Keysigning Party, Web Of Trust, PGP? What’s that all about?
by The_Code on Sep.01, 2011, under openSUSE
As announced in my previous post there will again be a keysigning party at the openSUSE conference 2011. As time flies by and I have yet only received very few keys, I thought it might be a good idea to talk a little bit about what this whole thing is about and why you should participate.
What is a PGP Key?
Well, let’s start with the basics. I could explain in all detail what a PGP key is and what PGP is, but if you want to know that, please visit Wikipedia; there is no need to repeat everything that is written there. Let’s start with a rough overview instead. PGP relies on public-key cryptography, which uses two types of keys, public and private. The heart of public-key cryptography are one-way functions, which are designed to make it practically impossible to derive the private key from the public key (or the other way round).
So when you generate a PGP key pair (most likely using gpg --gen-key) you are actually creating two keys, a public and a private one. The public key is the one you can distribute (and in fact should); it is not a secret and is “mostly harmless”. The private key must be kept secret and must never be distributed.
What is a PGP Key good for?
If you have published your public key to a keyserver (e.g. hkp://pgp.mit.edu:11371) everybody can access it and use it to send encrypted messages to you. Due to the design of public-key cryptography everybody can use your public key to encrypt messages for you, but only you can decrypt these messages, using your private key. Without the private key the message cannot be decrypted, so we do have secure communication.
In addition to decrypting, your private key can also be used to digitally sign messages, and these signatures can be verified by everybody using your public key. So we also have a way of authentic communication, do we?
What is the Web Of Trust?
Again Wikipedia has an article on the web of trust, so I only want to give the most important points. Talking about authentic communication, we are not done yet: I can verify that you have been using the private key matching the public key that I used, but this does not mean that I can trust that you really are who you claim to be. This is where the web of trust comes into play, and keysigning parties too.
You can digitally sign keys to indicate that you trust the owner of the key, i.e. that you are sure he is who he claims to be. Taking the typical Alice and Bob scenario: Alice has met Bob in person and trusts his key, as they have exchanged their key fingerprints, and Bob also trusts Alice’s key. In addition Bob has also met Carol and Dave, exchanged keys with them and signed their keys. If Carol sent a digitally signed message to Alice, Alice would be able to verify the signature but would not trust the key. But as Alice has signed Bob’s key and trusts Bob to only sign the keys of people he has really met, Alice can decide to also trust keys that carry a signature from Bob; this way Alice would also trust Carol and Dave, and we have built a small web of trust.
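The decision Alice makes in that paragraph is mechanical enough to write down. The following is an added example for this post, not code from the post and not GnuPG’s trust database implementation: it computes which keys are valid from Alice’s point of view given who signed whom and how far Alice trusts each signer to check identities (GnuPG calls this owner trust). The thresholds follow GnuPG’s documented defaults (--completes-needed 1, --marginals-needed 3, --max-cert-depth 5); the key names, the signature graph and the extra keys Erin and Frank are constructed to show the marginal-trust case as well.

```python
"""Added example: web-of-trust validity computation (illustrative, not GnuPG code).

A key is valid for `me` if I signed it myself, or if enough valid keys whose
owners I trust have signed it: one fully trusted signer, or three marginally
trusted signers, within a certification-path depth of five. Thresholds mirror
GnuPG's defaults; the graph below is a constructed sample.
"""

FULL, MARGINAL = "full", "marginal"

# Constructed certification graph: signer -> set of keys that signer has signed.
SIGNATURES = {
    "alice": {"bob"},
    "bob": {"carol", "dave", "erin"},
    "carol": {"frank"},
    "dave": {"frank"},
    "erin": {"frank"},
}


def compute_validity(me, signatures, owner_trust,
                     completes_needed=1, marginals_needed=3, max_depth=5):
    """Return the set of keys that are valid from `me`'s point of view.

    owner_trust maps a key to FULL or MARGINAL: how far `me` trusts that
    key's owner to verify identities before signing other keys. `me` is
    implicitly ultimately trusted. Validity is propagated in rounds so that
    chains such as me -> bob -> carol are found whatever the input order.
    """
    keys = set(signatures) | {k for s in signatures.values() for k in s} | {me}
    valid = {me: 0}  # key -> certification-path depth from me
    changed = True
    while changed:
        changed = False
        for cand in keys - set(valid):
            full = marginal = 0
            depth = None
            for signer, signed in signatures.items():
                if cand not in signed or signer not in valid:
                    continue  # only signatures from already-valid keys count
                if valid[signer] >= max_depth:
                    continue  # too far from me to introduce anyone
                if signer == me or owner_trust.get(signer) == FULL:
                    full += 1
                elif owner_trust.get(signer) == MARGINAL:
                    marginal += 1
                else:
                    continue  # valid key, but I do not trust its owner as a certifier
                d = valid[signer] + 1
                depth = d if depth is None else min(depth, d)
            if full >= completes_needed or marginal >= marginals_needed:
                valid[cand] = depth
                changed = True
    return set(valid)


if __name__ == "__main__":
    # Alice signed Bob and trusts him fully: Carol, Dave and Erin become valid
    # without Alice ever meeting them; Frank does not, because Alice has given
    # no owner trust to the three keys that signed him.
    print(sorted(compute_validity("alice", SIGNATURES, {"bob": FULL})))
    # With marginal trust in Carol, Dave and Erin, their three signatures
    # together make Frank valid.
    marginals = {"bob": FULL, "carol": MARGINAL, "dave": MARGINAL, "erin": MARGINAL}
    print(sorted(compute_validity("alice", SIGNATURES, marginals)))
```

Two things worth noticing when you vary the inputs: a signature only counts once the signer’s own key is valid, and a valid key introduces nobody unless Alice has assigned owner trust to it. Signing a key and trusting its owner as a certifier are separate decisions, which is why a keysigning party produces signatures but every participant still sets owner trust for themselves.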
Why should I participate in a keysigning party?
The fast and straightforward reply to this is: to become part of the web of trust. That is basically it: once you are part of the web of trust, people can identify you as being who you claim to be without ever meeting you, because somebody they know might have signed your key.
Specifically talking about openSUSE and about the keysigning party at the openSUSE conference, this can be used to build the openSUSE web of trust.
And last but not least, it’s great fun, and there is not really a lot that needs to be done!