Key signing party for small teams

To make key signings as efficient as possible it’s important that all participants comes prepared. We avoid using Key Servers, since they are flakey, slow and might publish more information than you want. Before the event all users should have received a list of keys that will be signed, and imported them into their own keyring.

Most people don’t carry around their master key, or prefer to keep it air-gapped. These people will provide their signature later. During the signing party everyone will take a secure note of KeyID and fingerprints that they have checked.

To speed up the process and help for those with offline keys a list of KeyID and fingerprints can be prepared as a hardcopy, where the participants can take notes.

The benefit of GPG in the workplace

Most companies do a decent job with background checks and general vetting of people before hiring them. And physical security in buildings is often more than good enough, someone will notice if you go around pretending to be me at the office. On the Internet however that is a lot harder, so you need to have some kind of digital proof, something that cannot be copied or easily stolen.

And that’s GPG. Users store the private keys (or signing keys) on security tokens, like YubiKey, which cannot be copied without being destroyed, and when lost, is easily noticed. The token is protected by a PIN-number, and the private key stored on the devices is protected by a passphrase. So you need three things, a PIN, passphrase and token to impersonate someone.

A very typical scenario is that someone needs to reset or unlink MFA device from their account or something similar. It could be anyone requesting that you do that - unless they sign the request with their key, a key you know only they can (within reason) hold, that you or enough people you already trust approve off. And since we also can encrypt any data we need to send them, we don’t have to worry too much about how we’re sending it.

You also get the added benefit of a second vetting. Security works best in layers, it’s best to not assume anything. If the user loses their key or doesn’t have it you just have to do another Key Signing. At least if you want to do anything online for this user.

Lets do the Key Signing Dance

To check that the key holder is who they say they are, we meet up face-to-face, and do the key signing dance:

  1. The other participants import the key holders public key into their local keyring, using either of these alternatives:
    • gpg --import foobar.gpg
    • gpg --locate foo@foobar.com
    • gpg --recv-keys foo@foobar.com [--keyserver <pgp.mit.edu|pool.sks-keyservers.net>]
    • curl https://github.com/foobar.gpg | gpg --import
  2. The key holder confirms their KeyID and fingerprint by reading it out loud
  3. The other participants verify the key holders valid ID, like a drivers license or passport
  4. The other participants takes a note that they’ve verified this key

When all keys are verified the participants either sign and export the signature at the venue and hand them over to the key holder, or wait until they have access to their master key and do it then. Out of curtesy it’s common to not publish key signatures to public key servers, but rather export the signature and send it via email to the key holder. Then they can import the signatures and publish it key servers and web key directory at their own will.

  1. Sign the key holders public key, using the KeyID
    • gpg --sign-key KeyID
  2. Encrypt the key and send to key holder via email
    • gpg --export --armor KeyID > KeyID.key
    • gpg --encrypt --recipient KeyID KeyID.key (creates KeyID.key.gpg)

Why shouldn’t you publish signatures to Key Servers on other users behalf?

I was a little puzzled by this myself, as it seems strange that key servers allow a usage pattern that is not recommended. Apparently there are two primary reasons, most notably that you’ve likely only verified their name and identity, not the ownership of the e-mail account used as their UID. When you send the signature to the key holder via e-mail only the holder of that e-mail account would be able to publish the signature, proving that they own that account. And last but not least, there is a privacy concern. The Key Holder might not want the world to know that you two know each other. So we make it up to them to decide.

Cheat sheet

  1. Listing keys and fingerprint
    • gpg --list-keys [UID|KeyID]
    • gpg --list-keys --fingerprint [UID|KeyID]
  2. Exporting keys
    • gpg --export --armor <UID|KeyID>
    • gpg --export --armor SUBKEYID! [SUBKEYID! ..]
  3. Importing key signature
    • gpg --import --import-options merge-only foobar.gpg

Published: 08 August, 2019