Identity and Encryption Verification

by xnite

Given the recent leak of the spying program known as PRISM, a lot of people in our community have been worried about how safe their communications online actually are.  In light of these events, I decided it would be a good time to start talking about different methods of fingerprint and public key verification as well as key signing parties.  When we create a PGP public/private key pair, we are given a fingerprint for our key which is unique.  A key signing party consists of giving others this fingerprint in person, so that they can look your key up on a key server and sign the key with their own PGP key.  By signing your key, they are telling the world that they 100 percent trust that this key belongs to you.  The signed key can be placed up on a key server and others can view and verify the signatures.  It may not be a bad idea to start asking around 2600 meetings for others to sign your PGP key.

A common method of encrypted communication which I see and use is via OTR (Off-the-Record) on XMPP (Jabber) servers.  In this case, when you start an OTR conversation you transfer your public key to the other party and, in turn, you get their public key.  The client will usually ask you to verify the key by checking the fingerprint.  To check the fingerprint, you would usually want to be on the phone with the other party, or have already obtained a copy in person.  In many cases, this is not possible, so my favorite method of giving my OTR fingerprint to others is by creating a text file containing the fingerprint and signing the file with my PGP key.  This validates that my key was used to sign the message, and they can check to see who has signed my key and ultimately decide if they will trust my OTR fingerprint.

For people who are not willing to expose their true identity, it's hard for others to actually verify that they are who they say they are.  Nonetheless, that does not mean they cannot be trusted at all.  An example of one of these people might be a political activist or hacktivist.  These people usually communicate in plain text somewhere such as Twitter.  We tend to assume that we can trust that the posts coming from their Twitter account are actually them speaking, but please proceed with caution.  The best method that can be used to verify their identity is for them to place their key on a site such as Pastebin and then send the link over a channel where their identity can be vouched for (such as their Twitter account).  After people have their public PGP key, the person can share other information such as OTR fingerprints, throwaway email addresses, other usernames, etc. by placing them inside of signed PGP messages.

It is always good practice to give your PGP keys an expiry of at most six months to keep your keys fresh and secure.  After this, the signatures on your old key cannot be transferred to the new key, but there is still a way to let people know you are the same person.  What I do when a key is about to expire is sign my new PGP key with my most recent previous PGP key.  This way, people will see that I have signed my new key with the old one, and are able to check both keys to verify my identity.
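As an added example (not the article's own text or code), the following POSIX shell script walks through both workflows described above with GnuPG 2.1 or later: it clearsigns a text file containing an OTR fingerprint, as in the XMPP section, and certifies a freshly generated replacement key with the previous one, as in the key transition just described.  Everything runs in a temporary GNUPGHOME, so nothing touches your own keyring; the user IDs, the example.invalid address and the OTR fingerprint are constructed values.

```shell
#!/bin/sh
# Added example, not from the article: the two GnuPG workflows described in
# the text, run inside a throwaway keyring so nothing touches ~/.gnupg.
# The names, addresses and OTR fingerprint below are constructed.
set -eu

# Needs GnuPG 2.1 or later (for --pinentry-mode and the --quick-* commands);
# skip quietly elsewhere.
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping"; exit 0; }
case "$(gpg --version | head -n 1)" in
  *" 2."*) ;;
  *) echo "GnuPG 2.1+ required; skipping"; exit 0 ;;
esac

export GNUPGHOME
GNUPGHOME=$(mktemp -d /tmp/gnupg-demo.XXXXXX)
chmod 700 "$GNUPGHOME"

# gpg with the options every secret-key operation here needs: batch mode and
# an empty passphrase supplied over the loopback pinentry.
g() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Create a key with the six-month expiry the article recommends and print
# its fingerprint, taken from GnuPG's KEY_CREATED status line.
gen_key() {   # $1 = user ID
  g --status-fd 1 --quick-gen-key "$1" default default 6m 2>/dev/null |
    awk '$2 == "KEY_CREATED" { print $4 }'
}

# OTR workflow: clearsign a text file holding the fingerprint so recipients
# can see which PGP key vouches for it.
sign_fingerprint_file() {   # $1 = signer fpr, $2 = plain file, $3 = signed output
  g --local-user "$1" --output "$3" --clearsign "$2"
}

# Print "good" when the clearsigned file verifies and GnuPG's VALIDSIG status
# line names the expected key, otherwise "bad".
verify_fingerprint_file() {   # $1 = expected signer fpr, $2 = signed file
  if gpg --batch --status-fd 1 --verify "$2" 2>/dev/null |
       grep "^\[GNUPG:\] VALIDSIG " | grep -q "$1"
  then echo good; else echo bad; fi
}

# Key transition: certify the new key with the old one.
sign_new_key_with_old() {   # $1 = old fpr, $2 = new fpr
  g --local-user "$1" --quick-sign-key "$2"
}

# Print "yes" when the key in $2 carries a good certification from the key in
# $1.  In colon output a "sig" record has its validity in field 2 ("!" = good)
# and the signer's long key ID in field 5, which is the last 16 hex digits of
# the signer's fingerprint.
has_good_sig_from() {   # $1 = signer fpr, $2 = signed key fpr
  keyid=$(printf '%s' "$1" | tail -c 16)
  if gpg --batch --with-colons --check-sigs "$2" 2>/dev/null |
       awk -F: -v k="$keyid" '$1 == "sig" && $2 == "!" && $5 == k { f = 1 } END { exit !f }'
  then echo yes; else echo no; fi
}

OTR_FPR="0A1B2C3D 4E5F6071 8293A4B5 C6D7E8F9 00112233"   # constructed, not a real key
OLD_FPR=$(gen_key "Demo Person (2013 key) <demo@example.invalid>")
NEW_FPR=$(gen_key "Demo Person (2014 key) <demo@example.invalid>")

printf 'xmpp: demo@example.invalid\notr fingerprint: %s\n' "$OTR_FPR" > "$GNUPGHOME/otr.txt"
sign_fingerprint_file "$OLD_FPR" "$GNUPGHOME/otr.txt" "$GNUPGHOME/otr.txt.asc"
OTR_FILE_RESULT=$(verify_fingerprint_file "$OLD_FPR" "$GNUPGHOME/otr.txt.asc")

sign_new_key_with_old "$OLD_FPR" "$NEW_FPR"
TRANSITION_RESULT=$(has_good_sig_from "$OLD_FPR" "$NEW_FPR")
# The old key was never certified by the new one, so this direction stays "no".
REVERSE_RESULT=$(has_good_sig_from "$NEW_FPR" "$OLD_FPR")

echo "clearsigned fingerprint file verifies with old key: $OTR_FILE_RESULT"
echo "new key carries a good signature from the old key: $TRANSITION_RESULT"
echo "old key carries a signature from the new key:      $REVERSE_RESULT"

gpgconf --kill gpg-agent 2>/dev/null || true
rm -rf "$GNUPGHOME"
```

In practice you would sign with your real key rather than a throwaway one; what a correspondent runs on their side is just `gpg --verify` on the `.asc` file and `gpg --check-sigs` on the new key, and in both cases they should look for your old key's fingerprint, not merely a "good signature" message, since any key can produce one of those.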

This method of verification is probably not a good idea if your previous key has been compromised though.  Once a key is compromised, the person who compromised it could do anything with it, including creating a new key and signing it with your old key.  In this case, all trust in your old key is lost and you should start over fresh.

I hope at least one person out there takes something away from this, and if anyone has other methods of identity and encryption verification, please email me at xnite@xnite.org (please include "2600 [volume#]:" in the beginning of the subject line).

For those of you out there with XMPP and OTR, here's my username/fingerprint info: http://pastebin.com/NPX4ZM50.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

xnite@riseup.net:		83D4ECF1 35D1DF40 A384C019 67BD5CBE 6E9C5728
						64E9DB2E 6634E6D4 170D7BE9 E44E6627 1BB98E1D
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
[signature body not reproduced here]
=AVO6
-----END PGP SIGNATURE-----