signing-party is a package combining a set of tools used in managing OpenPGP / GnuPG cryptographic keys. The most important tools in this package are used in preparing for, or processing the results of, gatherings to exchange key signatures, hence the name “signing-party”. If you are coming to FOSDEM next weekend, you should definitely have a look at it!
The two tools most interesting for the average user are gpg-key2ps and caff.
gpg-key2ps is used before attending a signing party. The script takes your public key and creates PostScript (PS) output with your key’s fingerprint and user IDs nicely formatted on paper slips. The only thing left for you to do is to cut the paper.
When you arrive home after the signing event, you need a way to process all these paper slips. That’s where caff comes in. Give it a list of key IDs and it will cycle through them, present you with each key’s fingerprint and ask you to confirm that it matches the paper slip you got.
The most important part of the signing process is that you verified the key owner’s real identity and compared the full fingerprint, not just the short key ID. caff adds further checks on top of that: it signs the key, encrypts the key carrying your new signature with the recipient’s own public key, and mails it to them. The signature on a specific user ID is mailed only to the email address in that user ID. This brings two additional assurances: before the recipient can add your signature to their key, they must decrypt the mail with their private key, proving that they indeed have access to the key they claimed to be theirs; and because each signature goes to the address on its own user ID, it is also verified that the key owner can read mail at that address (a user ID whose address they do not control never receives its signature). All this you get for free; caff stands for “CA fire and forget”: you confirm that the fingerprints match, and caff handles the rest.
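As an added illustration of the one step caff leaves to you, the fingerprint check, here is a small POSIX shell script (example code, not part of signing-party or caff). It embeds a constructed stand-in for the machine-readable `gpg --with-colons --fingerprint` listing of a key, normalises a fingerprint as you would type it from a paper slip, accepts only a full 40-hex-digit match, and then lists the per-user-ID addresses to which caff would mail each encrypted signature. The key, its fingerprint and its user IDs are made up for the example; the real gpg-key2ps and caff invocations appear in the comments as the page describes them.

```sh
#!/bin/sh
# Added example, not code from signing-party. Mirrors the human step in the
# caff workflow: compare a slip's fingerprint with the key, then see which
# user-ID addresses get a signature mailed to them.
#
# The workflow itself, on a real system:
#   gpg-key2ps 0xKEYID > slips.ps     # before the party: print your slips
#   caff 0xKEYID1 0xKEYID2            # after the party: sign, encrypt, mail

# Constructed stand-in for `gpg --with-colons --fingerprint 0x0123456789ABCDEF`.
# Field 10 of the fpr record is the fingerprint; field 10 of each uid record
# is the user ID. The key and its people are fictitious.
KEY_LISTING='pub:u:4096:1:0123456789ABCDEF:1230768000::::::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1230768000::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::Jane Doe <jane@example.org>:
uid:u::::1230768000::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB::Jane Doe (work) <jdoe@example.com>:'

# Strip the grouping spaces and lower case people use when reading a slip
# aloud or typing it, leaving the bare upper-case hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# The fingerprint recorded for the key (first fpr record).
key_fingerprint() {
    printf '%s\n' "$KEY_LISTING" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# One email address per user ID: caff mails the signature on each user ID
# to this address only, so every line here is one separate encrypted mail.
key_emails() {
    printf '%s\n' "$KEY_LISTING" | awk -F: '
        $1 == "uid" { uid = $10; sub(/^.*</, "", uid); sub(/>.*$/, "", uid); print uid }'
}

# Accept a slip only on a complete 40-digit match. A short key ID or a
# partial prefix is rejected outright: it is not a fingerprint comparison.
verify_slip() {
    slip=$(normalize_fpr "$1")
    key=$(key_fingerprint)
    if [ "${#slip}" -ne 40 ]; then
        echo "reject: slip has ${#slip} hex digits, need 40"
        return 1
    fi
    if [ "$slip" = "$key" ]; then
        echo "match"
        return 0
    fi
    echo "mismatch"
    return 1
}

# Usage: pass the fingerprint exactly as it is printed on the slip.
verify_slip "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567" && key_emails
```

The script deliberately refuses anything shorter than the full fingerprint: a 32-bit key ID is trivially collidable, and the paper slip exists precisely so that you compare the whole thing. The address list shows why a user ID with an address the owner cannot read gains nothing from caff: its signature is sent there and nowhere else.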
- Anyone signing OpenPGP keys.
- Keysigning explained, targeted specifically at Debian
- How not to look lost at a key-signing by Steve Kowalik
- Wikipedia on PGP
- The GNU Privacy Handbook, a complete manual for GnuPG.
The signing-party package is available in both Debian and Ubuntu. The caff tool is only available in Debian Etch and later, or in the package from backports.org.