Keysigning

Since a lot of developers meet at trade shows or conferences they have become a nice way to get other people sign ones OpenPGP key and improve the web of trust. Especially for people who are new to the project, keysigning and meeting other developers has been very interesting.

This document intends to help you with running a keysigning session. Note that all examples use keyring.debian.org as the keyserver. If the key in question is not in the Debian keyring, replace keyring.debian.org with a public keyserver like keys.openpgp.org (which is a validating key server).

People should only sign a key under at least two conditions:

  1. The key owner convinces the signer that the identity in the UID is indeed their own identity by whatever evidence the signer is willing to accept as convincing. Usually this means the key owner must present a government issued ID with a picture and information that match up with the key owner. (Some signers know that government issued ID's are easily forged and that the trustability of the issuing authorities is often suspect and so they may require additional and/or alternative evidence of identity).
  2. The key owner verifies that the fingerprint and the length of the key about to be signed is indeed their own.

Most importantly, if the key owner is not actively participating in the exchange, you won't be able to complete either requisite 1 or 2. Nobody can complete the key owner's part of requisite 1 on the key owner's behalf, because otherwise anyone with a stolen ID card could easily get an OpenPGP key to go with it by pretending to be an agent of the keyowner. Nobody can complete the key owner's part of requisite 2 on the key owner's behalf, since the agent could substitute the fingerprint for a different OpenPGP key with the key owner's name on it and get someone to sign the wrong key.

The signing-party Debian package provides some tools to help you with this process. gpg-key2ps turns an OpenPGP key into a PostScript file to print paper slips with your fingerprint, and gpg-mailkeys will email a signed key to its author. The package also includes caff which is a more advanced tool. See the package documentation for more information.

What you should not do

You should never sign a key for somebody else you haven't met personally. Signing a key based on anything other than first-hand knowledge destroys the utility of the Web of Trust. If ones friend presents other developers with your ID card and your fingerprint, but you are not there to verify that the fingerprint belongs to you, what do other developers have to link the fingerprint to the ID? They have only the friend's word, and the other signatures on your key -- this is no better than if they signed your key just because other people have signed it!

It is nice to get more signatures on ones key, and it is tempting to cut a few corners along the way. But having trustworthy signatures is more important than having many signatures, so it's very important that we keep the keysigning process as pure as we can. Signing someone else's key is an endorsement that you have first-hand evidence of the keyholder's identity. If you sign it when you don't really mean it, the Web of Trust can no longer be trusted.

More information