Signing Keys

Best practice

Follow these steps whenever you sign someone else's key:

  • Make sure that you definitely have the right key. The check depends on where the key came from:
    • If the key comes from any public source, such as a keyserver, ask the person to read out the full fingerprint of their key and verify it against the fingerprint of the key you have in front of you. Compare every digit, not just the last few.
    • If the key is handed to you in person on a USB stick or some other offline medium, you already know who it came from, so the read-out can be quicker; but compare at least the long key ID and preferably the whole fingerprint. The short (8 hex digit) key ID is cheap to collide and proves nothing on its own, and only the full fingerprint identifies a key unambiguously.
  • Make sure the person is who they say they are and that the email addresses (user IDs) they claim are theirs. You can do this in two ways:
    • If you have known the person for many years and are certain they are who they say they are, all you need do is ask whether they still use the email addresses listed.
    • If you don't know the person, ask to see photo ID from an issuer that you believe does reasonable identity checks. How you verify that the email addresses are theirs is up to you: many people skip this, but you can use an automated tool, simply send a mail to each address and ask for a reply, or (better) send the signature for each address encrypted to the key, so that only someone who controls both that address and the secret key can make use of it.

You can now certify the user IDs you have confirmed, using your key to make exportable signatures (in GnuPG, sign rather than lsign: a local signature never leaves your keyring, so it is no use to them). Then send them a copy of their newly signed key to merge into their own copy. Encrypting that copy to their key when you send it costs nothing and ensures that only the holder of the secret key can use your signature.

Key signing parties

These are gatherings of geeks with OpenPGP keys who come together to sign each other's keys. They generally work like this:

  • Everyone submits their key in advance to the organiser, who prints a list of the details of each key, including its fingerprint and user IDs, and gives each participant a copy.
  • Each participant in turn reads out their fingerprint and the user IDs they want signed, whilst all the other participants check those details against their copy of the printout.
  • All the participants line up and, one at a time, each walks slowly down the line showing their photo ID to everyone else. Everyone is expected to actually check the ID, not just wave people on.
  • Afterwards each participant signs the keys of the others, checking each key's fingerprint against their printout before signing and signing only the confirmed user IDs.
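The signing procedure from Best practice and the party hand-out from the list above, run end to end with GnuPG as an added example (this script is not from the original page or from any of the tools it mentions). It creates two throwaway keyrings, "alice" (the signer) and "bob" (whose key is being signed); the names, addresses, the second user ID and the fingerprint Bob "reads out" are all constructed for the demo, and the keys are made without a passphrase purely so that nothing prompts.

```shell
#!/bin/sh
# Added example, not part of the original page: the key-signing steps with GnuPG,
# using throwaway keyrings for Alice (signer) and Bob (signee). All names,
# addresses and the read-out fingerprint are constructed for the demo.
set -eu

WORK=$(mktemp -d)
mkdir -p "$WORK/alice" "$WORK/bob"
chmod 700 "$WORK/alice" "$WORK/bob"

# One wrapper per keyring. Keys are created without a passphrase and pinentry is
# bypassed so nothing prompts; a real signing key would of course be protected.
ga() { gpg --homedir "$WORK/alice" --batch --pinentry-mode loopback --passphrase '' "$@"; }
gb() { gpg --homedir "$WORK/bob"   --batch --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint of a key in a keyring, as bare hex digits.
fpr_of() { "$1" --with-colons --fingerprint "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }

# Normalise a fingerprint however it was read out (grouped, lower case) to bare hex.
normalize_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# Succeeds only when the whole fingerprint matches. Comparing just the key ID
# (the last 8 or 16 hex digits) is not enough: short IDs are cheap to collide and
# neither ID was designed to identify a key securely, so a key-ID match is rejected.
verify_fpr() {  # $1 = fingerprint of the key in front of you, $2 = fingerprint read out
  have=$(normalize_fpr "$1"); told=$(normalize_fpr "$2")
  [ "${#told}" -ge 40 ] && [ "$have" = "$told" ]
}

# Party hand-out for every key in a keyring: fingerprint followed by its user IDs.
party_list() {
  "$1" --with-colons --fingerprint | awk -F: '
    $1=="pub" {seen=0}
    $1=="fpr" && !seen {print "Fingerprint: " $10; seen=1}
    $1=="uid" {print "  UID: " $10}'
}

# User IDs of key $2 in keyring $1 that carry a good ("!") certification from key ID $3.
uids_signed_by() {
  "$1" --with-colons --check-sigs "$2" | awk -F: -v kid="$3" '
    $1=="uid" {uid=$10}
    $1=="sig" && $2=="!" && $5==kid {print uid}'
}

run_demo() {
  ga --quick-generate-key 'Alice <alice@example.org>' default default never
  gb --quick-generate-key 'Bob <bob@example.org>'     default default never
  BOB_FPR=$(fpr_of gb bob@example.org)
  ALICE_FPR=$(fpr_of ga alice@example.org)
  gb --quick-add-uid "$BOB_FPR" 'Bob <bob@example.net>'   # a second UID Alice will NOT confirm

  # Bob publishes his key (a file stands in for the keyserver); Alice fetches it.
  gb --export --armor "$BOB_FPR" > "$WORK/bob.asc"
  ga --import "$WORK/bob.asc"

  # Step 1: Bob reads his fingerprint out in groups of four; Alice checks all of it.
  # A mismatch aborts the script here (set -e): never sign past a failed check.
  READ_OUT=$(printf '%s' "$BOB_FPR" | sed 's/..../& /g')
  verify_fpr "$(fpr_of ga bob@example.org)" "$READ_OUT"

  # Step 2 (identity and address checks) happens in person; assume only
  # bob@example.org was confirmed. Step 3: an exportable signature on that UID
  # alone. --quick-sign-key insists on the full fingerprint, which is the point;
  # --quick-lsign-key would make a local, non-exportable signature instead.
  ga --yes --quick-sign-key "$BOB_FPR" bob@example.org

  # Send Bob his newly signed key, encrypted to that key: only the holder of the
  # secret key can read and merge it.
  ga --export --armor "$BOB_FPR" > "$WORK/bob-signed.asc"
  ga --yes --armor --recipient "$BOB_FPR" --output "$WORK/bob-signed.asc.gpg" \
     --encrypt "$WORK/bob-signed.asc"

  # Bob decrypts and merges; he also needs Alice's public key to check her signature.
  ga --export --armor "$ALICE_FPR" | gb --import
  gb --decrypt "$WORK/bob-signed.asc.gpg" | gb --import
  SIGNED_UIDS=$(uids_signed_by gb "$BOB_FPR" "$(printf '%s' "$ALICE_FPR" | tail -c 16)")
  echo "UIDs now certified by Alice:"; echo "$SIGNED_UIDS"
}

cleanup() {
  gpgconf --homedir "$WORK/alice" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$WORK/bob"   --kill gpg-agent 2>/dev/null || true
  rm -rf "$WORK"
}

if command -v gpg >/dev/null 2>&1; then
  run_demo
  party_list ga                                   # what the organiser would print
  PARTY_KEYS=$(party_list ga | grep -c '^Fingerprint:')
  cleanup
else
  echo "gpg not installed: skipping the live demo" >&2
fi
```

Run it as a plain script; it needs only gpg and leaves nothing behind. The output ends with a single line, Bob <bob@example.org>, showing that the unconfirmed bob@example.net user ID received no signature. Doing the encrypted-delivery step once per user ID, with each signature sent only to its own address, is the stronger form of email verification and is what the per-address tools mentioned above automate.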

An automated tool, such as the one described below, can take care of much of the bookkeeping.

Tools

The only key signing enabler that we know of is Biglumber, which automates the process and does email address verification. Using this can save a lot of time.