Difference between revisions of "Formal Keysigning"

From SOBAC Wiki
Jump to navigation Jump to search
(→‎ToDo for the Participants: Oops. Removed duplicate headings)
(Added introductory paragraph)
 
(22 intermediate revisions by 2 users not shown)
Line 1: Line 1:
* I'm running a formal keysigning after [[Encrypting E-mail with GnuPG, Thunderbird and Enigmail|my presentation]] at KWLUG on Monday, 2 December 2013.  These are the steps for both the keymaster ([[User:BobJonkman|me]]) and the people attending.  Feel free to make changes or additions as you see necessary. You may find some useful information in the [[Guidelines for Key Signing Parties]].
+
Signing other people's GnuPG/PGP keys and having them sign yours is a way of expanding the Web Of Trust, which makes GnuPG/PGP more useful. People you may not have met trust the signatures on your key, and so trust your key.  In turn, you can trust keys that have signatures of people you trust. The Web Of Trust is how we accomplish the fourth factor of authentication: '''Someone who knows you'''.
: [[User:BobJonkman|BobJonkman]] 05:42, 9 October 2013 (UTC)
 
 
 
* There is now a [http://sobac.com/owncloud/public.php?service=files&t=ba4835619abd5f390a3b655b3e9b7273&download&path=//kwlug-keysigning-ring-2013-12-02.asc KWLUG Keysigning Ring] in the [http://sobac.com/owncloud/public.php?service=files&t=ba4835619abd5f390a3b655b3e9b7273 KWCrypto ownCloud] which will contain the public keys of all the participants.
 
 
 
: If you'd like to participate in the keysigning you can either:
 
# send me [mailto:bjonkman@sobac.com?subject=Public%20Key%20for%20Keysigning%20%5Bbjns%5d encrypted, signed e-mail] with your public key attached
 
# Download [http://sobac.com/owncloud/public.php?service=files&t=ba4835619abd5f390a3b655b3e9b7273&download&path=//kwlug-keysigning-ring-2013-12-02.asc the keyring], add your public key, then upload it to  the [http://sobac.com/owncloud/public.php?service=files&t=ba4835619abd5f390a3b655b3e9b7273 KWCrypto ownCloud].
 
: [[User:BobJonkman|BobJonkman]] 01:12, 26 October 2013 (UTC)
 
-----
 
 
 
{|style="background:#efe; color:black; padding: 1em; border: thick solid green; font-size:large; text-align:center;"
 
|This is a work in progress -- You can help create a definitive procedure for a '''Formal Keysigning''': [[Special:UserLogin |Login]] and [http://sobac.com/wiki/index.php?title=Formal_Keysigning&action=edit edit this page].
 
|}
 
  
 
= Purpose =  
 
= Purpose =  
 
A keysigning is not meant to establish your absolute, one true, [https://support.google.com/plus/answer/1228271?hl=en Real] [https://www.facebook.com/help/112146705538576 Name]™ identity, it is merely to associate a keyID with your identity. The identity you use is up to you, as published in the UserID portion of your GnuPG/PGP key. It could be only an e-mail address, a nickname, or even your real name. It's how people identify you in correspondence, or associate you as the author of a document or software. By signing your key, people verify that the KeyID is associated with the identity by which they know you.
 
A keysigning is not meant to establish your absolute, one true, [https://support.google.com/plus/answer/1228271?hl=en Real] [https://www.facebook.com/help/112146705538576 Name]™ identity, it is merely to associate a keyID with your identity. The identity you use is up to you, as published in the UserID portion of your GnuPG/PGP key. It could be only an e-mail address, a nickname, or even your real name. It's how people identify you in correspondence, or associate you as the author of a document or software. By signing your key, people verify that the KeyID is associated with the identity by which they know you.
 +
 +
A formal keysigning is a way to expand the Web Of Trust to include people whose keys you might not otherwise sign (because you don’t know them very well, or they only have ID issued by an authority you don’t like). With all these introductions and vouchings the chance of someone misrepresenting their identity is vanishingly small, so you can trust that the key fingerprint they read is really associated with that person.
  
 
= Concepts =
 
= Concepts =
Line 28: Line 17:
 
= Preparations before the Keysigning Party =
 
= Preparations before the Keysigning Party =
 
== ToDo for the KeyMaster ==
 
== ToDo for the KeyMaster ==
# Create a keysigning keyring, make it publicly available. This keyring will contain the public keys of the keysiging participants.
+
# Generate '''Keysigning Key'''
# Collect the public keys that people send to you in encrypted, signed e-mail.
+
#:<pre>gpg --gen-key</pre>
# Immediately before the keysigning create a printout of all the KeyIDs, UserIDs and fingerprints in the keyring. Make sufficient copies for all participants. (you could send that printout to all participants in an encrypted, signed e-mail, or participants can download the keyring and print their own).  
+
#* This can be a '''Sign Only''' key
#* Create the printout with:<BR><pre>gpg --no-default-keyring --keyring=./kwlug-keysigning-ring-2013-12-02.asc --fingerprints</pre> <span style="background:yellow;">Note to editor: Verify this syntax! --Bob.</span>
+
#* Use the '''Real Name''' field to identify this Keysigning event, eg. "KWLUG Keysigning 2013-12-02"
 +
#* Doesn't need an e-mail address
 +
#* Use the '''Comment''' field for a URL to the keysigning Web site
 +
# Export the '''Keysigning Public Key'''
 +
#:<pre>gpg --armour --export 0xKEYID > keysigning-public-key.asc</pre>
 +
#* Also upload the '''Keysigning Public Key''' to the keyservers
 +
# Create a '''Keysigning Keyring''', add the '''Keysigning Public Key'''
 +
#:<pre>gpg --no-default-keyring --keyring ./keysigning-keyring --import keysigning-public-key.asc </pre>
 +
# Make the '''Keysigning Keyring''' publicly available. This keyring will also contain the public keys of the keysiging participants.
 +
# Collect the public keys that people send to you in encrypted, signed e-mail, add them to the '''Keysigning Keyring'''
 +
#:<pre>gpg --no-default-keyring --keyring ./keysigning-keyring --import alicepublickey.asc bobpublickey.asc carolpublickey.asc</pre>
 +
#* Remember to update the published '''Keysigning Keyring'''!
 +
# Immediately before the keysigning create a '''Fingerprint List''' of all the KeyIDs, UserIDs and fingerprints in the keyring. Make sufficient copies for all participants.  
 +
#:<pre>gpg --no-default-keyring --keyring=./keysigning-keyring --fingerprint > fingerprintlist.txt</pre>  
 +
#* The KeyMaster can send '''fingerprintlist.txt''' to all participants in an encrypted, signed e-mail, or participants can download the keyring and print their own
 +
#* The '''Keysigning Key''' should be the first key on the list.  Document editing might be necessary.
  
 
== ToDo for the Participants ==
 
== ToDo for the Participants ==
# Add your key to the keysigning keyring
+
# Add your key to the '''Keysigning Keyring'''
## Get a copy of the keysigning keyring (Either download it, or request that the KeyMaster e-mails it to you)
+
## Export your Public Key
## Add your public key to the keysigning keyring<BR>  <pre> '''command line for adding your public key to the keyring goes here'''</pre>
+
##:<pre> gpg --export 0xYOURKEYID &gt; MyPublicKey.gpg</pre>
## Submit the updated keysiging keyring (Either upload it, or e-mail it to the KeyMaster)
+
## Get a copy of the '''Keysigning Keyring'''
# OR E-mail your public key to the keymaster, let him do the work.
+
##*Either download it, or request that the KeyMaster e-mails it to you
 +
## Add your public key to the '''Keysigning Keyring'''
 +
##:<pre>gpg --no-default-keyring --keyring ./keysigning-keyring --import MyPublicKey.gpg</pre>
 +
## Submit the updated keysiging keyring (Either upload it, or e-mail it to the KeyMaster).
 +
# '''OR''' E-mail your public key to the KeyMaster, let him do the work.
  
 
= At the Keysigning Party =  
 
= At the Keysigning Party =  
# ...
+
# KeyMaster distributes the '''Fingerprint List'''
# ...
+
# KeyMaster asks each participant on the '''Fingerprint List''' to make a Formal declaration
# formal declarations and introductions like this:
+
#:<pre>Bob: "I'm Bob Jonkman, the User ID on my key is bjonkman@sobac.com and my GnuPG fingerprint is 04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA"</pre>
<pre>
+
# The KeyMaster asks for others to vouch for the participant:
Bob: "I'm Bob Jonkman, and my keyID is Delta Two Charlie Charlie Echo
+
#:<pre>Alice: "I've known Bob since the early days, and that's really him"</pre>
      Five Echo Alpha"
+
# Everyone marks on their copy of the '''Fingerprint''' if they're sufficiently convinced that the participant really owns the key with that fingerprint.
 +
# The KeyMaster repeats the process until all participants have made their declarations and been vouched for.
  
Andrew: "I've known Bob since the early days, and that's really him"
+
= After the Keysigning Party =
</pre>
+
== Participants ==
 +
# Download the Keysigning Keyring
 +
#* or download each individual key from the keyserver, or get it directly from the owner
 +
# Import the keys from the '''Keysigning Keyring''' into your keyring
 +
#:<pre>gpg --import keysigning-keyring</pre>
 +
# Verify that the key fingerprint matches for each participant you've checked off, '''only then''':
 +
# Sign the Public Key for each participant you've checked off.
 +
#* Also sign the '''Keysigning Public Key''' (optional, but creates a convenient record of participants)
 +
#:<pre>gpg --sign-key 0xParticipantID</pre>
 +
# Send each signed Public Key to its owner by e-mail, with copy to the KeyMaster.
 +
#* '''''DO NOT''''' upload other people's keys to the keyservers without their permission!
 +
#: <pre> gpg --armor --output 0xParticipantID.signed-by.0xYourID.asc --export 0xParticipantID</pre>
  
 +
== KeyMaster ==
 +
# The KeyMaster signs each participant's key with the '''Keysigning Secret Key''' to verify they've participated.
 +
# The KeyMaster updates the '''Keysigning Keyring''' with all the signed keys.
 +
# The KeyMaster expires the '''Keysigning Key''' to close the keysigning event.
 +
 +
-----
 +
== See Also: ==
 +
[[Informal Keysigning]]
  
 
[[Category:KWCrypto]][[Category:HowTo]]
 
[[Category:KWCrypto]][[Category:HowTo]]

Latest revision as of 15:40, 3 August 2015

Signing other people's GnuPG/PGP keys and having them sign yours is a way of expanding the Web Of Trust, which makes GnuPG/PGP more useful. People you may not have met trust the signatures on your key, and so trust your key. In turn, you can trust keys that have signatures of people you trust. The Web Of Trust is how we accomplish the fourth factor of authentication: Someone who knows you.

Purpose

A keysigning is not meant to establish your absolute, one true, Real Name™ identity, it is merely to associate a keyID with your identity. The identity you use is up to you, as published in the UserID portion of your GnuPG/PGP key. It could be only an e-mail address, a nickname, or even your real name. It's how people identify you in correspondence, or associate you as the author of a document or software. By signing your key, people verify that the KeyID is associated with the identity by which they know you.

A formal keysigning is a way to expand the Web Of Trust to include people whose keys you might not otherwise sign (because you don’t know them very well, or they only have ID issued by an authority you don’t like). With all these introductions and vouchings the chance of someone misrepresenting their identity is vanishingly small, so you can trust that the key fingerprint they read is really associated with that person.

Concepts

Four factors of authentication:

  1. Something you know (passphrase)
  2. Something you own (key fob, pass card)
  3. Something you are (fingerprint, retinal scan)
  4. Someone who knows you (trusted introducer)

A keysigning party increases the Web of Trust, or the number of trusted introducers who will vouch for the association of your identity with your KeyID.

Preparations before the Keysigning Party

ToDo for the KeyMaster

  1. Generate Keysigning Key
    gpg --gen-key
    • This can be a Sign Only key
    • Use the Real Name field to identify this Keysigning event, eg. "KWLUG Keysigning 2013-12-02"
    • Doesn't need an e-mail address
    • Use the Comment field for a URL to the keysigning Web site
  2. Export the Keysigning Public Key
    gpg --armour --export 0xKEYID > keysigning-public-key.asc
    • Also upload the Keysigning Public Key to the keyservers
  3. Create a Keysigning Keyring, add the Keysigning Public Key
    gpg --no-default-keyring --keyring ./keysigning-keyring --import keysigning-public-key.asc 
  4. Make the Keysigning Keyring publicly available. This keyring will also contain the public keys of the keysiging participants.
  5. Collect the public keys that people send to you in encrypted, signed e-mail, add them to the Keysigning Keyring
    gpg --no-default-keyring --keyring ./keysigning-keyring --import alicepublickey.asc bobpublickey.asc carolpublickey.asc
    • Remember to update the published Keysigning Keyring!
  6. Immediately before the keysigning create a Fingerprint List of all the KeyIDs, UserIDs and fingerprints in the keyring. Make sufficient copies for all participants.
    gpg --no-default-keyring --keyring=./keysigning-keyring --fingerprint > fingerprintlist.txt
    • The KeyMaster can send fingerprintlist.txt to all participants in an encrypted, signed e-mail, or participants can download the keyring and print their own
    • The Keysigning Key should be the first key on the list. Document editing might be necessary.

ToDo for the Participants

  1. Add your key to the Keysigning Keyring
    1. Export your Public Key
       gpg --export 0xYOURKEYID > MyPublicKey.gpg
    2. Get a copy of the Keysigning Keyring
      • Either download it, or request that the KeyMaster e-mails it to you
    3. Add your public key to the Keysigning Keyring
      gpg --no-default-keyring --keyring ./keysigning-keyring --import MyPublicKey.gpg
    4. Submit the updated keysiging keyring (Either upload it, or e-mail it to the KeyMaster).
  2. OR E-mail your public key to the KeyMaster, let him do the work.

At the Keysigning Party

  1. KeyMaster distributes the Fingerprint List
  2. KeyMaster asks each participant on the Fingerprint List to make a Formal declaration
    Bob: "I'm Bob Jonkman, the User ID on my key is bjonkman@sobac.com and my GnuPG fingerprint is 04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA"
  3. The KeyMaster asks for others to vouch for the participant:
    Alice: "I've known Bob since the early days, and that's really him"
  4. Everyone marks on their copy of the Fingerprint if they're sufficiently convinced that the participant really owns the key with that fingerprint.
  5. The KeyMaster repeats the process until all participants have made their declarations and been vouched for.

After the Keysigning Party

Participants

  1. Download the Keysigning Keyring
    • or download each individual key from the keyserver, or get it directly from the owner
  2. Import the keys from the Keysigning Keyring into your keyring
    gpg --import keysigning-keyring
  3. Verify that the key fingerprint matches for each participant you've checked off, only then:
  4. Sign the Public Key for each participant you've checked off.
    • Also sign the Keysigning Public Key (optional, but creates a convenient record of participants)
    gpg --sign-key 0xParticipantID
  5. Send each signed Public Key to its owner by e-mail, with copy to the KeyMaster.
    • DO NOT upload other people's keys to the keyservers without their permission!
     gpg --armor --output 0xParticipantID.signed-by.0xYourID.asc --export 0xParticipantID

KeyMaster

  1. The KeyMaster signs each participant's key with the Keysigning Secret Key to verify they've participated.
  2. The KeyMaster updates the Keysigning Keyring with all the signed keys.
  3. The KeyMaster expires the Keysigning Key to close the keysigning event.

See Also:

Informal Keysigning