Keysigning Party Methods
The 'Ad Hoc' Method
The 'Ad Hoc' method (which is basically a fancy shmancy way of saying "the standard way keysignings have always been done!") is best suited to small groups, since it can quickly become chaotic with large numbers of people and does not scale well. However, it requires little or no planning, so it is very easy with small groups.
Before The Event
1. All participants output the fingerprint of their key and print out a number of copies:
gpg --fingerprint KeyID (where KeyID is actually your unique key ID). You will need to give one copy to everyone who signs your key, so copy and paste it maybe 20 times, print it out and cut the pages into strips.
2. Collect to take to the event:
- The printouts of your key fingerprint.
- Photo ID: a driver's licence, a passport, etc. Ideally 2 forms of government-issued photo ID should be used.
- A pen. Don't forget this or you'll be sorry!
- (optional) An envelope for collecting fingerprint slips.
At The Event
1. Each participant should meet up face to face with every other participant to receive their key fingerprint and examine their ID, and to give them your key fingerprint and have them examine your ID. The keysigning organiser will provide direction about exactly how this is to happen. With large groups it can become very chaotic as the number of possible relationships increases exponentially with the number of participants. To keep things orderly the organiser will probably have everyone stand in a long line and then have the line fold back on itself, allowing every person to pass by every other person in turn.
2. As you meet up with each person they will give you a printout of their key fingerprint and show you their ID. Examine their ID, and if you are convinced that the person standing in front of you is actually who they say they are then write 'ID OK' on their key fingerprint and initial it to prevent tampering. You then keep their key fingerprint in a safe place for later reference after the event has finished.
After The Event
1. Participants retrieve the public keys of all keysigning participants by fetching individual keys from public keyservers.
2. Participants work through their collection of signed fingerprint slips, checking the fingerprint of each key against the fingerprint on the slip and signing only keys that match and are marked 'ID OK'.
3. Participants either upload each public key they sign to a public keyserver, or email it directly to the key owner. Some key owners prefer not to have keys sent to public keyservers so in general it is courteous to email the key directly to the owner.
4. Signatures sent to each participant by other participants are imported into their local keyring.
- Find the key ID on the fingerprint slip. The slip will have an 8-character ID listed after the key size. Typically it looks like this: '1024D/64011A8B'. The actual ID portion is the '64011A8B'. You'll notice this is also the last 8 characters of the fingerprint itself.
- Fetch the public key using the key ID. If you're running GnuPG on the command line, you can do this by typing 'gpg --recv-keys KeyID' (where KeyID is obviously the ID of the key you want).
- Check that the fingerprint of the key you've just fetched matches the fingerprint on the slip of paper: run 'gpg --fingerprint KeyID' and compare it with the hard copy in front of you.
- If (and only if) you are happy that the fingerprints match and the person showed you sufficient ID, you can do the actual 'signing' part of the process: type 'gpg --sign-key KeyID' and answer the questions it asks.
- Next you need to send the signed copy of their key back to them. There are two basic ways to do this: email the key directly to them, or upload it to a public keyserver. Many people prefer to receive their keys back by email, so it's courteous to do this unless they've said they don't mind the key being uploaded to a public server. On a typical Linux system you can export the key and send it back to the user by typing: 'gpg --export -a KeyID | mail -s "Your signed key" firstname.lastname@example.org', where 'firstname.lastname@example.org' is their email address.
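The after-the-event steps above, as an added example script that is not part of the original page: it refuses to sign unless the fetched key's fingerprint equals the one on the paper slip and the slip was marked 'ID OK'. The slips file format, the sample gpg output and the key in it are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the original page): the 'After The Event'
# steps as a script that signs a key only when the fetched key's fingerprint
# equals the one on the paper slip AND the slip was marked 'ID OK'.
# Slips file format is an assumption: one line per slip,
# "<ID_OK|ID_BAD> <fingerprint, spaces allowed>".
set -eu

# Canonical form of a fingerprint: no whitespace, upper case.
normalize_fpr() { printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'; }

# The 8-character ID on a slip ('1024D/64011A8B') is the last 8 hex digits of
# the fingerprint. It is a label only, not unique, so gpg below is always
# given the full fingerprint instead.
short_keyid() { normalize_fpr "$1" | tail -c 8; }

# Primary-key fingerprint as GnuPG reports it: field 10 of the first "fpr"
# record in `gpg --with-colons --fingerprint` output.
fpr_from_colons() { printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'; }

# Status 0 only when the slip says ID_OK and the fingerprints agree.
may_sign() { # $1 slip fingerprint  $2 slip verdict  $3 gpg --with-colons output
    [ "$2" = "ID_OK" ] || return 1
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$(fpr_from_colons "$3")")" ]
}

# Constructed sample of what `gpg --with-colons --fingerprint` prints for a
# fetched key (key, fingerprint and user are made up for this example).
SAMPLE_COLONS='pub:u:4096:1:0123456789ABCDEF:1600000000:::u:::scESC::::::23::0:
fpr:::::::::ABCD1234ABCD1234ABCD12340123456789ABCDEF:
uid:u::::1600000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:'

# Fetch, verify and sign each slip; refused keys are reported, never signed.
process_slips() {
    while read -r verdict fpr; do
        full=$(normalize_fpr "$fpr")
        gpg --recv-keys "$full"
        if may_sign "$fpr" "$verdict" "$(gpg --with-colons --fingerprint "$full")"; then
            gpg --sign-key "$full"
            gpg --export -a "$full" > "signed-$(short_keyid "$fpr").asc"  # mail this to the owner
        else
            echo "REFUSED $(short_keyid "$fpr"): fingerprint mismatch or ID not verified" >&2
        fi
    done < "$1"
}

if [ $# -eq 1 ]; then process_slips "$1"; fi
```

Run it as `sh sign-slips.sh slips.txt`; `gpg --sign-key` stays interactive, so you still confirm each signature yourself.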