David A. Harding
Saturday, 01 Jul 2006
On 14 June 2007, I organised a keysigning party at LUG/IP. 22 people sent me their public GPG keys and 20 of them showed up. I mostly followed the instructions on the flyer I published prior to the event. There was one hitch—entirely my fault—I neglected to instruct participants to verify their digital fingerprints prior to the keysigning party. Luckily, most people verified their digital fingerprints anyway and I was able to create an ad hoc procedure for post facto verification.
The identity checking portion of the keysigning took 5 minutes longer than I anticipated: 25 minutes for 20 people. I called out, "shift to your right" every minute or so. In retrospect, I think I could have instructed everyone to shift to the right at their own pace. We would've finished sooner and I wouldn't have felt so awkward.
After the keysigning, I sent an email to all the participants. I added all of them to 1 big Bcc: line and my Internet Service Provider (ISP), cruelly, silently dropped the email. The next morning I discovered no one received the email, and I used my bulk-emailing script to resend the email.
About half of the signed keys came back in the next two days. Another quarter came back during that same week. Then I sent an email to everyone who hadn't returned keys asking if they needed help, but most of them still—two weeks after the keysigning party—haven't sent me the signed keys.
I used a script by a member of the Philadelphia Linux User's Group called sig2dot and a program from the GraphViz package called neato to graph the key relationships:
I enjoyed organising and participating in the keysigning party, and I've tentatively scheduled a follow-up party for December.