PGP Key Signing


Joe Abley will organise a series of PGP key signing parties at the NANOG 35 meeting in Los Angeles. In LA, as in Seattle, we are going to hold many, smaller key signing parties spread throughout the meeting, rather than a single big party late on Monday night. Each of the key signing parties will run along the same lines that they always have -- they'll just be smaller, and consequently (we hope!) less tedious.

There will be people who attend all of the key-signing parties. As long as you exchange signatures with these people, you should be able to take advantage of the meeting-wide web-of-trust even if you only attend one party.

Be sure to check for break times once the meeting agenda is posted, so you can attend at least one party.

Stickers for Your Name Badge

When you stop by the registration desk, there will be coloured stickers available for your name tag that indicate if you have an interest in signing PGP keys. If people keep trying to peer with you, you've picked up the wrong colour sticker.

You do not have to attend a key signing party in order to sign keys! If you happen to be sitting next to someone with a PGP sticker on their badge, exchange keys and verify fingerprints with them. The more signatures you exchange with people, the more useful PGP will be to you.

The Day Before

You should get the following three steps done at least the day before you attend one of the key-signing parties. If you plan to attend multiple parties, you only have to follow these steps once.

  1. Generate a PGP Public/Private Key Pair. If you don't already have a public/private PGP key pair, you need to generate one. GnuPG users can type "gpg --gen-key".
  2. Extract your PGP Public Key. Refer to your PGP software's documentation for details; you are looking for a public key extracted in "ASCII-armoured" format. GnuPG users can type "gpg -a --export your-key-id".
  3. Add your Public Key to the NANOG 35 Key Ring. Do this by pasting the ASCII representation of the public key into this convenient form. You can also view all the other keys that have already been uploaded there.

Attending a Key-Signing Party

You should bring:

  1. Sufficient photo-id to convince others that you are who you claim to be (e.g. driver's licence, passport).
  2. A copy of your PGP public key fingerprint that you generated yourself, from a known-trusted copy of your key. GnuPG users can type "gpg --fingerprint your-key-id".
  3. A pen.

You can attend more than one party if you like. When you arrive:

  1. Pick up a copy of that day's NANOG 34 keyring printout from the pile. Locate your own key on the list.
  2. In turn, each person attending the party introduces themselves by name and indicates which key (or keys) on the list is theirs. They then read out their key fingerprint from their own trusted copy, and everybody verifies that this agrees with the fingerprint listed on the sheet.
  3. Once everybody has had a chance to read out their key fingerprints, people can proceed to introduce themselves to people they don't already know, and allow their identities to be verified (e.g. against photo id).

The plan is to keep each Key Signing Party nice and small, so that they can be completed quickly. If you arrive and there are already many people there to sign keys, you might consider leaving again and attending a later key signing party instead.

The Day After

At some point after the key signing party that you attend, you should sign the keys whose authenticity you were able to check. This strengthens the web of trust, and makes PGP more useful for you as a general-purpose tool.

  1. Retrieve the NANOG 35 keyring and import it into your own keyring. GnuPG users can type "gpg --import filename".
  2. For each key that you checked at the party, compare the fingerprint of the imported key against the list that you took home from the key signing party. GnuPG users can type "gpg --fingerprint key-id".
  3. If the fingerprints match, sign the key.
  4. E-mail a copy of the signed key back to the key's owner, or send the key with its new signature to a key server (or both, or whatever you normally like to do).
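
The Day After steps as a script, added here as an example and not part of the original NANOG page: it imports the keyring, then signs only keys whose primary fingerprint appears in a file of fingerprints you verified in person. The file names and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the NANOG page). File and function names are assumptions.

# Print the primary-key fingerprints from `gpg --with-colons --fingerprint`
# output on stdin. In that format field 10 of an "fpr" record is the
# fingerprint; only the fpr that follows a "pub" record is the primary key's.
primary_fprs() {
    awk -F: '$1 == "pub" { primary = 1; next }
             $1 == "sub" { primary = 0; next }
             $1 == "fpr" && primary && $10 != "" { print $10; primary = 0 }'
}

# $1: file of fingerprints you verified in person, one per line, typed as on
#     the printout (spaces and lower case are fine).
# stdin: colon listing. Prints each keyring fingerprint that is on your list.
verified_matches() {
    _wanted=$(tr -d ' \t\r' < "$1" | tr 'a-f' 'A-F')
    primary_fprs | while IFS= read -r _fpr; do
        if printf '%s\n' "$_wanted" | grep -Fxq -- "$_fpr"; then
            printf '%s\n' "$_fpr"
        fi
    done
}

# $1: downloaded keyring file, $2: verified-fingerprint file.
sign_verified() {
    gpg --import "$1" || return 1
    # Collect matches first so gpg's signing prompts can use the terminal.
    for _fpr in $(gpg --with-colons --fingerprint | verified_matches "$2"); do
        gpg --sign-key "$_fpr"   # asks for confirmation and your passphrase
    done
}

# Run as: sh sign-verified.sh nanog35-keyring.asc verified-fingerprints.txt
if [ "$#" -eq 2 ]; then
    sign_verified "$1" "$2"
fi
```

Because the comparison is on the whole fingerprint, a key that was uploaded to the keyring but that you did not verify at the party is never signed.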


Merit Network, Inc.
1000 Oakbrook Drive, Suite 200
Ann Arbor, MI 48104
734-764-9430

© 2005 Merit Network, Inc.