DU Compsoc PGP Keysignings

Next keysigning: Michaelmas Term 2005

The next Compsoc PGP keysigning will be held at some time in the Michaelmas Term; details to be confirmed.

Many Compsoc members will be prepared to do ad-hoc individual keysignings at any Compsoc meeting; feel free to bring along the necessary items and ask.

What's a keysigning?

When using public-key ciphers you can be certain that an encrypted message can be read only by the owner of the secret key corresponding to the public key it was encrypted with. However, you may not be certain that the key in question really belongs to the person it identifies. Keysigning is a useful way of increasing the security of asymmetric cryptosystems by providing more knowledge about a key's validity and protection against man-in-the-middle attacks. Essentially it involves a group of key owners verifying each other's identities so that a third party can be more assured that a key does in fact belong to the person it appears to. The trust relationships between a set of keys form a "web of trust".

A keysigning party is a get-together with PGP users for the purpose of meeting other PGP users and signing each other's keys. This helps to extend the web of trust to a great degree. Also, it sometimes serves as a forum to discuss strong cryptography and related issues.

What do I need to do?

It's simple really, but the following information should make it absolutely clear.

  1. Generate a key pair (if you don't use PGP already), send it to a keyserver and send its ID and fingerprint (the output of gpg --fingerprint) to the coordinator (currently: n.g.boalch@durham.ac.uk). [Full instructions for this step]
  2. Show up to the keysigning, making sure to bring the necessary items with you. At the keysigning you will have an opportunity to check the fingerprint of other participants' keys against a centralised list and to check their identities.
  3. After the party, sign the other participants' keys (assuming you are happy with their verification of their identity) and upload the signed keys back to a keyserver (don't use www.keyserver.net as it doesn't update other servers). [Full instructions for this step]
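
A check that fits step 3, as an added example (not part of the original page or Compsoc's own instructions): it compares the full fingerprints of keys fetched from a keyserver against the fingerprints you checked in person, and marks only exact matches for signing. The function names and the sample fingerprints are constructed for illustration; real input would come from `gpg --with-colons --fingerprint`.

```shell
#!/bin/sh
# Added example: gate signing on a full-fingerprint match, not on a key ID.

# Print the primary-key fingerprint of every key in a
# `gpg --with-colons --fingerprint` listing read from stdin.
# Newer GnuPG also emits an fpr record after each sub record; skip those.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want && $10 != "" { print toupper($10); want = 0 }'
}

# check_keys VERIFIED < listing
# VERIFIED: one fingerprint per line, as checked at the party (spaces allowed).
# Prints "SIGN <fpr>" for an exact match and "SKIP <fpr>" otherwise.
check_keys() {
    verified=$(printf '%s\n' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    primary_fprs | while read -r fpr; do
        if printf '%s\n' "$verified" | grep -qxF "$fpr"; then
            echo "SIGN $fpr"
        else
            echo "SKIP $fpr"
        fi
    done
}

# Constructed sample data (not real keys); pub/uid/sub fields are abbreviated.
sample_verified() {
cat <<'EOF'
0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
EOF
}

sample_listing() {
cat <<'EOF'
pub:-:2048:1:89ABCDEF01234567:1126656000:::-:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::::::Alice Example <alice@example.org>:
sub:-:2048:1:1111111111111111:1126656000:
fpr:::::::::1111111111111111111111111111111111111111:
pub:-:2048:1:76543210FEDCBA98:1126656000:::-:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:-::::::::Bob Example <bob@example.org>:
EOF
}

sample_listing | check_keys "$(sample_verified)"
```

A key reported as SKIP was fetched from the keyserver but its fingerprint was never checked face to face, so it should be left unsigned.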
Nick Boalch (n.g.boalch@durham.ac.uk)
Last modified: 2005-09-14 06:06:23 BST