The common technique for signing a large number of keys
after a key-signing party is to, well, simply sign all
keys and mail them to their owners. But this might not
be the best way, because when you sign a key, you often
sign many uids with different e-mail addresses. If
any but one of these addresses don't work, you won't notice,
because you signed all of them and mailed the result around.
Thus your signature certifies that this key belongs
to addresses it doesn't really belong to.
To avoid this, Peter Palfrader
wrote caff. This Perl script
converts keys with many uids to many keys with just one
uid each, and signs these. It then encrypts each signed
key with itself and sends it to the e-mail address in
the uid. This helps to ensure that you don't sign uids
with e-mail addresses which aren't under the control of
the signee. Caff removes other signatures from the keys
as well, to make the mails smaller and easier to process.
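The per-uid split described above, as an added sketch that is not caff's own code (caff is Perl): it parses a constructed `gpg --with-colons` listing and plans one signature and one mail per uid, so each signature only ever reaches the mailbox named in the uid it certifies. The sample key, the function names, and the choice to skip revoked uids and uids without an address are assumptions of this example.

```python
import re

# Constructed `gpg --with-colons --fixed-list-mode --list-keys` output; the key,
# fingerprint and names are made up. Field 2 is validity, field 10 the uid.
SAMPLE_LISTING = """\
pub:-:1024:17:0123456789ABCDEF:1072915200:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1072915200::HASH1::Alice Example <alice@example.org>:
uid:-::::1072915200::HASH2::Alice Example (work) <alice@corp.example>:
uid:r::::1072915200::HASH3::Alice Example <old@example.net>:
uid:-::::1072915200::HASH4::Alice Example (backup\\x3a offline):
sub:-:2048:16:FEDCBA9876543210:1072915200::::::e:
"""

def unescape(field):
    """Undo gpg's \\xNN escaping (a literal ':' in a uid is listed as \\x3a)."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)

def plan_mails(listing):
    """Return (jobs, skipped): one job per usable uid, each going only to that
    uid's own address, encrypted to the key being signed."""
    fingerprint, jobs, skipped = None, [], []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and fingerprint is None:
            fingerprint = fields[9]          # primary key fingerprint
        elif fields[0] == "uid":
            uid = unescape(fields[9])
            match = re.search(r"<([^<>\s]+@[^<>\s]+)>\s*$", uid)
            if fields[1] in ("r", "e"):      # assumption: skip revoked/expired uids
                skipped.append((uid, "revoked or expired"))
            elif match is None:              # assumption: nowhere to mail it
                skipped.append((uid, "no e-mail address"))
            else:
                jobs.append({"sign_uid": uid, "encrypt_to": fingerprint,
                             "mail_to": match.group(1)})
    return jobs, skipped

if __name__ == "__main__":
    jobs, skipped = plan_mails(SAMPLE_LISTING)
    for job in jobs:
        print(f"sign only {job['sign_uid']!r}, encrypt to {job['encrypt_to']}, "
              f"mail to {job['mail_to']}")
    for uid, reason in skipped:
        print(f"skip {uid!r}: {reason}")
```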
The script needs the experimental
gnupg-1.3.92 (check
gnupg-1.3.92.tar.gz.sig)
and the Perl module GnuPG::Interface.
Peter Palfrader is the author of caff; I merely added a
few features to allow signing with multiple and older keys,
and to have caff just save the mails in a folder instead
of sending them off at once.
NEWS
Fixed an error in the handling of extensions (e.g. idea).