Many of the people that I have worked with take GnuPG seriously. Most understand why signatures are important. Many also understand how to sign well. Some people, though, stop signing after they've gotten 'enough' cross signatures. This entry explains why you can never have enough good signatures and how to keep collecting them.
Verification of identity through GnuPG is a rather simple concept. Each person has one or more GnuPG keys. Users can generally sign two types of things with these keys: documents and other keys. Signing another key means that you have verified that the person who holds the key is the person named in the name and email addresses associated with it. This signature, once made, can be used by yourself and by holders of other keys to verify that the identity is authentic.
This process has evolved over time into something known as the Web Of Trust (WOT). The web of trust is like a net built out of the endorsements (signatures) of one key owner by another. The strength of the WOT is tied to the number of good signatures in just the same way that the strength of the net is tied to the number of strands within the net.
The WOT is useful for a variety of things. One use is to verify that software packaged by a team is authentic. Another common purpose is to provide reliable authenticity when performing remote admin requests. The WOT is also likely to eventually be useful to verify signatures on legal contracts.
The key part of the WOT is that the more keys that are out there that you trust and have signed, the more likely you are going to be able to trust any arbitrary key that you find on the internet. You can probably feel comfortable if a half dozen people that you kind of trust have signed a key that you have never seen before because they have certified it for you. Other people will also rely to a certain extent upon your signatures of the keys that they don't know about either.
Participating in the WOT can also be fun in the same sorts of ways that collecting is fun. You can always see how deeply entrenched you are in the WOT by visiting the PGP pathfinder.
The only method for entering the WOT is to cross sign with someone who is already in the WOT. You do this with the following steps:
One of the easier ways to sign keys is with a program like Caff. Caff can be installed on most distributions by running "apt-get install caff". You'll want to add one line to your .gnupg/gpg.conf file: "default-cert-level 0". This will provide a standard signature for keys that you sign. You can also mark a key signature as having been carefully checked by using 3 instead of 0.
You can use caff once it has been set up by running "caff KEY-ID". caff will download the key from a keyserver and show you the fingerprint. Check carefully that the key fingerprint is the one that you wrote down when you met the other person. Once you have verified that the fingerprint is right, you can answer yes to all the questions. Caff will then email your signature of each of the UIDs to each listed email address.
Once they receive the email, they will pipe each email through "gpg | gpg --import". For example, if you use mutt for email, you would press "|" to pipe the message and run "gpg | gpg --import". This will import your signatures of their key into the keyring. The signatures, once imported, can be uploaded to the keyserver by running "gpg --send-key THEIRKEYID".
Their key with your signature is now on the keyservers. You can download the key with "gpg --recv-key THEIRKEYID".
It's a bit of work to do this signature stuff right. In addition to the steps outlined above, the other guy has to do the same stuff for your key. It's worth it though, as over time you can build up certainty that an identity is authentic when it really matters.
There are several excellent ways to build up the strength of both your key and the keys of others:
Everyone, including yourself, benefits when you participate in keysigning. Perhaps you and I will meet up and exchange keys some day. :)