Manoj's Key-Signing Protocol

Table of Contents

Purpose

To allow a potential key-signer know that a person is who she claims to be, that she has the passphrase of the key to be signed, and she receives email from at least one email address listed on her key.

Weaknesses

Protocol

Preliminary Steps

  1. Everyone comes to the meeting with 2 picture ID's, at least one of which is issued by the government.
  2. Everyone comes with lots and lots of slips of paper containing their name, email address, and key fingerprint of a key available on a public server (the alternative is a laptop and floppies, and people gather public keys on their floppy from other peoples floppies rather than downloading keys offline from public servers). The name on the slip must match the name on the picture ID's.
  3. Everyone has a sheet of paper, and a pen.

To Have Your Key Signed

  1. You think up a arbitrary word (call it Secret A), and write it on one of the slips of paper. On your sheet of paper, you make an entry for Mr. X, and you write this random word there.
  2. You ask Mr. X for a random integer (call it secret B). Write it down on the slip of paper, and hand it to Mr X. On your sheet, write down that number on the line corresponding to Mr X. (you may want to get his email too, for reminder)
  3. Repeat with Mr. Y, and so on.
  4. Wait for Mr. X to send you encrypted mail containing your secret word (Secret A), and a new number (Secret C). You look up Mr. X in your sheet, match the word (Secret A), and get the number he gave you (Secret B). Write both numbers (the old one on the sheet of paper he gave you in person (Secret B), and the new one in the email message (Secret C)) in a mail message, sign, and possibly encrypt with Mr. X's key. Send it back to Mr. X. This tells Mr. x that:
  5. Mr. X sends your key back to you, with his signature.

To Sign Another Key

  1. Look at the picture ID's. Make sure the names match.
  2. Think up a random integer (Secret B), and tell it to the person requesting the signature.
  3. Make sure you have a slip containing the name, email address, random number you generated, and a secret word that the person has created (Secret A). Check the name against the picture ID's.
  4. Obtain the public key for that person (either from public servers, or a physical copy on a floppy, or whatever).
  5. Check to see if the fingerprint matches. Check to see that the ID has the same name as found on the picture ID's you saw. Make sure the email addresses match.
  6. Create another random integer (Secret D), different from the one you gave that person before (Secret B). Send a mail message, containing the secret word that the person gave you (Secret A), the new number you generated (Secret D), encrypted with the key you just obtained, sent to the email address in the key.
  7. If you get a reply that contains both the old (Secret B) and the new (Secret D) numbers, and is signed by the key you are supposed to sign, everything checks out. The person:
  8. Sign the key, and mail it to the email address you have been using.

Double Key-Signing

When both parties want to sign each others key.
  1. Look at each others picture ID's. Make sure the names match.
  2. You should think up a random integer (Secret A), and tell it to the other person.
  3. Make sure you have a slip containing the name, email address, random number you generated (Secret A), and a secret word that the person has created (Secret B). Check the name against the picture ID's.
  4. Obtain the public key for that person (either from public servers, or a physical copy on a floppy, or whatever).
  5. Check to see if the fingerprint matches. Check to see that the ID has the same name as found on the picture ID's you saw. Make sure the email addresses match.
  6. Create another random integer (Secret C), different from the one you gave that person before (Secret A). Send a mail message, containing the secret word that the person gave you (Secret B), the new number you generated (Secret C), encrypted with the key you just obtained, sent to the email address in the key.
  7. The second party should now create a new random number, (Secret D), and send back the number you gave them (Secret A), the new number you created (Secret C), and the new random number they generated (Secret D), signed by their key, and encrypted by your key, sent to your email addresses.
  8. If you get this reply that contains both the old (Secret B) and the new (Secret C) numbers, and is signed by the key you are supposed to sign, everything checks out. The person:
  9. You should then reply to the person, sending in the new secret they sent you (Secret D). This shall verify to the other person that you, in turn:
  10. Sign the key, and mail it to the email address you have been using.

Addendum

There are potentially four secrets involved, two exchanged in the face to face meeting, a third created in the first email, and potentially a second created in the acknowledgment. This is anal retentive (not a bad thing in security, really), but it ensures (to a reasonable degree) that the person whose ID you checked does indeed control the email address, and can indeed use the private key corresponding to the public key you are signing.

This may be more work than is generally done, but is more secure than most ad hoc key signing sessions I have attended ;-)

I generally ask for two forms of ID, but even that is not perfect (nothing is).

I think you are missing something. See, I meet John Smith. He shows me photo-ID. He gives me fingerprint of his public key. I download key from key server, and check the finger print. I check the ID matches the photo ID's I saw. I sign just that ID. Now tell me again, how short of forging two picture ID's, there is a flaw in this.

Notes

The above is Manoj's Protocol. I formatted it from an email that I received. I am soley responsible for any typographical, procedural, spelling, formatting or other errors that may have occured in the translation.

This comes with no warranty, expressed, implied, stated, or hinted at. This is not a product, but a procedure. You may use it, and spread it. If you improve upon it, please let myself and/or Manoj know.


Author: John H. Robinson, IV <jaqque@debian.org>
Date: Thu, 22 Mar 2001 16:53:00 -0800

Valid HTML 2.0!
I write valid HTML.