Manoj's Key-Signing Protocol
To allow a potential key-signer to know that a person is who he claims to
be, that he has the passphrase of the key to be signed, and that he receives
email at at least one email address listed on his key.
- The key could be compromised, and no one is aware of it.
- The identifications could be faked.
- Everyone comes to the meeting with 2 picture ID's, at least one of
which is issued by the government.
- Everyone comes with lots and lots of slips of paper containing their
name, email address, and key fingerprint of a key available on a
public server (the alternative is a laptop and floppies, and people
gather public keys on their floppy from other people's floppies rather
than downloading keys offline from public servers). The name on the
slip must match the name on the picture ID's.
- Everyone has a sheet of paper, and a pen.
- You think up an arbitrary word (call it Secret A), and write it on one
of the slips of paper. On your sheet of paper, you make an entry for
Mr. X, and you write this random word there.
- You ask Mr. X for a random integer (call it secret B). Write it down
on the slip of paper, and hand it to Mr X. On your sheet, write down
that number on the line corresponding to Mr X. (you may want to get
his email too, for reminder)
- Repeat with Mr. Y, and so on.
- Wait for Mr. X to send you encrypted mail containing your secret word
(Secret A), and a new number (Secret C). You look up Mr. X in your
sheet, match the word (Secret A), and get the number he gave you
(Secret B). Write both numbers (the old one on the sheet of paper he
gave you in person (Secret B), and the new one in the email message
(Secret C)) in a mail message, sign, and possibly encrypt with Mr. X's
key. Send it back to Mr. X. This tells Mr. X that:
  - you control your secret key,
  - you control that email address, and
  - you know the secret he gave in person after checking ID's.
- Mr. X sends your key back to you, with his signature.
- Look at the picture ID's. Make sure the names match.
- Think up a random integer (Secret B), and tell it to the person
requesting the signature.
- Make sure you have a slip containing the name, email address, random
number you generated, and a secret word that the person has created
(Secret A). Check the name against the picture ID's.
- Obtain the public key for that person (either from public servers, or
a physical copy on a floppy, or whatever).
- Check to see if the fingerprint matches. Check to see that the ID has
the same name as found on the picture ID's you saw. Make sure the
email addresses match.
- Create another random integer (Secret D), different from the one you
gave that person before (Secret B). Send a mail message, containing the
secret word that the person gave you (Secret A), the new number you
generated (Secret D), encrypted with the key you just obtained, sent
to the email address in the key.
- If you get a reply that contains both the old (Secret B) and the new
(Secret D) numbers, and is signed by the key you are supposed to sign,
everything checks out. The person:
  - controls the secret key,
  - is present at that address, and
  - knows the secret you gave in person after checking ID's.
- Sign the key, and mail it to the email address you have been using.
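
The signer's side of the steps above, as an added example (not part of the
original page or of keysign.sh). All class and function names are
hypothetical, and the signature check on the reply is assumed to be done
separately with gpg; this code only keeps the sheet and compares the secrets.

```python
import re
import secrets
from dataclasses import dataclass

def norm_fpr(fpr):
    """Slips print fingerprints with spaces and mixed case; compare canonically."""
    return re.sub(r"\s+", "", fpr).upper()

def six_digits():
    return 100000 + secrets.randbelow(900000)

@dataclass
class Entry:
    email: str
    fingerprint: str
    secret_a: str        # word the requester wrote on the slip
    secret_b: int        # integer you told them in person
    secret_d: int = 0    # integer you send by encrypted mail (0 = not sent yet)

class SignerSheet:
    """The signer's sheet of paper: one entry per person met (hypothetical API)."""
    def __init__(self):
        self.entries = {}

    def meet(self, email, fingerprint, secret_a):
        e = Entry(email.lower(), norm_fpr(fingerprint), secret_a, six_digits())
        self.entries[e.email] = e
        return e.secret_b            # spoken face to face, after the ID check

    def challenge(self, email, key_fpr, key_uid_emails):
        """Return the mail body, but only if the fetched key matches the slip."""
        e = self.entries[email.lower()]
        if norm_fpr(key_fpr) != e.fingerprint:
            raise ValueError("fingerprint differs from the slip")
        if e.email not in (a.lower() for a in key_uid_emails):
            raise ValueError("slip address is not on the key")
        e.secret_d = six_digits()
        while e.secret_d == e.secret_b:      # D must differ from B
            e.secret_d = six_digits()
        return f"{e.secret_a} {e.secret_d}"  # encrypt to the key, then send

    def reply_ok(self, email, reply_text, good_sig_fpr):
        """good_sig_fpr: key your gpg check says signed the reply, or None (assumed)."""
        e = self.entries[email.lower()]
        if not e.secret_d or good_sig_fpr is None:
            return False
        numbers = {int(n) for n in re.findall(r"\d+", reply_text)}
        return (norm_fpr(good_sig_fpr) == e.fingerprint
                and {e.secret_b, e.secret_d} <= numbers)
```

A reply that carries only Secret D fails the check, because D travels by mail
while B was handed over only in person.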
When both parties want to sign each other's key.
- Look at each other's picture ID's. Make sure the names match.
- You should think up a random integer (Secret A), and tell it to the
other person.
- Make sure you have a slip containing the name, email address, random
number you generated (Secret A), and a secret word that the person has
created (Secret B). Check the name against the picture ID's.
- Obtain the public key for that person (either from public servers, or
a physical copy on a floppy, or whatever).
- Check to see if the fingerprint matches. Check to see that the ID has
the same name as found on the picture ID's you saw. Make sure the
email addresses match.
- Create another random integer (Secret C), different from the one you
gave that person before (Secret A). Send a mail message, containing the
secret word that the person gave you (Secret B), the new number you
generated (Secret C), encrypted with the key you just obtained, sent
to the email address in the key.
- The second party should now create a new random number, (Secret D),
and send back the number you gave them (Secret A), the new number you
created (Secret C), and the new random number they generated (Secret
D), signed by their key, and encrypted by your key, sent to your email
addresses.
- If you get this reply that contains both the old (Secret B) and the
new (Secret C) numbers, and is signed by the key you are supposed to
sign, everything checks out. The person:
  - controls the secret key,
  - is present at that address, and
  - knows the secret you gave in person after checking ID's.
- You should then reply to the person, sending in the new secret they
sent you (Secret D). This shall verify to the other person that you,
in turn:
  - control your secret key,
  - control that email address, and
  - know the secret he gave in person after checking ID's.
- Sign the key, and mail it to the email address you have been using.
Addendum
There are potentially four secrets involved, two exchanged in the face to
face meeting, a third created in the first email, and potentially a second
created in the acknowledgment. This is anal retentive (not a bad thing in
security, really), but it ensures (to a reasonable degree) that the person
whose ID you checked does indeed control the email address, and can indeed
use the private key corresponding to the public key you are signing.
This may be more work than is generally done, but is more secure than most
ad hoc key signing sessions I have attended ;-)
I generally ask for two forms of ID, but even that is not perfect (nothing
is).
I think you are missing something. See, I meet John Smith. He shows me
photo-ID. He gives me fingerprint of his public key. I download key
from key server, and check the fingerprint. I check the ID matches the photo
ID's I saw. I sign just that ID. Now tell me again, how short of forging two
picture ID's, there is a flaw in this.
The above is Manoj's Protocol. I formatted it from an email that I
received. I am solely responsible for any typographical, procedural, spelling,
formatting or other errors that may have occurred in the translation.
This comes with no warranty, expressed, implied, stated, or hinted at. This
is not a product, but a procedure. You may use it, and spread it. If you
improve upon it, please let myself and/or Manoj know.
Below is a variation of the protocol that meets all of the purposes
without having to send multiple emails back and forth.
At the meeting, you verify Mr. X's identification (picture matches face,
name on ID matches name on key) and get his key's fingerprint(s). Once you
get home, you verify that the fingerprint(s) Mr. X gave you matches the
fingerprint(s) of his public key(s).
For each UID with an email address, you sign with each of your private
keys that you wish to use. You then take that key, export it, and encrypt
it to the public key that you just signed. You take that newly signed and
encrypted key, and send it to the email of the UID that you just signed.
You are done. It is now up to Mr. X to receive it (thus validating the
email address), decrypt it (thus validating that he has control of the
secret key), and upload it to keyservers worldwide.
Using this method, it is very important to only sign the UID's that match
the email address you are going to send out. This means if the key has
multiple email addresses on it, which is quite common, you must start with a
clean key for each new email address/UID that you wish to sign.
Personally, I use a temporary public keyring to hold Mr. X's key, then
destroy the keyring and all signed keys after sending out the emails. This
way, if I ever upload my keyring to a keyserver, no unverified signed keys
will escape. I wrote a simple script to assist with this procedure, and you
may have a copy of it: keysign.sh
Author: John H. Robinson, IV <jaqque@debian.org>
$Id: keysign.html,v 1.3 2003/07/24 05:35:24 jaqque Exp $