PGP stands for Pretty Good Privacy, computer software that can protect the contents of messages, text, and files. It is considered a highly effective form of information security, and was used by Edward Snowden in 2012 to leak classified documents from the NSA to journalist Glenn Greenwald.
PGP software was originally developed by Phil Zimmermann in 1991. Soon after its release Zimmermann became the target of a three-year criminal investigation in the U.S. for allegedly making PGP available overseas. At that time the export of strong cryptographic systems like PGP required a license and was subject to U.S. arms trafficking controls. In his defense Zimmermann challenged the regulations by publishing PGP’s source code in a book widely distributed by MIT Press, then claiming constitutional protection that would establish the source code for cryptographic software as freedom of speech. The criminal investigation against Zimmermann was subsequently dropped. In two separate but similar cases dating from the same time, U.S. courts have ruled that software source code is speech protected by the First Amendment of the U.S. Constitution.
Still, despite these legal precedents and notwithstanding growing protest against mass data collection and surveillance by governments and corporations around the world, PGP is considered too difficult for the average citizen to use. The technology at the heart of PGP, public key encryption, is still considered a subject for hackers and nerds, even while it becomes more widespread and more valuable every day. In fact, public key encryption is a cornerstone of Bitcoin and other cryptocurrencies, and the race is on to develop cryptographic applications that are friendlier and easier for anyone to use.
Digital rights foundations like the EFF in the U.S. or Bits of Freedom in The Netherlands regularly conduct educational campaigns to encourage the use of PGP. Bitcoin Wednesday and The Dutch Bitcoin Foundation support a wider understanding and use of public key cryptography in The Netherlands as critical to the digital currency revolution. We have therefore invited Bits of Freedom sponsor and activist Rob van der Wouw to give a short presentation about the basics of key signing at Bitcoin Wednesday’s conference on 5 August 2015, followed by a short demonstration of how it is done. After the public demo Rob will be on hand to supervise a live key signing, giving Bitcoin Wednesday members the opportunity to meet and verify each other’s online identities as well as their corresponding public keys. Anyone who is interested in improving their basic understanding of public key cryptography and, in fact, knowing a little more about how Bitcoin works, will enjoy Rob’s presentation.
What is PGP?
PGP is a set of tools that allows you to encrypt your email communication as well as other types of messages, text and files in a very safe way.
What is the concept behind key signing?
PGP keys are used to communicate safely with other people. But how do you know if the PGP key you have from someone can be trusted? If you do not know for sure that a PGP public key really belongs to the person you are sending your encrypted email to, you will never know for sure if that person is actually the only one capable of reading your message. The other way around: if you receive an email from a person that is signed with his or her PGP signature, how do you know for sure that the signature really is coming from that person?
This is where the concept of “key signing” comes into play. Unless you have received a PGP public key from someone in person, verified its public key fingerprint immediately and you really know that that person is who he/she claims to be, you have to rely on other ways to become confident in the authenticity of a person’s public PGP key. When someone signs a PGP public key from someone else, he or she expresses the belief that the public key is authentic and that the mail address of that person and their name are what they seem to be.
To increase the trust you can have in a specific public key, you either have to verify that key in person yourself or you can rely on others who have gone through this process already. When a lot of people sign your public key, all those people are vouching for its authenticity. Going into detail on trust levels and key validities is again out of scope of this invitation. If you want to know more about it, please read this really good introduction.
Bottom line: when your public key is signed by a lot of people, your key becomes more trustworthy. A great way to receive new signatures on your public key is to attend a PGP Key Signing Party (a KSP). At a KSP you can meet other people who have, just like you, signed up to be at this party and who are serious in their approach to encryption. You do not need to know these people in person, but you will need to make an effort during the party to verify these people’s identities and corresponding PGP public keys.
By hosting key signings Bitcoin Wednesday can help strengthen the network of trusted keys in the Dutch digital currency sector.
How will the key signing work?
The KSP has three phases: (1) the introduction, (2) the event, and (3) the day after.
1. If you want to participate in this party you need to have installed PGP on your computer, created your PGP keys, uploaded your PGP public key to a public key server and finally integrated it in your favorite mail program. It is beyond the scope of this invitation to include a tutorial on this subject. Again, for Dutch readers, the Toolbox site from Bits of Freedom provides excellent tutorials on how to install and configure PGP on your favorite operating system. For readers of other languages, use your search engine of choice to find appropriate guides to PGP in your preferred language.
2. At the event itself, you can leave your computer at home, but please bring a pen. It is recommended but not required that you also have two government-issued IDs such as a passport, driver’s license or ID card with you. Each participant in the signing decides individually when and to whom he or she will show a proof of ID and whether he or she wants to sign someone else’s key. At the start of the key signing, Rob will project the public key fingerprints of all participants on a large screen and ask every individual to personally check their own fingerprint and announce that it is correct. He will then supervise the event so that all participants will have the opportunity to verify each other’s public key fingerprints and identities.
3. The next day you will receive instructions so you can digitally sign all the public keys that you have verified and mail the owners of those keys their public keys with your signature on them. They will do the same, and in a couple of days you will have received a number of mails with new signatures for your public key. You import these signatures to your own public key and, when you think you have received them all, you can publish your public key with all the brand new signatures on it to a public key server, which concludes the process.
For each of these steps Rob will provide more detailed instructions. Linux (Debian-based) users will have an advantage, since there is software available to assist you in this process. Apple Mac OS-X and Windows users will have to perform some of the tasks more manually.
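The day-after step depends on signing only those downloaded keys whose full fingerprint matches what you confirmed in person. The following is an added example, not part of the original invitation or of Rob's instructions: it assumes GnuPG's `--with-colons` listing format, and the function names, the checklist layout and all sample data are made up for illustration.

```python
# Added example: which downloaded keys match what was verified at the party?
# All names, key IDs and fingerprints below are constructed sample data.

# Constructed `gpg --with-colons --fingerprint` output for two downloaded keys.
SAMPLE_LISTING = """\
pub:-:4096:1:1111222233334444:1438000000:::-:::scESC:
fpr:::::::::AAAA0000BBBB1111CCCC2222DDDD3333EEEE4444:
uid:-::::1438000000::HASH1::Alice Example <alice@example.org>:
sub:-:4096:1:5555666677778888:1438000000::::::e:
fpr:::::::::9999000099990000999900009999000099990000:
pub:-:4096:1:9999AAAABBBBCCCC:1438000000:::-:::scESC:
fpr:::::::::FFFF0000FFFF0000FFFF0000FFFF0000FFFF0001:
uid:-::::1438000000::HASH2::Bob Example <bob@example.org>:
"""

# Constructed paper checklist: (fingerprint as written, fingerprint confirmed, ID checked)
SAMPLE_CHECKLIST = [
    ("aaaa 0000 bbbb 1111 cccc 2222 dddd 3333 eeee 4444", True, True),
    ("FFFF 0000 FFFF 0000 FFFF 0000 FFFF 0000 FFFF 0002", True, True),  # server copy differs
    ("9999 0000 9999 0000 9999 0000 9999 0000 9999 0000", True, False),  # subkey fpr, no ID
]

def normalize(fingerprint):
    """Strip spacing and case so written and machine forms compare equal."""
    return "".join(fingerprint.split()).upper()

def primary_keys(listing):
    """Map each primary-key fingerprint to its user IDs (subkey fpr lines are ignored)."""
    keys, current, after_pub = {}, None, False
    for line in listing.splitlines():
        field = line.split(":")
        if field[0] in ("pub", "sub"):
            after_pub = field[0] == "pub"
        elif field[0] == "fpr" and after_pub:
            current, after_pub = field[9], False
            keys[current] = []
        elif field[0] == "uid" and current:
            keys[current].append(field[9])
    return keys

def signing_decisions(listing, checklist, require_id=True):
    """Return {fingerprint: 'sign' or a reason to skip} for every checklist entry."""
    downloaded, result = primary_keys(listing), {}
    for written, fpr_confirmed, id_checked in checklist:
        fpr = normalize(written)
        if len(fpr) != 40:  # assumption: 160-bit (v4) fingerprints, 40 hex digits
            result[fpr] = "skip: not a full fingerprint"
        elif not fpr_confirmed or (require_id and not id_checked):
            result[fpr] = "skip: not verified at the party"
        elif fpr not in downloaded:
            result[fpr] = "skip: downloaded key does not match"
        else:
            result[fpr] = "sign"
    return result
```

Setting `require_id=False` models the signing policy of participants who only care that the fingerprint is correct.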
Do I really need to bring two government issued IDs?
No, showing your identification to anyone at this event is strictly optional. It is completely up to the other participants to decide if they are willing to validate your identity and sign your key based on the information you do or do not provide. At the same time, it is up to you whether or not you want to sign someone else’s public key.
Two IDs is only suggested because traditionally it minimizes the risk of identity fraud. While you cannot expect the other KSP attendees to know how to check if a photo ID is actually a real one and not a fake, you can increase your credibility if you can show more than one ID. Some people are not interested in your real life identity at all. They only want to make sure that the public key they have from you is correct, which is something that can be checked by its fingerprint alone. These individuals are usually people you already know somehow.
How do I validate that a person matches his or her official ID document?
Each participant decides his or her own signing policy. Don’t be bothered if someone else comes to a different decision than you about whether to trust someone’s ID or validate someone’s identity. Some people have stronger requirements than others. As a rule of thumb, do not only check the photo of the ID, but also the name of the person. Data on the ID can vary widely depending on the type of ID and the issuing country, so it’s completely at your own discretion which data you want to check.
Some data that can be checked on an ID can include:
- Date of birth
- Eye color
- Expiration date
If you really want to be prepared, you can search the web for the security features of the diverse official government-issued documents.
Can I use a pseudonym instead of my real name?
Most people are not willing to sign a pseudonym. The point of signing is that you testify that a person is who he or she claims to be, and that is difficult to prove for pseudonyms. Therefore, if your pseudonym is not listed on your government-issued ID (as is possible in Germany for artists and clerics), it’s unlikely that your key will be signed.