Roland van Ipenburg
Key Signing Policy

Tuesday 3 March 2009 21:26

After a couple of key signing parties it looks like I have some kind of key signing policy:

  1. Prior to a KSP I send my primary key ID 0x942CFFC4 to the organizers. This key is available on the keyservers, so that's all that's needed.
  2. At the KSP I expect the organizers to provide a hardcopy of the list of fingerprints of the participants of the KSP. I don't have a printer, so I don't bother with hardcopies myself.
  3. At the KSP I check the fingerprint listed as mine on the hardcopy provided to me against my fingerprint on my trusted GPG slip.
  4. KSP style checking of the other fingerprints, checking them off on the hardcopy.
  5. KSP style checking of IDs, checking them off on the hardcopy.
  6. After the KSP, keys with checked fingerprint and ID are fed to caff on the system that stores my primary key.
  7. After the KSP the successfully checked keys are imported into my keyring, preferably from a keyring sent by the organizers.

If every participant of the KSP does this everybody ends up with a bunch of encrypted keys containing signed keys in several mailboxes. The point of caff is that I don't really care what happens with the keys I've signed and sent. They could just be imported in a keyring so it enables trusted communication between me and that participant, or imported and released to a keyserver. That's up to the key signing policy of the participant to decide.

What I do is pipe every attachment through gpg2 --import, then do gpg2 --send-key 942CFFC4. If we then do a gpg2 --refresh-keys the signatures on our own key are synced, and the imported keys from the other members are updated, maybe including my sig. If my sig shows up through this route everything went ok and we can optionally add trust to that key to expand our web of trust.
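
The last check above ("if my sig shows up") can be scripted. The following is an added example, not part of the original post: it reads the machine-readable listing that gpg2 --with-colons --list-sigs prints and reports which keys carry a certification from a given key ID. The function names and the sample listing (including the upper half of the long key IDs) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# keys_signed_by SIGNER_ID: reads `gpg2 --with-colons --list-sigs` output on
# stdin and prints the long ID of each primary key certified by SIGNER_ID.
keys_signed_by() {
    awk -F: -v signer="$(printf '%s' "${1#0x}" | tr 'a-f' 'A-F')" '
        # A short ID such as 942CFFC4 matches the tail of the 16-digit long ID.
        function matches(id) {
            return length(id) >= length(signer) &&
                   substr(id, length(id) - length(signer) + 1) == signer
        }
        $1 == "pub" { current = $5; seen = 0; next }
        # Field 5 is the signer key ID, field 11 the signature class.
        # Classes 10-13 are certifications; 18 (subkey binding) is skipped,
        # and so are self-signatures, where the signer is the key itself.
        $1 == "sig" && !seen && $11 ~ /^1[0-3]/ && $5 != current && matches($5) {
            print current; seen = 1
        }
    '
}

# Constructed sample listing: the first key is the signer, the second carries
# a certification from it, the third has only its own self-signature.
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:AAAAAAAA942CFFC4:1236111960:::u:::scESC:
uid:u::::1236111960::::Signer (constructed) <signer@example.org>:
sig:::1:AAAAAAAA942CFFC4:1236111960::::Signer (constructed) <signer@example.org>:13x:
sig:::1:BBBBBBBB11111111:1236200000::::Alice (constructed) <alice@example.org>:10x:
sub:u:4096:1:AAAAAAAA00000001:1236111960::::::e:
sig:::1:AAAAAAAA942CFFC4:1236111960::::Signer (constructed) <signer@example.org>:18x:
pub:f:2048:1:BBBBBBBB11111111:1230000000:::-:::scESC:
uid:f::::1230000000::::Alice (constructed) <alice@example.org>:
sig:::1:BBBBBBBB11111111:1230000000::::Alice (constructed) <alice@example.org>:13x:
sig:::1:AAAAAAAA942CFFC4:1236200000::::Signer (constructed) <signer@example.org>:10x:
pub:f:2048:1:CCCCCCCC22222222:1231000000:::-:::scESC:
uid:f::::1231000000::::Bob (constructed) <bob@example.org>:
sig:::1:CCCCCCCC22222222:1231000000::::Bob (constructed) <bob@example.org>:13x:
EOF
}
```

After the refresh, gpg2 --with-colons --list-sigs piped into keys_signed_by 0x942CFFC4 lists the keys on which the signature has come back; a checked key missing from that list has not had its signed copy imported and published yet.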


This work by Roland van Ipenburg is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.
Permissions beyond the scope of this license may be available at mailto:ipenburg@xs4all.nl.