SVN Summit PGP Key Signing

How it works

Things that get verified:

  1. you have the correct key information (fingerprint and user IDs) for each person
  2. each person is who they say they are (photo ID check)
  3. each person controls the email addresses in their user IDs (still to be decided; see below)

Checking that you have the correct key information

We have printed out a list of everyone's key information: key ID, full fingerprint and user IDs, as each person submitted them. Everyone checks their own entry on the list against the information they brought to the summit on paper (write down the full 40-hex-digit fingerprint from your own copy of the key, not just the short key ID, and not from a keyserver). It must also be certain that every copy of the printed list is identical, so each person in turn reads their own fingerprint aloud while everyone else checks it against their copy of the list. Any discrepancy means that entry must not be signed.

Checking that each person is who they say they are

We all line up in the order of the printed list and get out our photo IDs. The person at the front of the line walks down the line, having their ID checked by each person in turn; check that the photo matches the face in front of you and that the name on the ID matches the name on the list. They then join the end of the line. People keep walking down - you don't have to wait for one person to finish before the next starts, but don't bunch up. Once everyone has walked down, everyone should have presented their ID to everyone else.

Email Addresses

The remaining point of uncertainty is how to deal with email address verification. Remember that the thing you actually sign is a PGP user ID, which typically includes an email address, and nothing in the two checks above shows that the key owner controls that address. Many signing-party guides conveniently ignore this issue. One possibility is to use a script (there is one, called caff, in the Debian signing-party package) which signs each user ID separately and emails each individual signature, encrypted to the key, to the address in that user ID. That means that if the owner of the key doesn't control the email address, they never receive the signature for that user ID, and so cannot publish it. But it requires that everyone wrangle with a Perl script. Is that OK?
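As an added example, not part of the original wiki page or of the summit's own procedure: a small script that does the fingerprint comparison from the first check and lists the addresses a caff-style mailer would have to send a separate signature to. It parses the machine-readable output of `gpg --with-colons --fingerprint --list-keys` (the sample below is constructed, with made-up fingerprints) and compares it against the fingerprints each participant brought on paper. The `PAPER_LIST` entries, the sample keys and the names of the helper functions are all assumptions made for the example.

```python
"""Compare the printed summit list against a gpg keyring and list per-UID challenge addresses.

Constructed example; the gpg output and fingerprints below are made up.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of `gpg --with-colons --fingerprint --list-keys` output.
# Field 10 (index 9) of a "fpr" record holds the fingerprint, of a "uid" record the user ID.
SAMPLE_GPG_COLONS = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:1111222233334444:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF11112222:
uid:u::::1500000000::0000000000000000000000000000000000000001::Alice Example <alice@example.org>::::::::::0:
uid:u::::1500000000::0000000000000000000000000000000000000002::Alice Example <alice@example.net>::::::::::0:
sub:u:4096:1:5555666677778888:1500000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210AAAABBBB:
pub:u:2048:1:9999AAAABBBBCCCC:1400000000:::u:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789CCCCDDDD:
uid:u::::1400000000::0000000000000000000000000000000000000003::Bob Example <bob@example.com>::::::::::0:
"""

# What each participant brought on paper (constructed). Bob's last group is deliberately wrong.
PAPER_LIST = [
    {"name": "Alice Example", "fingerprint": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 1111 2222"},
    {"name": "Bob Example", "fingerprint": "abcd ef01 2345 6789 abcd  ef01 2345 6789 cccc eeee"},
]

EMAIL_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>")


@dataclass
class Key:
    fingerprint: str
    uids: list = field(default_factory=list)


def normalize_fingerprint(text):
    """Strip the usual grouping whitespace and require a full 40-hex-digit (v4) fingerprint."""
    fp = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError(f"not a 40-hex-digit fingerprint: {text!r}")
    return fp


def parse_gpg_colons(output):
    """Return one Key per primary key, taking only the fpr record that follows 'pub', not subkeys."""
    keys = []
    current = None
    expect_primary_fpr = False
    for line in output.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            current = Key(fingerprint="")
            keys.append(current)
            expect_primary_fpr = True
        elif rec == "fpr" and current is not None and expect_primary_fpr:
            current.fingerprint = fields[9].upper()
            expect_primary_fpr = False
        elif rec == "uid" and current is not None:
            current.uids.append(fields[9])
        elif rec == "sub":
            expect_primary_fpr = False  # the next fpr belongs to the subkey
    return keys


def check_paper_against_keyring(paper_list, keys):
    """For each paper entry: ('ok'|'mismatch'|'missing', claimed fp, keyring fp or None)."""
    results = []
    for entry in paper_list:
        claimed = normalize_fingerprint(entry["fingerprint"])
        matching = [k for k in keys if any(uid.startswith(entry["name"]) for uid in k.uids)]
        if not matching:
            results.append((entry["name"], "missing", claimed, None))
        elif any(k.fingerprint == claimed for k in matching):
            results.append((entry["name"], "ok", claimed, claimed))
        else:
            results.append((entry["name"], "mismatch", claimed, matching[0].fingerprint))
    return results


def challenge_addresses(key):
    """Addresses a caff-style mailer would send a separate per-UID signature to."""
    return [m.group(1) for uid in key.uids for m in [EMAIL_RE.search(uid)] if m]


if __name__ == "__main__":
    keyring = parse_gpg_colons(SAMPLE_GPG_COLONS)
    for name, status, claimed, actual in check_paper_against_keyring(PAPER_LIST, keyring):
        print(f"{name}: {status} (paper {claimed}, keyring {actual})")
    for key in keyring:
        print(key.fingerprint, "->", ", ".join(challenge_addresses(key)))
```

Run it against real output with `gpg --with-colons --fingerprint --list-keys > keys.txt` and feed the file to `parse_gpg_colons`; anything reported as `mismatch` or `missing` is an entry you should not sign until it has been resolved in person.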

SVNSummitPGP (last edited 2008-06-21 17:33:38 by localhost)