
D&C LUG Keysigning FAQ


What is key signing?

In a sense, key signatures validate public keys. They are an endorsement, by a third party (you), of the validity of a public key and its associated UID. This is how key signing builds the web of trust. Key signing is done to verify that a given user ID and public key really do belong to the person who appears to own the key and who is represented by the user ID packet. You should be extremely careful and always check a key's fingerprint with the owner before signing the key. Never sign a key based on any assumption.


What should I do before signing a key?


What commands do I use to sign a key?

Use gpg to display the fingerprint of the key, as stored in your public keyring on your home system. Carefully match the fingerprint with the printed copy you obtained, in person, from the keyholder - all characters in the key fingerprint must match exactly. Replace KEYID with the ID of the key you want to sign:
$ gpg --fingerprint KEYID

Now you can proceed to sign the key:
$ gpg --edit-key KEYID

Now select the UID that you are going to sign. Remember that you should only select a UID containing an email address that you have already verified by correspondence.
Command> uid 1

To sign other UIDs, toggle between the UIDs as appropriate. Now sign the UID:
Command> sign

You will be prompted to tell GnuPG how carefully you have checked this key. A level of 3 would indicate that you have verified the email address in the UID by a series of email messages and replies, that you have also verified the name in the UID using photo ID and that you have checked the fingerprint of the key with a printed copy given to you personally by the keyholder. Make your selection and confirm that you want GnuPG to sign this key, putting in your passphrase to complete the signature.
Command>

Now edit the level of trust to indicate how much you trust the keyholder to validate other people's keys as carefully as you have verified theirs. This will tell GnuPG how much you want to trust a key that they HAVE signed but you have NOT. It is a personal decision.
Command> trust

(Enter the trust level.)
Command> save

IMPORTANT: Please now export the signed key to a public keyserver, as it has now been updated with your signature. Other people cannot make use of your careful work in signing the key if you don't export it.
$ gpg --keyserver keyserver.kjsl.com --send-key KEYID
That's it!
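The fingerprint comparison at the start of this procedure is the step that must not be skipped or done loosely. As an added illustration (not part of the FAQ), the Python below parses the machine-readable form of the same command, `gpg --with-colons --fingerprint KEYID`, compares the stored fingerprint character by character with the copy transcribed from the keyholder's printed slip, and picks the UID number to select in `--edit-key` by the email address you verified. The key data, names and addresses are constructed for the example.

```python
import re

HEX40 = re.compile(r"^[0-9A-F]{40}$")

# Constructed sample of `gpg --with-colons --fingerprint KEYID` output for a
# key with two UIDs and one subkey; key ids, fingerprints and names are made up.
SAMPLE_COLON_OUTPUT = """\
pub:u:3072:1:0123456789ABCDEF:1700000000:::u:::scESC::::::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:u::::1700000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
uid:u::::1700000000::1111111111111111111111111111111111111111::Alice Example (work) <alice@example.com>::::::::::0:
sub:u:3072:1:FEDCBA9876543210:1700000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""

# Fingerprint as transcribed from the printed slip the keyholder handed over.
PRINTED_COPY = "89AB CDEF 0123 4567 89AB CDEF 0123 4567 89AB CDEF"


def normalize_fingerprint(text):
    """Strip spacing and case; reject anything that is not 40 hex digits."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not HEX40.match(fpr):
        raise ValueError("not a 40-digit hexadecimal fingerprint: %r" % text)
    return fpr


def parse_fingerprint_output(colon_output):
    """Primary key fingerprint and UIDs in listing order from colon-format output."""
    primary_fpr, uids, want_primary = None, [], False
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":            # the next fpr record is the primary key's
            want_primary = True
        elif fields[0] == "fpr" and want_primary:
            primary_fpr, want_primary = fields[9], False   # later fpr lines are subkeys
        elif fields[0] == "uid":
            uids.append(fields[9])
    return {"fingerprint": primary_fpr, "uids": uids}


def fingerprint_mismatches(keyring_fpr, printed_fpr):
    """0-based positions where the two differ; an empty list means an exact match."""
    a, b = normalize_fingerprint(keyring_fpr), normalize_fingerprint(printed_fpr)
    return [i for i in range(40) if a[i] != b[i]]


def uid_to_sign(uids, verified_email):
    """1-based number for `uid N` in --edit-key, or None if no UID has that address."""
    for n, uid in enumerate(uids, start=1):
        if "<%s>" % verified_email.lower() in uid.lower():
            return n
    return None
```

A non-empty mismatch list, or None from `uid_to_sign`, means stop: do not proceed to `sign`.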


Can I transfer signatures to a new key?

If a key that has not been compromised needs to be revoked (or is due to expire soon), it is possible to transfer signatures onto a new key by sending encrypted details to each signatory, provided you still have the passphrase.

  1. Send an email warning / reminder about the imminent replacement of the key (signed with the old key because that's the key that people will recognise) to each signatory.
  2. Ask each signatory to send a SIGNED and encrypted reply to the OLD key containing some quote / random text. It's important that the reply is signed so that you can trust the quote / random text.
  3. Sign each key with your new key as the emails come in and make sure that all the recipient keys are updated on keyservers.
  4. Send an encrypted reply to each signatory, including the appropriate quote / random text and the fingerprint of the new key and make sure that the reply email is signed with your NEW key. Don't revoke signatures made using the old key - they are still valid as long as the old key has not been compromised.
  5. Recipients can update their own keys from keyservers, verify that the new key signature is on their own key and check the fingerprint of your new key. Recipients can also revoke their signatures on your old key at this point. Many recipients would then be willing to sign the new key as there has been an encrypted transfer of data requiring both of the secret keys involved to be available to you alone.
  6. Once you've sent out all the replies to signatories, you can revoke the old key (or just let it expire). Don't delete it from your keyring or you'll lose the ability to read encrypted emails sent to you before the new key was generated.

More Information
