Manoj's Key-Signing Protocol

Purpose

To allow a potential key-signer to know that a person is who he claims to be, that he has the passphrase of the key to be signed, and that he receives email sent to at least one email address listed on his key.

Weaknesses

Protocol

Preliminary Steps

  1. Everyone comes to the meeting with 2 picture ID's, at least one of which is issued by the government.
  2. Everyone comes with lots and lots of slips of paper containing their name, email address, and key fingerprint of a key available on a public server (the alternative is a laptop and floppies, and people gather public keys on their floppy from other people's floppies rather than downloading keys offline from public servers). The name on the slip must match the name on the picture ID's.
  3. Everyone has a sheet of paper, and a pen.

To Have Your Key Signed

  1. You think up an arbitrary word (call it Secret A), and write it on one of the slips of paper. On your sheet of paper, you make an entry for Mr. X, and you write this random word there.
  2. You ask Mr. X for a random integer (call it Secret B). Write it down on the slip of paper, and hand it to Mr. X. On your sheet, write down that number on the line corresponding to Mr. X. (You may want to get his email address too, as a reminder.)
  3. Repeat with Mr. Y, and so on.
  4. Wait for Mr. X to send you encrypted mail containing your secret word (Secret A), and a new number (Secret C). You look up Mr. X in your sheet, match the word (Secret A), and get the number he gave you (Secret B). Write both numbers (the old one on the sheet of paper he gave you in person (Secret B), and the new one in the email message (Secret C)) in a mail message, sign, and possibly encrypt with Mr. X's key. Send it back to Mr. X. This tells Mr. X that:
  5. Mr. X sends your key back to you, with his signature.

To Sign Another Key

  1. Look at the picture ID's. Make sure the names match.
  2. Think up a random integer (Secret B), and tell it to the person requesting the signature.
  3. Make sure you have a slip containing the name, email address, random number you generated, and a secret word that the person has created (Secret A). Check the name against the picture ID's.
  4. Obtain the public key for that person (either from public servers, or a physical copy on a floppy, or whatever).
  5. Check to see if the fingerprint matches. Check to see that the ID has the same name as found on the picture ID's you saw. Make sure the email addresses match.
  6. Create another random integer (Secret D), different from the one you gave that person before (Secret B). Send a mail message, containing the secret word that the person gave you (Secret A), the new number you generated (Secret D), encrypted with the key you just obtained, sent to the email address in the key.
  7. If you get a reply that contains both the old (Secret B) and the new (Secret D) numbers, and is signed by the key you are supposed to sign, everything checks out. The person:
  8. Sign the key, and mail it to the email address you have been using.
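
The signer's checks in steps 5 to 7 above, together with the key owner's lookup from "To Have Your Key Signed", sketched in Python as an added example; it is not part of the protocol text or of the keysign.sh script mentioned later. The function names, the dict-shaped mail and the six-digit range for the integers are assumptions, and encryption and signature verification are left to OpenPGP tooling, which hands `reply_ok` the fingerprint of the key that made a valid signature.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

LIMIT = 10**6  # assumed range for the "random integers"; the protocol gives none


@dataclass
class Slip:
    """What the signer holds after the meeting (signer steps 2-3)."""
    name: str
    email: str
    fingerprint: str            # as written on the paper slip
    secret_a: str               # word chosen by the key owner
    secret_b: int               # integer the signer gave in person
    secret_d: Optional[int] = None  # integer sent later by encrypted mail


def norm(fpr):
    """Fingerprints are compared without spaces and case-insensitively."""
    return "".join(fpr.split()).upper()


def meet(name, email, fingerprint, secret_a):
    return Slip(name, email, norm(fingerprint), secret_a, secrets.randbelow(LIMIT))


def make_challenge(slip, key_fpr, key_uid_emails):
    """Signer steps 5-6: refuse unless the fetched key matches the slip."""
    if norm(key_fpr) != slip.fingerprint:
        raise ValueError("fetched key's fingerprint differs from the slip")
    if slip.email not in key_uid_emails:
        raise ValueError("slip email is not on the key")
    while slip.secret_d is None or slip.secret_d == slip.secret_b:
        slip.secret_d = secrets.randbelow(LIMIT)
    # To be encrypted to the fetched key and mailed to slip.email.
    return {"to": slip.email, "secret_a": slip.secret_a, "secret_d": slip.secret_d}


def owner_reply(sheet, mail):
    """Key owner's step 4: find Secret B by the word, answer with both numbers.
    (The owner's steps call the mailed number Secret C.)"""
    secret_b = sheet[mail["secret_a"]]  # KeyError: a word never handed out
    return [secret_b, mail["secret_d"]]


def reply_ok(slip, numbers, signed_by):
    """Signer step 7: old and new number present, signed by the key to be signed."""
    return (slip.secret_d is not None and norm(signed_by) == slip.fingerprint
            and slip.secret_b in numbers and slip.secret_d in numbers)
```

A reply that passes `reply_ok` is the point at which step 8 applies; a `ValueError` from `make_challenge` means no mail is sent at all.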

Double Key-Signing

When both parties want to sign each other's keys.
  1. Look at each other's picture ID's. Make sure the names match.
  2. You should think up a random integer (Secret A), and tell it to the other person.
  3. Make sure you have a slip containing the name, email address, random number you generated (Secret A), and a secret word that the person has created (Secret B). Check the name against the picture ID's.
  4. Obtain the public key for that person (either from public servers, or a physical copy on a floppy, or whatever).
  5. Check to see if the fingerprint matches. Check to see that the ID has the same name as found on the picture ID's you saw. Make sure the email addresses match.
  6. Create another random integer (Secret C), different from the one you gave that person before (Secret A). Send a mail message, containing the secret word that the person gave you (Secret B), the new number you generated (Secret C), encrypted with the key you just obtained, sent to the email address in the key.
  7. The second party should now create a new random number, (Secret D), and send back the number you gave them (Secret A), the new number you created (Secret C), and the new random number they generated (Secret D), signed by their key, and encrypted by your key, sent to your email addresses.
  8. If you get this reply that contains both the old (Secret B) and the new (Secret C) numbers, and is signed by the key you are supposed to sign, everything checks out. The person:
  9. You should then reply to the person, sending in the new secret they sent you (Secret D). This shall verify to the other person that you, in turn:
  10. Sign the key, and mail it to the email address you have been using.

Addendum

There are potentially four secrets involved, two exchanged in the face to face meeting, a third created in the first email, and potentially a second created in the acknowledgment. This is anal retentive (not a bad thing in security, really), but it ensures (to a reasonable degree) that the person whose ID you checked does indeed control the email address, and can indeed use the private key corresponding to the public key you are signing.

This may be more work than is generally done, but is more secure than most ad hoc key signing sessions I have attended ;-)

I generally ask for two forms of ID, but even that is not perfect (nothing is).

I think you are missing something. See, I meet John Smith. He shows me photo-ID. He gives me fingerprint of his public key. I download key from key server, and check the finger print. I check the ID matches the photo ID's I saw. I sign just that ID. Now tell me again, how short of forging two picture ID's, there is a flaw in this.

Notes

The above is Manoj's Protocol. I formatted it from an email that I received. I am solely responsible for any typographical, procedural, spelling, formatting or other errors that may have occurred in the translation.

This comes with no warranty, expressed, implied, stated, or hinted at. This is not a product, but a procedure. You may use it, and spread it. If you improve upon it, please let me and/or Manoj know.

Variation

Below is a variation of the protocol that meets all of the purposes without having to send multiple emails back and forth.

At the meeting, you verify Mr. X's identification (picture matches face, name on ID matches name on key) and get his key's fingerprint(s). Once you get home, you verify that the fingerprint(s) Mr. X gave you matches the fingerprint(s) of his public key(s).

For each UID with an email address, you sign with each of your private keys that you wish to use. You then take that key, export it, and encrypt it to the public key that you just signed. You take that newly signed and encrypted key, and send it to the email address of the UID that you just signed.

You are done. It is now up to Mr. X to receive it (thus validating the email address), decrypt it (thus validating that he has control of the secret key), and upload it to keyservers worldwide.

Using this method, it is very important to sign only the UID that matches the email address you are sending to. This means if the key has multiple email addresses on it, which is quite common, you must start with a clean key for each new email address/UID that you wish to sign.

Personally, I use a temporary public keyring to hold Mr. X's key, then destroy the keyring and all signed keys after sending out the emails. This way, if I ever upload my keyring to a keyserver, no unverified signed keys will escape. I wrote a simple script to assist with this procedure, and you may have a copy of it: keysign.sh


Author: John H. Robinson, IV <jaqque@debian.org>
$Id: keysign.html,v 1.3 2003/07/24 05:35:24 jaqque Exp $
