GCC Developers' Summit

We are running a PGP keysigning party during the GCC Summit. This is an excellent chance to meet up with a group of geographically distributed developers and expand the Web of Trust.

Before the party, you need to ensure your key is on the public keyservers (we recommend wwwkeys.uk.pgp.net or keyserver.kjsl.com but any keyserver that synchronises with these two should work). Then send the output from gpg --fingerprint to keys @ gccsummit.org. Check the attendee list to make sure you're on it. Do this early as these keys will be printed with the conference programme.

During the party, you will need:

  • A writing implement and possibly something to lean on while you write.
  • A hardcopy of your fingerprint to be sure the printed one matches.
  • Photo ID. A passport is recommended.
  • To be there yourself. You can't delegate this.

A standard keysigning party has two phases. In phase 1, everybody ensures the fingerprint on their piece of paper is correct. This prevents the key organiser from substituting a fake key. In phase 2, you check photo IDs to make sure that the person is who they claim to be. After this you should feel reasonably confident in signing the other person's key.

Thanks to the key list being printed in the conference programme, we can follow a slightly different scheme. Start by verifying that the copy of your fingerprint printed in your programme matches the one you brought with you.

Then, while you attend the conference, meet up with other people on the list. Check that their fingerprint matches the one in your programme, that the picture on their photo ID matches the person standing in front of you, and that the name matches the user ID on their key. They will wish to check the same facts about you, so be sure to carry photo ID at all times. We shall congregate after the closing keynote to make sure that everyone has met everyone else.

Since you're making notes in your conference programme, you should take care to not leave it lying around where someone could make a check mark next to a fingerprint you haven't verified. It's also worth signing your name on the keysigning page of the programme to be sure you haven't inadvertently picked up somebody else's programme.

After the party is over, wait until you're back home at a computer you trust. Then download the keys from a keyserver (or here) and check that the fingerprints match those on your piece of paper. Sign the keys and send them back to the keyserver. Then check back here to see who has signed whose key.
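One way to do the fingerprint comparison before signing, as an added example (not part of the original page or the organisers' tooling). The function names and the sample listing are hypothetical. The listing file is assumed to hold the output of `gpg --with-colons --fingerprint` for the downloaded keys, and the verified file holds the fingerprints you ticked off on paper, one per line.

```shell
#!/bin/sh
# Added example: compare fingerprints verified in person with those of the
# downloaded keys, so only exact full-fingerprint matches get signed.

# Strip whitespace and upper-case, so a fingerprint typed in from paper
# ("0a1b 2c3d ...") compares equal to the machine-readable form.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr '[:lower:]' '[:upper:]'
}

# Read colon-format key listing on stdin and print each primary key's
# fingerprint (field 10 of the "fpr" record following a "pub" record).
# Subkey fingerprints are skipped: they are not what was checked on paper.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# check_keys LISTING VERIFIED
# Prints "OK <fpr>" or "MISMATCH <fpr>" for each verified fingerprint and
# returns 1 if any of them has no exact match among the downloaded keys.
check_keys() {
    ck_status=0
    while IFS= read -r ck_line; do
        [ -n "$ck_line" ] || continue
        ck_fpr=$(normalise_fpr "$ck_line")
        if primary_fprs <"$1" | grep -qxF "$ck_fpr"; then
            echo "OK $ck_fpr"
        else
            echo "MISMATCH $ck_fpr"
            ck_status=1
        fi
    done <"$2"
    return "$ck_status"
}

# Constructed sample listing (not real keys): one primary key, one subkey.
sample_listing() {
    cat <<'EOF'
pub:-:1024:17:89ABCDEF01234567:1054425600:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1054425600::::Example Attendee <attendee@example.org>:
sub:-:1024:16:76543210FEDCBA98:1054425600::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
}
```

Sign only keys reported as `OK`; a `MISMATCH` means the downloaded key is not the one whose fingerprint you checked in person.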

For more information on keysignings, the Web of Trust, GnuPG and Public Key Infrastructure, try the following links: