keysigning parties

Robert J. Hansen rjh at sixdemonbag.org
Thu Jul 14 06:15:47 CEST 2011


> I am having a really hard time finding any *current* info on
> key signing parties. I was wondering if someone could point me in the
> right direction. 

What sort of information do you need?

If it's, "how do I find one?", the best answer is, "throw one!"  Turn it into a social event: do something like host a doubleheader of _Sneakers_ and _The Conversation_, tell people to BYOB and bring printed slips with their certificate fingerprints.

If it's, "how do we share certificate fingerprints quickly?", the general protocol is this.  Before the party, everyone gets told a headcount for attendees.  Each participant is required to bring a number of printed copies of their fingerprint.  Each copy has the person's name, the identity documents they'll be presenting, and their preferred email address.  (I have my email address and fingerprint on my business cards: for me, I just write down "passport + DL" on the back and I'm done.)

At the party, divide the attendees into two equal groups.  Assemble them into two lines facing each other.  Each pair of people verify each other's identity documents and pocket the other person's fingerprint slip.  If for whatever reason you want to reject an identity document, you put a strikethrough on that part of the slip.

After a couple of minutes, each pair of people will be finished.  The line moves down one, and the person who just 'fell off the end' cycles back to the first position.  Repeat this until the entire line has been completed.

* Why paper slips? -- because the fingerprint is really all you need to circulate: with the fingerprint the recipient can find it on the keyservers.  Also, if you share media you open the door for propagating malware, and that's a Bad Thing.

* Why put the documents you're presenting on each slip? -- because if you're collecting papers and fingerprints from 25 other people, it's handy to have a way to remember, "ah, right, key 0xD6B98E10 -- I saw Rob's passport and his driver's license."  This sort of information is useful: it may enter into some people's security models.

* Why reject documents? -- because people are allowed to have their own security policies, and some people may say, "I don't know what a valid Connecticut driver's license looks like, so I'm going to reject this DL because I have no way of telling if it's real."
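
Added example, not part of the original post: one way to reconcile the collected slips with the keys fetched from the keyservers afterwards, comparing the full 40-digit fingerprint and never a short key ID. The slip fields, verdict strings, sample keys (one shares only its last 8 digits with Bob's slip) and the "at least one accepted document" policy are assumptions made for illustration.

```python
import re
# Constructed `gpg --with-colons --fingerprint` output (not real keys).
# Field 10 is the fingerprint on "fpr" lines and the user ID on "uid" lines.
FETCHED = """\
pub:-:4096:1:89ABCDEF01234567:1300000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1300000000::::Alice Example <alice@example.org>:
sub:-:4096:1:0000111122223333:1300000000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
pub:-:2048:1:66667777FEDCBA98:1300000000:::-:::scESC:
fpr:::::::::00001111222233334444555566667777FEDCBA98:
"""
SLIPS = [  # constructed slips; "rejected" = documents struck through at the party
    {"email": "alice@example.org", "presented": ["passport", "DL"], "rejected": ["DL"],
     "fingerprint": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"},
    {"email": "bob@example.org", "presented": ["passport"], "rejected": [],
     "fingerprint": "FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98"},
]

def normalize(printed):
    """Fingerprint as printed on a slip -> 40 uppercase hex digits, or ValueError."""
    fpr = re.sub(r"\s+", "", printed).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a full 40-digit fingerprint: %r" % printed)
    return fpr

def primary_keys(colon_output):
    """Map primary-key fingerprint -> user IDs; subkey fingerprints are skipped."""
    keys, current, last = {}, None, None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            last, current = f[0], (None if f[0] == "pub" else current)
        elif f[0] == "fpr" and last == "pub":
            current = keys.setdefault(f[9], [])
        elif f[0] == "uid" and current is not None:
            current.append(f[9])
    return keys

def check_slip(slip, keys):
    uids = keys.get(normalize(slip["fingerprint"]))
    if uids is None:
        return "no-key-with-this-fingerprint"
    if not any("<%s>" % slip["email"].lower() in u.lower() for u in uids):
        return "email-not-on-key"
    if not set(slip["presented"]) - set(slip["rejected"]):
        return "no-accepted-id"  # assumed policy: need one accepted document
    return "ok-to-sign"

if __name__ == "__main__":
    print([check_slip(s, primary_keys(FETCHED)) for s in SLIPS])
```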




