Brussels / 31 January & 1 February 2015


Two decades later - Signing OpenPGP keys in the 2000s

Presenting GNOME Keysign

This presentation shows a novel approach to signing keys which makes it easy to sign a person's key. It enables very small groups of people to casually hold very small key signing parties. The key idea is to automatically authenticate the key material before the transfer via a secure audible or visual channel. A Free Software implementation of the protocol will be shown and people are invited to sign their keys :-)

The Web of Trust is the decentralised PKI in the OpenPGP world. It depends on people participating by signing other people's keys. However, when following best practices, the act of signing a key involves secure transfer of the OpenPGP key, which contemporary casual key signing protocols for small groups address by exchanging the fingerprint of the key to be signed. The key is then downloaded over an untrusted channel, and the key obtained needs to be manually verified against that fingerprint.

The presented solution was designed with Ellison's Law in mind, which states that "the userbase for strong cryptography declines by half with every additional keystroke or mouseclick required to make it work". It tries to make it as easy as possible to sign another person's key while not compromising security. Contemporary key signing protocols were designed in the late 90s with big key signing party gatherings in mind. The setup costs of such an event are prohibitively high for a small group of people. Because we have arrived in the new millennium, mobile computing devices, link-local networks, cameras, and QR codes exist. It is time for us to leverage these technologies to strengthen the Web of Trust without having to mumble hexadecimal strings.
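The verification step the abstract describes (fingerprint over the secure visual channel, key material over the untrusted one), as an added example that is not GNOME Keysign's own code: it builds a constructed OpenPGP v4 RSA public-key packet with a placeholder modulus, computes the RFC 4880 fingerprint from the raw packet, and accepts the downloaded key only if that fingerprint matches the scanned one.

```python
import hashlib
import hmac
import struct

# Added example, not GNOME Keysign code. All key material below is constructed.

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length + big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def public_key_packet(created: int, n: int, e: int) -> bytes:
    """Old-format header (tag 6, two-byte length) around a v4 RSA public-key body."""
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)  # v4, algo 1 = RSA
    return bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body)) + body

def fingerprint(packet: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, 2-byte body length, body of the public-key packet."""
    tag = packet[0]
    if not tag & 0x80 or tag & 0x40:
        raise ValueError("expected an old-format packet header")
    if (tag >> 2) & 0x0F != 6:
        raise ValueError("not a public-key packet")
    length_type = tag & 0x03
    if length_type == 0:
        hlen, blen = 2, packet[1]
    elif length_type == 1:
        hlen, blen = 3, struct.unpack(">H", packet[1:3])[0]
    elif length_type == 2:
        hlen, blen = 5, struct.unpack(">I", packet[1:5])[0]
    else:
        raise ValueError("indeterminate length not allowed for a key packet")
    body = packet[hlen:hlen + blen]
    if len(body) != blen or body[0] != 4:
        raise ValueError("truncated packet or not a v4 key")
    return hashlib.sha1(b"\x99" + struct.pack(">H", blen) + body).hexdigest().upper()

def verify_transfer(downloaded_key: bytes, scanned_fingerprint: str) -> bool:
    """Key arrived over the untrusted link-local channel; fingerprint came via the QR/audio channel."""
    try:
        computed = fingerprint(downloaded_key)
    except (ValueError, IndexError, struct.error):
        return False  # malformed or truncated data is rejected, never signed
    expected = scanned_fingerprint.replace(" ", "").upper()
    return hmac.compare_digest(computed, expected)

# Constructed placeholder modulus and creation time (2015-01-31), not a real key.
PLACEHOLDER_N = (1 << 2047) | 0xC0FFEE
GENUINE_KEY = public_key_packet(1422662400, PLACEHOLDER_N, 65537)
SCANNED_FINGERPRINT = fingerprint(GENUINE_KEY)  # what the QR code on the other device carries
TAMPERED_KEY = public_key_packet(1422662400, PLACEHOLDER_N ^ 0xFF, 65537)  # swapped in transit
```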


Tobias Mueller