pgp key signing policy


0x7CF6EFDED84C744C
fingerprint: 16C7 33E3 C5BB 8E3B 3795 9B05 7CF6 EFDE D84C 744C

Verification Levels

0x10: Generic certification

I will not sign at this level. Doing so is meaningless and merely clutters and weakens the web of trust.

0x11: Persona certification

In general I will not sign at this level. I need to be confident that you are who you are. If I have prior knowledge establishing your identity and you can prove control of the key pair by decrypting a message, I may consider it. If I don’t feel good about it, it isn’t happening. I will only sign individually controlled keys–not shared keys. In short, if you need a key under a pseudonym because your safety would be in jeoperdy, then I’ll consider it. If you want a key for your sales department to share, that’s not happening. If you feel you have an acceptable use case and can demonstrate a way to convince me that only you (the actual person) control this persona, send me an email. I’ll probably say no and will only agree in the most extraordinary cases.

0x12: Casual certification

Send me a $1 USD personal gift from your verified PayPal account.

  • You must use a gift if you want your $1 back. I will not refund it if you use a “purchase payment.”
  • Your Paypal account must be verified.
  • Your Paypal account address must match the uid in the key you wish signed.
  • In the subject field of the gift, let me know you wish me to sign a key.
  • In the message field of the gift, provide your email address, key ID, and paypal transaction number.
  • Send me a signed and encrypted email letting me know you’ve done so. Make sure that your email is signed by the key you want signed.
  • After I receive the dollar, your email, and have verified the PayPal account, I will sign your key and send it back to you.

0x13: Positive certification (Preferred)

Method 1: Meet in person, exchange government-issued photo identification and key fingerprints.

Method 2: Live video conference using Tox (qtox recommended) and sharing government-issued photo identification and key fingerprints. My Tox ID is 49BE7019AFA121B4CABB10AA962FB3ED01B4FFFA46EAD23319D3A76BCFFD0B5AAB9D120EE17A. I typically don’t have it running, so if you are interested in using this method, you should email me to arrange a time. Tox is an end-to-end encrypted and decentralized communications tool. It is nearly as good as meeting in person. There is no man in the middle. I will not use any centralized chat protocol like Skype, Google Hangouts, Facetime, etc.

General

Proving control of the UID

After verification, I will sign each UID in your public key seperately then encrypt and email the signed UID to the email address in that UID. This seems the best and simplest way to prove control of all UIDs in the key. I’ll sign non-email UIDs on a case-by-case basis. Because of my workflow, you will get a minimized key back with the addition of my certification. I leave it to you to merge my signature with your public key and publish it how you see fit.

Expiration

As a security measure I set expiration dates on my keys. Every year I review my keys and extend the expiration by another year. This serves as a digital deadman switch. Its also as a handy reminder to review the cipher preferences and key strength. I may rotate subkeys at this point. Because of this expiration date, when you sign my key your client may ask you if you want to set an expiration on your signature, defaulting to yes. I ask you not to add an expiration unless it is your normal practice. Your/my certification of a key translates to “At this date and time, I affirm that this person controls this key.” That may not be the case in 5 minutes. Expiration dates on signatures only lead to atrophy of the web of trust and add little to no additional assurance. People will already take a 15 year old signature with a grain of salt. Furthermore, my key has the rolling expiration dates to protect from just the kind of situation a signature expiration aims to protect. I’ve already got you covered. I’ve got a revokation certificate pre-generated too for added measure. Adding a signature expiration just means I’ve got to bug you every year to resign. Please don’t add an expiration and I won’t add one to yours.

Keybase

Keybase.io is a promosing compliment to the web of trust. Please consider tracking me there. I will attempt to locate you on keybase, verify your proofs, and track you when I sign your key. If I’ve already signed and you’d like me to track you, please send me an email with a link to your profile.

Special thanks to Arron Toponce for inspiring much of the content of this policy.