zimmermann-sassaman-protocol

Efficient Group Key Signing Method
Revision 1.2

Document Author: Len Sassaman
Based on primary ideas by: Phil Zimmermann, Werner Koch, and Len Sassaman

In order to make key signing parties run more efficiently, we propose a new method of doing mass fingerprint verification.

1. Participants in the key signing submit their keys to the signing organizer, with unnecessary signatures and user-ids trimmed off. Participants may be required to sign their submission message in order to prove ownership of their key.

2. The signing organizer compiles the key information (including the key fingerprint, user-id, key-id, and key size) in a text file and makes it publicly available. Keys should be numbered sequentially, and multiple keys by the same owner should be grouped together.

3. The signing organizer takes the MD5 or SHA-1 hash of the text file, and brings this to the key signing. The hash information should also be posted publicly for sanity checking purposes. (Different text file formats will result in different hashes, due to line ending variations.)

4. Each person wishing to sign the keys on this paper obtains the text file from its public location, and independently obtains the MD5 or SHA-1 checksum.

On most Unix systems, the program md5sum is available. Alternatively, GnuPG can be used to determine the hash output. Syntax is:

"gpg --print-md md5 filename"
gpg --print-md sha1 filename"

5. Participants bring a hard copy of this text file, and a copy of the MD5 or SHA-1 checksum, to the key signing. Participants who wish to have their keys signed should verify the fingerprint on the paper against their actual key prior to the event.

6. The checksum output is read aloud to the group. Participants confirm this sum with the independently obtained checksum of the file prior to actually signing any keys.

7. Each person wishing to have his key signed verifies to the group that the fingerprint and key information presented in the text file is indeed the correct information. A simple assertion that "yes, this information is correct" is sufficient.

For large groups, the process may be expedited by instructing the attendees to line up according to the number next to their key information.

8. Identity verification is done according to the individual policy of those people signing keys.

9. Participants opting to sign later obtain the public keys (either from the signing organizer, or from a public server) and confirm that the key fingerprints and other information match that reported in the text file. They may then sign the keys.

The rationale behind this method is that, by placing all the fingerprints in a text file and providing the hash, significant time can be avoided without a decrease in security. Each individual is responsible for making sure his or her fingerprint is correctly reported, and every person signing is guaranteed to have identical fingerprint lists. We expect this method to reduce the time involved in actual key signing parties by half.

Thanks to Peter Wan, Randy Harmon, Patrick Feisthammel, Robyn Wagner, Rodney Thayer, David Stoler, John Kane, Lucky Green, the attendees of the First PGP Keyserver Manager Symposium, and many others for their help in fine-tuning this process.