Is anyone else interested in GPG/PGP keysigning while at Congress? I’ll have my fingerprint with me, and will happily sign keys if you have fingerprint+ID.
Why?
Establishing a web of trust. A public key is really just some data, and you can claim that a given key belongs to anyone. If, for example, I sign your key, then anyone who trusts me would be able to see “Ah, yes, William says this is the right key so I’ll believe William and use this key”.
What if I don’t trust you?
Luckily, this is not really relevant. Me signing your key is me saying “Yes, this is Bob’s key”. It does not in any way give me access to your key. Indeed, all you need to do is show me your public key and some ID so that I know it is you. Likewise, I can show you my public key and you “sign” it to say that you agree that my key belongs to me.
How?
I use GPG+mutt, so I won’t be able to give step-by-step advice on how to use gpg/pgp with other email clients. However, there are many tutorials on the internet so searching should help. In addition, if you have particular questions I’ll do my best to answer them.
No, really, how do I sign keys?
There are three steps: bring your fingerprint, exchange fingerprints, and the actual signing.
Fingerprint
First, you need to show people the fingerprint of your key. I’ll use the command-line gpg program and my key as an example. My key ID is 0x658AA6C401163E65 so I run
$ gpg --fingerprint --keyid-format 0xlong 0x658AA6C401163E65
pub 4096R/0x658AA6C401163E65 2012-09-12 [expires: 2016-09-11]
Key fingerprint = 3899 138A 83DF 32B7 F519 DC70 658A A6C4 0116 3E65
uid William Pettersson <william@ewpettersson.se>
uid William Pettersson <enigma@strudel-hound.com>
uid William Pettersson <william.pettersson@gmail.com>
sub 4096R/0xCCAEA94065885B3A 2012-09-12 [expires: 2016-09-11]
From this you see the fingerprint. Print (or write out) many copies of this to bring. Make sure each copy at least lists your name and the key ID (the 0x658AA6C401163E65 in my case). I tend to just print out the whole output.
Exchanging fingerprints
On the day, you’ll need to give people your fingerprint. However, people shouldn’t just accept fingerprints blindly. They should either know you, or check your ID to make sure you aren’t an imposter. You should also accept fingerprints from others. Don’t be afraid to ask for ID if you don’t recognise someone.
Signing keys
Lastly, you’ll need to sign the keys. This is often done later, as not everyone carries their secret key around. You will also need a keyserver set up. I use pgp.mit.edu but any should work.
First, download the key(s)
gpg --recv-keys 0x658AA6C401163E65
Then, sign the key
gpg --sign-key 0x658AA6C401163E65
Lastly, upload the signed key to a keyserver. Note that you can do this with multiple people in parallel; signatures shouldn’t get clobbered.
gpg --send-key 0x658AA6C401163E65
Obviously if you’re using a different program the details will be different, but the main steps are still the same. Bring your fingerprint, verify identities and exchange fingerprints, then sign+upload the signed keys.
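The check that ties the three steps together is comparing the fingerprint on the slip you were handed against the fingerprint gpg reports for the key you downloaded, and only signing when they agree. The following is an added example (not from the original post) that does exactly that in POSIX sh; it uses the fingerprint and key ID shown above as sample input, and the verify_and_sign function assumes gpg is installed and a keyserver is reachable.

```shell
#!/bin/sh
# Added example: compare a fingerprint copied from a printed slip with the
# one gpg reports for the downloaded key, and sign/upload only on a match.

# Normalise a fingerprint as printed on a slip ("3899 138A ... 3E65")
# to 40 upper-case hex characters with no spacing.
normalise_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# The long (64-bit) key ID is the last 16 hex digits of the v4 fingerprint,
# so the key ID to fetch can be derived from the slip itself.
keyid_from_fpr() {
  fpr=$(normalise_fpr "$1")
  printf '0x%s' "$(printf '%s' "$fpr" | tail -c 16)"
}

# Return 0 if the slip's fingerprint is well-formed and identical to the
# fingerprint gpg reported for the downloaded key, 1 otherwise.
fpr_matches() {
  slip=$(normalise_fpr "$1")
  downloaded=$(normalise_fpr "$2")
  [ "${#slip}" -eq 40 ] && [ "$slip" = "$downloaded" ]
}

# Fetch the key, check its fingerprint against the slip, then sign and upload.
# Assumes gpg and a configured keyserver; the colon-separated output's
# "fpr" record carries the fingerprint in field 10.
verify_and_sign() {
  slip_fpr=$1
  keyid=$(keyid_from_fpr "$slip_fpr")
  gpg --recv-keys "$keyid" || return 1
  got=$(gpg --with-colons --fingerprint "$keyid" | awk -F: '$1=="fpr"{print $10; exit}')
  if fpr_matches "$slip_fpr" "$got"; then
    gpg --sign-key "$keyid" && gpg --send-key "$keyid"
  else
    echo "fingerprint mismatch for $keyid, not signing" >&2
    return 1
  fi
}

# Constructed sample input: the fingerprint printed earlier in this post.
SAMPLE_FPR='3899 138A 83DF 32B7 F519 DC70 658A A6C4 0116 3E65'
```

Call verify_and_sign "$SAMPLE_FPR" after exchanging slips; a mismatch aborts before any signature is made.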
(Should I put this on a wiki?)
Edit 1: Converted to use long (64bit) key IDs as per BenM’s comment.