CS50 Key-Signing Party Event Guide


Please Register

If you already have a PGP key, please register your key for the event. While anybody is welcome to attend, it may not be possible to sign keys which are not submitted before the day of the event.

Order of Events

Note that you do not need a laptop with you at the event. All you need is your known-good key fingerprint and a writing implement.

  1. Each attendee will print a known-good copy of his or her public-key fingerprint during registration, and will bring it to the event.

  2. At the beginning of the event, the organizers will distribute a list of all registered keys and the fingerprint of each. The core purpose of the event is for each attendee to believe that each fingerprint on the printed list belongs to the person whose name and e-mail address are associated with the key.

  3. In turn, readers at the front of the room will recite each registered key's fingerprint aloud, and the key's owner should stand and acknowledge it.

  4. After all fingerprints have been read, there will be an opportunity for you to verify the identity of anybody you don't know personally. You will probably wish to briefly note how you verified each identity (driver's license, etc.).

  5. When this process is complete, store the annotated copy of the fingerprint list in a secure location. Then be sure to schmooze with other attendees!

  6. Later that evening, or perhaps when you get home, you can sign the keys corresponding to the fingerprints on the handout which you were able to verify. You should probably sign only those keys for which you are very confident that the person who stood up during the reading and acknowledged the fingerprint really is who he or she claimed to be.

    Soon after the event we will make the event public key ring available here. Download it, import it into your keyring, and sign some keys!

    If you are using GPG, the command to import the keys is
    % gpg --import cs50.pkr
    and the command to sign a key is
    % gpg --sign-key someuser@some.tld

    For PGP, use
    % pgp -ka cs50.pkr
    to import the keys and
    % pgp -ks someuser@some.tld
    to sign them.

  7. For each key you signed, extract the key into an ASCII-armored file (see the registration page for directions), encrypt that file to the key, and e-mail the result to the address associated with the key. This means that your signature will "count" (become world-visible) only if somebody with access to that mailbox also has access to the private key. This generally indicates that the person you saw really owns that e-mail address.

    If you are confident that the person you saw owns the e-mail address, you may instead choose to post your signatures to the global key database (it's easier).
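    The following script is an added example and is not part of the CS50 guide. It carries out steps 6 and 7 with GnuPG 2.x (assumed to be installed as "gpg"): before signing, it looks up the key for the e-mail address on the handout and refuses unless one of the matching keys has exactly the fingerprint you verified in person, so an unverified key that happens to carry the same address is never signed by mistake; it then signs that key by fingerprint, exports it ASCII-armored, and encrypts the export to the key, ready to be mailed. The fingerprint and address in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the CS50 guide's own code). Assumes GnuPG 2.x as "gpg".

# Normalize a fingerprint as it is written on the handout ("0123 4567 ..."):
# strip spaces, upper-case, and require exactly 40 hex digits (a v4 key).
normalize_fpr() {
    f=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    case "$f" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ ${#f} -eq 40 ] || return 1
    printf '%s\n' "$f"
}

# Compare two fingerprints regardless of spacing and case; exit 0 on match.
fpr_matches() {
    a=$(normalize_fpr "$1") || return 1
    b=$(normalize_fpr "$2") || return 1
    [ "$a" = "$b" ]
}

# Primary-key fingerprints of every local key matching a user-ID search
# string (for example the e-mail address printed on the handout). In
# --with-colons output the "fpr" record after "pub" belongs to the primary
# key; the ones after "sub" belong to subkeys and are skipped.
local_fprs_for() {
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1=="pub"{want=1} $1=="sub"{want=0} $1=="fpr" && want {print $10; want=0}'
}

# sign_verified_key HANDOUT_FPR EMAIL
#   1. find the key(s) for EMAIL in the keyring you imported from cs50.pkr
#   2. refuse unless one of them has exactly the fingerprint you verified
#   3. sign that key by fingerprint, never by e-mail address alone
#   4. export the signed key ASCII-armored and encrypt it to that key, so the
#      file can be mailed to EMAIL (step 7 of the guide)
sign_verified_key() {
    handout=$(normalize_fpr "$1") || { echo "bad fingerprint: $1" >&2; return 1; }
    email=$2
    found=""
    for k in $(local_fprs_for "$email"); do
        if fpr_matches "$k" "$handout"; then found=$k; fi
    done
    if [ -z "$found" ]; then
        echo "no key for $email has fingerprint $handout; not signing" >&2
        return 1
    fi
    # Same interactive confirmation as the guide's "gpg --sign-key", but the
    # key is selected by its verified fingerprint.
    gpg --sign-key "$found" || return 1
    gpg --batch --yes --armor --output "$found.signed.asc" --export "$found" || return 1
    # Encrypt to the key just signed: only the holder of its private key can
    # read the file, which is what makes the mailed signature "count".
    # --trust-model always is safe here because the fingerprint was checked.
    gpg --batch --yes --armor --trust-model always --recipient "$found" \
        --output "$found.signed.asc.gpg" --encrypt "$found.signed.asc" || return 1
    echo "mail $found.signed.asc.gpg to $email"
}

# Usage (after "gpg --import cs50.pkr"), with a constructed fingerprint and address:
#   sign_verified_key "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567" someuser@some.tld
```

    Signing by fingerprint rather than by address is the point of the check: the e-mail address is only a label on the key, while the fingerprint is what you actually verified against the person in the room.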

Acknowledgements

The event organizers would like to thank SCS Facilities for the rapid turnaround time on the loan and deployment of FACLOAN14.FAC.CS.CMU.EDU, our temporary key server.

The key-server software, Marc Horowitz's pks, was very easy to install.

The text of this guide was based on directions used by Ted Ts'o and Jeff Hutzelman at IETF key-signing events.
