Manoj's Key-Signing Protocol
To allow a potential key-signer know that a person is who she claims to
be, that she has the passphrase of the key to be signed, and she receives
email from at least one email address listed on her key.
- The key could be compromised, and no one aware of it.
- The identifications could be faked.
- Everyone comes to the meeting with 2 picture ID's, at least one of
which is issued by the government.
- Everyone comes with lots and lots of slips of paper containing their
name, email address, and key fingerprint of a key available on a
public server (the alternative is a laptop and floppies, and people
gather public keys on their floppy from other peoples floppies rather
than downloading keys offline from public servers). The name on the
slip must match the name on the picture ID's.
- Everyone has a sheet of paper, and a pen.
- You think up a arbitrary word (call it Secret A), and write it on one
of the slips of paper. On your sheet of paper, you make an entry for
Mr. X, and you write this random word there.
- You ask Mr. X for a random integer (call it secret B). Write it down
on the slip of paper, and hand it to Mr X. On your sheet, write down
that number on the line corresponding to Mr X. (you may want to get
his email too, for reminder)
- Repeat with Mr. Y, and so on.
- Wait for Mr. X to send you encrypted mail containing your secret word
(Secret A), and a new number (Secret C). You look up Mr. X in your
sheet, match the word (Secret A), and get the number he gave you
(Secret B). Write both numbers (the old one on the sheet of paper he
gave you in person (Secret B), and the new one in the email message
(Secret C)) in a mail message, sign, and possibly encrypt with Mr. X's
key. Send it back to Mr. X. This tells Mr. x that:
- You control your secret key,
- you control that email address, and
- You know the secret he gave in person after checking ID's.
- Mr. X sends your key back to you, with his signature.
- Look at the picture ID's. Make sure the names match.
- Think up a random integer (Secret B), and tell it to the person
requesting the signature.
- Make sure you have a slip containing the name, email address, random
number you generated, and a secret word that the person has created
(Secret A). Check the name against the picture ID's.
- Obtain the public key for that person (either from public servers, or
a physical copy on a floppy, or whatever).
- Check to see if the fingerprint matches. Check to see that the ID has
the same name as found on the picture ID's you saw. Make sure the
email addresses match.
- Create another random integer (Secret D), different from the one you
gave that person before (Secret B). Send a mail message, containing the
secret word that the person gave you (Secret A), the new number you
generated (Secret D), encrypted with the key you just obtained, sent
to the email address in the key.
- If you get a reply that contains both the old (Secret B) and the new
(Secret D) numbers, and is signed by the key you are supposed to sign,
everything checks out. The person:
- controls the secret key,
- is present at that address, and
- knows the secret you gave in person after checking ID's.
- Sign the key, and mail it to the email address you have been using.
When both parties want to sign each others key.
- Look at each others picture ID's. Make sure the names match.
- You should think up a random integer (Secret A), and tell it to the
other person.
- Make sure you have a slip containing the name, email address, random
number you generated (Secret A), and a secret word that the person has
created (Secret B). Check the name against the picture ID's.
- Obtain the public key for that person (either from public servers, or
a physical copy on a floppy, or whatever).
- Check to see if the fingerprint matches. Check to see that the ID has
the same name as found on the picture ID's you saw. Make sure the
email addresses match.
- Create another random integer (Secret C), different from the one you
gave that person before (Secret A). Send a mail message, containing the
secret word that the person gave you (Secret B), the new number you
generated (Secret C), encrypted with the key you just obtained, sent
to the email address in the key.
- The second party should now create a new random number, (Secret D),
and send back the number you gave them (Secret A), the new number you
created (Secret C), and the new random number they generated (Secret
D), signed by their key, and encrypted by your key, sent to your email
addresses.
- If you get this reply that contains both the old (Secret B) and the
new (Secret C) numbers, and is signed by the key you are supposed to
sign, everything checks out. The person:
- controls the secret key,
- is present at that address, and
- knows the secret you gave in person after checking ID's.
- You should then reply to the person, sending in the new secret they
sent you (Secret D). This shall verify to the other person that you,
in turn:
- control your secret key,
- control that email address, and
- know the secret he gave in person after checking ID's.
- Sign the key, and mail it to the email address you have been using.
Addendum
There are potentially four secrets involved, two exchanged in the face to
face meeting, a third created in the first email, and potentially a second
created in the acknowledgment. This is anal retentive (not a bad thing in
security, really), but it ensures (to a reasonable degree) that the person
whose ID you checked does indeed control the email address, and can indeed
use the private key corresponding to the public key you are signing.
This may be more work than is generally done, but is more secure than most
ad hoc key signing sessions I have attended ;-)
I generally ask for two forms of ID, but even that is not perfect (nothing
is).
I think you are missing something. See, I meet John Smith. He shows me
photo-ID. He gives me fingerprint of his public key. I download key
from key server, and check the finger print. I check the ID matches the photo
ID's I saw. I sign just that ID. Now tell me again, how short of forging two
picture ID's, there is a flaw in this.
The above is Manoj's Protocol. I formatted it from an email that I
received. I am soley responsible for any typographical, procedural, spelling,
formatting or other errors that may have occured in the translation.
This comes with no warranty, expressed, implied, stated, or hinted at. This
is not a product, but a procedure. You may use it, and spread it. If you
improve upon it, please let myself and/or Manoj know.
Author: John H. Robinson, IV <jaqque@debian.org>
Date: Thu, 22 Mar 2001 16:53:00 -0800
I write valid HTML.