
Signing OpenPGP Keys

Signing a key indicates explicitly that you believe a combination of a key and a uid (e.g. email address) to be authentic. The graph of all member keys connected by signatures is the OpenSkills Identity Matrix.

If you are a Debian user you can use the signing-party package to help, and in particular the gpg-key2ps and caff commands. Please do read the following notes as well.

Before signing the key of another person:

Here, we focus on the parts of keysigning applicable to OpenSkills. For a more general overview the PGP Keysigning party HOWTO gives a great (and amusing) description of what it means to sign keys, and the process involved.

Key authenticity

Key signing involves more than typing in commands. The commands merely record the result of an assessment: an assessment of the authenticity of a key and your confidence in the identity of another person.

To have someone else sign your key you must meet them in person, demonstrate that you are who you claim to be, and give them information so that they can identify your key (the key to be signed).

bash-2.05a$ gpg --fingerprint 0637B724
pub  1024D/0637B724 2003-04-09 Fred Bloggs 
     Key fingerprint = 3318 D8EC 1EAD 3771 3B54  2893 175B 8FE1 BEBB 933F
sub  1024g/AD341A3B 2003-04-09

Use a word processor to make up a sheet with lots of copies of the fingerprint, and cut the sheet into slips - each with a single copy of the fingerprint. Give one of these slips to the person you are asking to sign your key,

The preceding steps are critical to the quality, and therefore the value, of the OpenSkills Identity Matrix. If a questionable identity is introduced to the matrix, the entire matrix is devalued. If in doubt, don't sign.

Signing a key

REMEMBER: Only sign keys after you have positively checked the identity of the other party and the key to be signed!

Always sign keys on a trusted computer. Do not install your private key on someone else's machine in order to sign keys. If you are at a key signing party where many people are exchanging key information, wait until you get home before working carefully through the following.

After making absolutely sure that the person asking you to sign a key is who they claim to be, and obtaining from them the identity of the key, signing is fairly straightforward. When signing a key, it is possible to say how much confidence you have in the authenticity of the key you sign.

First, add the key to your key ring. Merely adding a key to your key ring says nothing about the authenticity of a key.

For the purposes of OpenSkills, we require that the key associated with membership be in a public key repository. Check that the key is on the key server through the web interface. If the key is not there, get the person asking you to sign the key to put it on the key server. You can get a known key from a key server using the ID of the key (0637B724 in the case of the Fred Bloggs key) with the command:

gpg --keyserver subkeys.pgp.net --recv-keys 0637B724

or if Fred's email address is fred@bloggs.com:

gpg --keyserver subkeys.pgp.net --search-keys fred@bloggs.com

Now the key is on your key ring, so you can check the fingerprint against the information given to you by the person asking you to sign the key. Use the --fingerprint gpg command to look at the fingerprint, as in the example above.

Once you are quite sure that you have the correct key:

Once --sign-key has finished, you have signed the key. The last thing to do is to update the key on the key server with your signature. At this point you have:
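The fingerprint check described above and the sign-then-publish steps that follow it, written out as an added shell example (this is not the OpenSkills page's own script). The pure checks run offline on a constructed copy of the page's `gpg --fingerprint 0637B724` output; the email address in that sample is an assumption, as the page elides it. The sign_checked_key helper is hypothetical: it needs gpg and a reachable key server, defaults to the page's subkeys.pgp.net unless KEYSERVER is set, and refuses to sign unless the slip and gpg agree on the full 40-digit fingerprint.

```shell
#!/bin/sh
# Added example, not the page's own code. Compare a fingerprint slip against what
# gpg reports, and only then sign and publish the key.

# Constructed sample modelled on the page's `gpg --fingerprint 0637B724` output
# (the email address is an assumption; the page does not show it).
SAMPLE_GPG_OUTPUT='pub  1024D/0637B724 2003-04-09 Fred Bloggs <fred@bloggs.com>
     Key fingerprint = 3318 D8EC 1EAD 3771 3B54  2893 175B 8FE1 BEBB 933F
sub  1024g/AD341A3B 2003-04-09'

# Keep only hex digits, upper-cased: slips are written with spaces and mixed case.
normalize_fpr() {
    printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# Primary-key fingerprint from classic "Key fingerprint = ..." output (first one only).
extract_fpr() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Key fingerprint = //p' \
        | head -n 1 \
        | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# Succeeds (exit 0) only if the slip and gpg give the same complete 40-digit fingerprint.
# An 8- or 16-digit key ID such as 0637B724 is rejected: it is not a fingerprint.
fpr_matches_slip() {
    slip=$(normalize_fpr "$1")
    got=$(extract_fpr "$2")
    [ "${#slip}" -eq 40 ] || return 1
    [ "${#got}" -eq 40 ] || return 1
    [ "$slip" = "$got" ]
}

# Hypothetical end-to-end helper: fetch the key, compare via gpg's machine-readable
# colon format, sign by full fingerprint, then push the signed key back.
# KEYSERVER is an assumption; the default is the server the page uses.
sign_checked_key() {
    keyid=$1
    slip=$2
    keyserver=${KEYSERVER:-subkeys.pgp.net}
    gpg --keyserver "$keyserver" --recv-keys "$keyid" || return 1
    got=$(gpg --with-colons --fingerprint "$keyid" \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "${#got}" -ne 40 ] || [ "$(normalize_fpr "$slip")" != "$got" ]; then
        echo "fingerprint mismatch for $keyid: not signing" >&2
        return 1
    fi
    gpg --sign-key "$got" || return 1      # address the key by full fingerprint
    gpg --keyserver "$keyserver" --send-keys "$got"
}

# Offline demonstration against the constructed sample.
if fpr_matches_slip "3318 D8EC 1EAD 3771 3B54  2893 175B 8FE1 BEBB 933F" "$SAMPLE_GPG_OUTPUT"; then
    echo "slip matches gpg: safe to proceed with --sign-key"
fi
if ! fpr_matches_slip "0637B724" "$SAMPLE_GPG_OUTPUT"; then
    echo "a short key ID is not a fingerprint check: refusing"
fi
```

The comparison deliberately insists on the whole fingerprint rather than the short key ID printed in the pub line, because only the full fingerprint identifies the key; the workflow helper uses --with-colons so the parsing does not depend on the human-readable layout, which differs between GnuPG versions.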

Trust

Going beyond signing keys, it is possible to record how much you trust the individual you believe owns a key.

Tools

Signing keys can be laborious. There are tools and scripts that can help: