust in your local area, the first participants in that web are very likely to be the leaders and policy setters of the internet community in your area: the individuals who can choose to build strong cryptographic technology and protocols into the local infrastructure. The integration of such technology and protocols could make issues like the FBI's Carnivore system and the National Security Agency's illegal domestic surveillance technologically infeasible and therefore moot.

Can you give me some examples of why I'd want to hold one?

As an example, let's say that Alice and Bob generate PGP keys with GNU Privacy Guard (GPG) and hold a PGP key signing party. At the party Alice and Bob verify each other's key information and later sign each other's keys. GPG by default self-signs every user ID on a key it generates with the associated private key, so Alice and Bob both now have at least two signatures validating that their keys belong to them: Alice's key was signed by Alice herself and by Bob, and Bob's key was signed by Bob himself and by Alice.

In the future Alice and Bob meet Cathy. Cathy generates a key pair and tells Alice and Bob that she will send them both her key. Alice doesn't like Cathy and doesn't want Bob to exchange encrypted communications with her, so both Alice and Cathy generate PGP keys which they claim belong to Cathy, and both send them to Bob. Each key carries one signature, the self-signature made with its own private key, and Bob cannot tell which key is really Cathy's. Cathy hears that Bob got two keys and suspects Alice. Cathy, now angry, wants information she can use against Alice, and to get it she must compromise the encrypted communications between Alice and Bob. So Cathy forges an email to Bob from Alice announcing that Alice has generated a new key pair, a key pair for which only Cathy holds the private key, and includes Alice's "new" public key (in fact a fake key generated by Cathy). Bob can tell this is a trick: although he now has two keys for Alice, one of them has been signed by multiple people (himself and Alice) verifying that it does indeed belong to Alice, while the other, Cathy's fake key, carries only its own signature.

The above example is very simplified and things can get a lot more complicated. You can read through the PGP FAQs or a good book on PKI for more information and a more detailed explanation. The example does, however, clearly show the basics of key signing and its value: Cathy was not able to introduce a fake key for Alice because of the web of trust interconnections (key signatures) between Bob and Alice.

It is important to note that signatures and webs of trust do not guarantee trustworthy keys. For example, when Bob and Alice first met Cathy, let's say that a friend of Cathy's, Donald, had been with her. Donald could have generated fake key pairs for Alice and Bob, signed each with his own key and with the other fake key, resulting in three signatures on each fake key (the self-signature, Donald's and the other fake key's), and sent them to Cathy. Cathy would be facing a set of bad keys and signatures. How could key signing help Cathy resist such an attack? Let's say that all the people involved were exchanging keys through a key server. If Cathy searched the key server for Alice's and Bob's keys, she would find two keys for each of them. If Alice and Bob had collected twenty key signatures at the keysigning party, Cathy would have better reason to trust the public keys signed by twenty different individuals than the ones signed by only three. The very existence of the extra public keys should tell Cathy that something is wrong, so she can look more closely at the generation dates and at the web of trust behind each key. The genuine keys should each be signed by twenty or more different individuals, and those signing keys would most likely have widely varying generation times. It is also probable that the keys that signed the party participants' keys were themselves signed by people who did not attend the party, perhaps people who don't even live in the same area. That would not be the case for the faked keys even if Donald had generated twenty fake key pairs and a faked web of trust around them: the scope of Donald's fake web would be limited in size and depth to the keys Donald generated or had gained control of. The multilayered web of trust supporting the real keys would provide a strong indication that Alice's and Bob's genuine keys were more trustworthy than Donald's fakes.
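The Alice, Bob and Cathy story and Donald's fabricated web above are, in the end, a computation over signatures and the trust you place in the people who made them. The following added example (mine, not from the HOWTO and not GnuPG's code) implements a simplified version of the classic trust model GnuPG uses, with its default thresholds taken as an assumption: a key is valid if it carries one signature from a valid key whose owner you fully trust, or three from valid keys whose owners you marginally trust, within five hops of your own ultimately trusted key. The key names and signatures are constructed to match the narrative. Cathy's scenario uses three marginally trusted attendees rather than the twenty in the text, which is the minimum that reaches the threshold; Donald's three mutually signing keys never become valid because no path from Cathy's own key reaches them.

```python
from collections import defaultdict

# Trust levels a user assigns to the owners of keys (GnuPG calls this ownertrust).
ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"

# Assumed GnuPG classic trust model defaults:
# --completes-needed 1, --marginals-needed 3, --max-cert-depth 5.
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5


def compute_validity(signatures, ownertrust):
    """Return {key: depth} for every key whose validity can be established from the user's trust.

    signatures: iterable of (signer, signed) pairs; self-signatures carry no weight here.
    ownertrust: {key: ULTIMATE | FULL | MARGINAL}; unlisted keys get no weight as introducers.
    A key becomes valid once it carries COMPLETES_NEEDED signatures from valid, fully trusted
    keys or MARGINALS_NEEDED from valid, marginally trusted keys, within MAX_CERT_DEPTH hops.
    """
    signers_of = defaultdict(set)
    for signer, signed in signatures:
        if signer != signed:
            signers_of[signed].add(signer)
    valid = {k: 0 for k, level in ownertrust.items() if level == ULTIMATE}
    for depth in range(1, MAX_CERT_DEPTH + 1):
        newly = {}
        for key, signers in signers_of.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid]   # only valid keys count as introducers
            full = sum(ownertrust.get(s) in (ULTIMATE, FULL) for s in usable)
            marginal = sum(ownertrust.get(s) == MARGINAL for s in usable)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid


def bobs_view():
    """Bob after the party: two keys claim to be Alice's and two claim to be Cathy's."""
    sigs = [("bob", "alice-real"), ("alice-real", "bob"),     # signed at the party
            ("alice-fake", "alice-fake"),                       # Cathy's forgery: self-signed only
            ("cathy-real", "cathy-real"), ("cathy-fake", "cathy-fake")]
    return compute_validity(sigs, {"bob": ULTIMATE, "alice-real": FULL})


def cathys_view(attendees_signed=3):
    """Cathy, who checked the IDs of some party attendees, faces Donald's fabricated web."""
    party = [f"attendee{i}" for i in range(1, 4)]
    sigs = [(p, "alice-real") for p in party]                  # real party signatures on Alice's key
    sigs += [("cathy", p) for p in party[:attendees_signed]]   # attendees Cathy verified herself
    fake_web = ["donald", "donald-x1", "donald-x2"]
    sigs += [(a, b) for a in fake_web for b in fake_web if a != b]   # Donald's keys vouch for each other
    sigs += [(d, "alice-fake") for d in fake_web]              # ...and for the fake Alice key
    trust = {"cathy": ULTIMATE, **{p: MARGINAL for p in party}}
    return compute_validity(sigs, trust)


if __name__ == "__main__":
    print("Bob sees as valid:", bobs_view())
    print("Cathy sees as valid:", cathys_view())
    print("Cathy with only two attendees checked:", cathys_view(attendees_signed=2))
```

Real GnuPG also requires that the signing keys themselves be valid before their ownertrust counts, which the loop above models by only considering signers already in the valid set; what it leaves out is signature expiry, revocation and the cryptographic check of each signature, all of which gpg performs before a signature enters this calculation.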

Choosing a Keysigning Party Type

There are different possible structures for keysigning parties. These formats were designed to accommodate increasing levels of participation as PGP has become more popular. The sections below describe three of the most common methods and provide instructions for each one. By reading the Theory subsections below, you'll be able to select the right party method for you.

Informal Method

Party Theory

The most common type of keysigning party is the informal party. For an informal party, no coordination is necessary other than announcing a time and date. Individuals bring their key information and what they feel to be sufficient proof of their identity.

Organizing

Informal parties are easy to coordinate and simple in nature. They can be announced at the last minute and can therefore easily be attached to another event that attracts members of the cryptography community, such as technical conferences, LAN parties, science fiction conventions, civil liberty events and technical standards working group meetings.

Participating

Ideally, you should bring small pieces of paper with your name and PGP key fingerprint on them to hand out to people. Many people now have their PGP key fingerprint printed on the back of their business card along with the address of a preferred keyserver from which an up to date copy of the key can be downloaded. They often also include a small "verified" checkbox that someone can mark if they choose to check identification.

List Based Method

Party Theory

For a list based party, more coordination is necessary. The party coordinator creates a list of the PGP key fingerprints of everyone who plans to attend. A list helps when enough people are expected that it would be difficult for everyone to make sure they get a chance to meet everyone else in attendance. The obvious benefit is that participants who are given a list will most likely attempt to complete it, which results in a deeper, more interlinked web of trust that benefits all users of PGP.

Organizing

I've written a public domain perl script to generate the keysigning party list from an OpenPGP public keyring for you to use. You can post this list on the web so that participants can print it out, or you can bring copies to the party for everyone.

Participating

You should check identification and verify fingerprint information for each person at the party against your list. You should also verify your own fingerprint as it appears on other participants' lists, to make sure a dishonest organizer did not give some people a different list from the one you were given.
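The perl script mentioned above is not reproduced on this page. As an added example (mine, not the HOWTO's script), here is an equivalent in Python that turns the colon-separated output of `gpg --with-colons --fingerprint` for the party keyring into a numbered checklist with the verification boxes the Participating section describes. The sample input is constructed for this example and contains no real keys; it follows the field layout GnuPG documents for this output (record type in field 1, key ID in field 5, fingerprint or user ID in field 10). The digest line at the end is a design choice of this example rather than something the HOWTO describes: if the organizer reads it aloud and everyone checks it against their printout, nobody can have been handed a different list.

```python
import hashlib

# Constructed sample of `gpg --with-colons --fingerprint` output for a two-key party keyring.
# The key IDs, fingerprints and user IDs are made up for this example.
SAMPLE_COLONS = """\
pub:-:4096:1:0123456789ABCDEF:1500000000::-:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:-::::1500000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Alice Example <alice@example.org>::::::::::0:
uid:-::::1500000001::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.net>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1500000000::::::e::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF00001111222233334444:
pub:-:255:22:89ABCDEF01234567:1600000000::-:::scESC::::::23::0:
fpr:::::::::1234567890ABCDEF1234567890ABCDEF12345678:
uid:-::::1600000000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Bob Example <bob@example.org>::::::::::0:
"""

# Public key algorithm numbers from RFC 4880 plus EdDSA as GnuPG reports it.
ALGO_NAMES = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def parse_colons(text):
    """Collect key ID, algorithm/size, primary fingerprint and user IDs for each primary key."""
    keys, current = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"keyid": f[4], "algo": f"{ALGO_NAMES.get(int(f[3]), f[3])}{f[2]}",
                       "fpr": None, "uids": []}
            keys.append(current)
        elif f[0] == "fpr" and current and current["fpr"] is None:
            current["fpr"] = f[9]            # first fpr after pub is the primary key's
        elif f[0] == "uid" and current:
            current["uids"].append(f[9])
        # sub/fpr pairs for subkeys are skipped: participants verify the primary fingerprint
    return keys


def group4(hex_string):
    """Group hex in blocks of four, the way gpg prints fingerprints."""
    return " ".join(hex_string[i:i + 4] for i in range(0, len(hex_string), 4))


def party_list(text):
    """Render the numbered checklist and append a digest so everyone can confirm they hold the same list."""
    lines = []
    for n, k in enumerate(parse_colons(text), 1):
        lines.append(f"{n:03d}  [ ] Fingerprint OK   [ ] ID OK")
        lines.append(f"     {k['algo']}/{k['keyid']}  {group4(k['fpr'])}")
        lines.extend(f"     uid  {uid}" for uid in k["uids"])
        lines.append("")
    body = "\n".join(lines)
    digest = hashlib.sha256(body.encode()).hexdigest().upper()
    return body + f"SHA256 of the list above: {group4(digest)}\n"


if __name__ == "__main__":
    print(party_list(SAMPLE_COLONS))
```

In use, the organizer would replace the constructed sample with the real output of `gpg --no-default-keyring --keyring party.gpg --with-colons --fingerprint`, and each participant checks their own line before the party so that a mistaken or substituted fingerprint is caught before anyone signs anything.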