-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Efficient Group Key Signing Method
Revision 1.2

Document Author: Len Sassaman
Based on primary ideas by: Phil Zimmermann, Werner Koch, and Len Sassaman

__

In order to make key signing parties run more efficiently, we propose a new method of doing mass fingerprint verification.

__

1. Participants in the key signing submit their keys to the signing organizer, with unnecessary signatures and user-ids trimmed off. Participants may be required to sign their submission message in order to prove ownership of their key.

2. The signing organizer compiles the key information (including the key fingerprint, user-id, key-id, and key size) in a text file and makes it publicly available. Keys should be numbered sequentially, and multiple keys by the same owner should be grouped together.

3. The signing organizer takes the MD5 or SHA-1 hash of the text file, and brings this to the key signing. The hash information should also be posted publicly for sanity checking purposes. (Different text file formats will result in different hashes, due to line ending variations.)

4. Each person wishing to sign the keys on this paper obtains the text file from its public location, and independently obtains the MD5 or SHA-1 checksum. On most Unix systems, the program md5sum is available. Alternatively, GnuPG can be used to determine the hash output. Syntax is:

   "gpg --print-md md5 filename"
   "gpg --print-md sha1 filename"

5. Participants bring a hard copy of this text file, and a copy of the MD5 or SHA-1 checksum, to the key signing. Participants who wish to have their keys signed should verify the fingerprint on the paper against their actual key prior to the event.

6. The checksum output is read aloud to the group. Participants confirm this sum with the independently obtained checksum of the file prior to actually signing any keys.

7. Each person wishing to have his key signed verifies to the group that the fingerprint and key information presented in the text file is indeed the correct information. A simple assertion that "yes, this information is correct" is sufficient. For large groups, the process may be expedited by instructing the attendees to line up according to the number next to their key information.

8. Identity verification is done according to the individual policy of those people signing keys.

9. Participants opting to sign later obtain the public keys (either from the signing organizer, or from a public server) and confirm that the key fingerprints and other information match that reported in the text file. They may then sign the keys.

__

The rationale behind this method is that, by placing all the fingerprints in a text file and providing the hash, significant time can be saved without a decrease in security. Each individual is responsible for making sure his or her fingerprint is correctly reported, and every person signing is guaranteed to have identical fingerprint lists. We expect this method to reduce the time involved in actual key signing parties by half.

Thanks to Peter Wan, Randy Harmon, Patrick Feisthammel, Robyn Wagner, Rodney Thayer, David Stoler, John Kane, Lucky Green, the attendees of the First PGP Keyserver Manager Symposium, and many others for their help in fine-tuning this process.

-----BEGIN PGP SIGNATURE-----
Comment: Signed with an RSA v4 key.

iQIVAwUBPLYDyEoKgUld5ID8AQMuiw/9GMd7U866dB0Ah+PPxFf0eDGTKwUH5l73
2m3QEre3y76ctfA3auZNqHQYl2qhvkVbNKQ5Jq+cRxyZTXb5qtQ/x0BzsRvZcCKy
fha++uGx3X2VPfXxYAUnzDZtpjMw6lcMr0CDa742eM4Kn1EBgYYU8ISNa0w9Rqtx
4p5PvQHHkKRMefsAKkkG29+4ZUf/mUdiQpxcQ9ibX1l4MHcrOn6LnK80TvZIY8N0
jFOxtoOEH0hvRgGmoFpeF3Z2ami7hecu5NtOkEfYUHIMgVw+LBmXaZ/Y2ToLRpcO
oZkluNmoz1c5oRoByw6mRBWWYwADbkVUYKQmK5l078SVsPTrV453Cva7v+ftbzP3
9qww3Q8eFQ5RVukw/qKPk7+yemGi5az+822DYWc5Nlbtqo7a+JzhyVYaukNdbpYh
ncpLakJJvcSBzHsGpghHVuOvCOFlbqFsnsdllnUNbCe8hzejA8Qscm3Px/bui+8S
UrSiwrmW3m2JoaFM5z0UEDbNRPM8IXRFkWLNqqnUiijOgB5RrhoEA7xIg6f+hFZS
HOD7Ueh+0u6ENH4PvSkrbq4CZVg21Obzdy2NvIhIeSpiNXJM790590VkcU9kvR48
IKgsTBI0ijMY1a/I9InoI0PbASRMPmvwA0FiyuHknHkp9BrjEi1LYp4x7xd3rTxG
OSk1PlwnKIQ=
=/f7c
-----END PGP SIGNATURE-----
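The following Python script is an added worked example of the organizer's and the participants' sides of the procedure above (steps 2 through 6 and 9); it is not part of Sassaman's signed document and not a GnuPG tool. It builds the numbered key list with keys of one owner grouped, hashes the file as bytes, shows the step 3 caveat that a CRLF copy of the same list hashes differently, compares a locally computed sum with an announced one in either md5sum or gpg --print-md presentation, and looks an entry up by full fingerprint. Every owner, key-id and fingerprint below is a constructed placeholder, and the list layout is an assumption of this example rather than a format the document prescribes.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class KeyEntry:
    owner: str        # primary user-id as submitted (step 1: extra user-ids trimmed)
    key_type: str     # "DSA" or "RSA"
    key_size: int
    fingerprint: str  # v4 fingerprint, 40 hex digits, spaced as gpg --fingerprint prints it

    @property
    def key_id(self) -> str:
        # For a v4 key the short key-id is the low 32 bits of the fingerprint.
        return "".join(self.fingerprint.split())[-8:].upper()


# Constructed sample submissions: placeholder owners and fingerprints, not real keys.
SAMPLE_KEYS = [
    KeyEntry("Alice Example <alice@example.org>", "DSA", 1024,
             "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"),
    KeyEntry("Bob Example <bob@example.org>", "RSA", 2048,
             "FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98"),
    KeyEntry("Alice Example <alice@example.org>", "RSA", 4096,
             "1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA"),
]


def build_key_list(entries: Iterable[KeyEntry]) -> str:
    """Step 2: the organizer's text file. Entries are numbered sequentially and a
    stable sort on owner keeps several keys of one person adjacent. Lines are
    joined with LF only; the bytes of this string are what gets hashed."""
    lines = []
    for n, e in enumerate(sorted(entries, key=lambda k: k.owner), start=1):
        lines.append(f"{n:03d}  [ ] Fingerprint OK   [ ] ID OK")
        lines.append(f"pub  {e.key_size}{e.key_type[0]}/{e.key_id}  {e.owner}")
        lines.append(f"     Key fingerprint = {e.fingerprint}")
        lines.append("")
    return "\n".join(lines)


def checksums(text: str, newline: str = "\n") -> dict:
    """Steps 3 and 4: MD5 and SHA-1 of the file as stored on disk. `newline`
    reproduces the caveat in step 3: a copy saved with CRLF line endings is a
    different byte string and therefore yields different sums."""
    data = text.replace("\n", newline).encode("ascii")
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def gpg_style(hexdigest: str) -> str:
    """Render a digest roughly as `gpg --print-md` does: uppercase, 4-digit groups."""
    h = hexdigest.upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def matches_announced(local_hexdigest: str, announced: str) -> bool:
    """Step 6: compare the sum read aloud with the locally computed one. Accepts
    both md5sum output ("<hex>  file") and gpg --print-md output
    ("file: ABCD 1234 ..."): a leading "name:" prefix is dropped and only
    all-hex tokens are kept, so a filename made purely of hex digits would
    cause a (safe) false negative rather than a false match."""
    tail = announced.rsplit(":", 1)[-1]
    hexdigits = set("0123456789abcdefABCDEF")
    digits = "".join(tok for tok in tail.split() if all(c in hexdigits for c in tok))
    return digits.lower() == local_hexdigest.lower()


def normalize_fingerprint(fpr: str) -> str:
    return "".join(fpr.split()).upper()


def find_entry(key_list: str, fingerprint: str) -> Optional[str]:
    """Steps 5 and 9: locate the list line carrying this fingerprint. The whole
    40-digit fingerprint is compared, never just the key-id, since 32-bit short
    key-ids are easy to collide."""
    want = normalize_fingerprint(fingerprint)
    for line in key_list.splitlines():
        if "Key fingerprint =" in line:
            if normalize_fingerprint(line.split("=", 1)[1]) == want:
                return line.strip()
    return None


if __name__ == "__main__":
    key_list = build_key_list(SAMPLE_KEYS)
    lf, crlf = checksums(key_list), checksums(key_list, "\r\n")
    print(key_list)
    print("SHA-1 (LF):  ", gpg_style(lf["sha1"]))
    print("SHA-1 (CRLF):", gpg_style(crlf["sha1"]), "<- differs: line endings only")
    print(find_entry(key_list, SAMPLE_KEYS[1].fingerprint))
```

Run it as-is to see the list and both checksums; a participant would replace `SAMPLE_KEYS` with the organizer's published file and pass the sum read aloud to `matches_announced`. The CRLF comparison is the practical reason step 3 asks that the hash be posted publicly: a mismatch at the party is far more often a line-ending difference than a tampered list, and the posted value lets each participant settle that before signing anything.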