My PGP key’s id is FF70ADE1, and it is available on common keyservers. Alternatively, you can import it from the ASCII-armored block here.
The signed Markdown version of this policy, My PGP key signing policy, is available here. The HTML generated version is available here.
The OpenPGP standard specifies four signature types for denoting certification of a user ID and public key. These levels of certification are intentionally vague, but I’ll attempt to align myself with what is typical for PGP and GPG users on the internet currently. The four levels are as follows:
The standard says:
Generic certification of a User ID and Public Key packet. The issuer of this certification does not make any particular assertion as to how well the certifier has checked that the owner of the key is in fact the person described by the user ID. Note that all PGP “key signatures” are this type of certification.
GPG represents this signature type as ‘I will not answer’. I will not sign a key with generic certification.
The standard says:
Persona certification of a User ID and Public Key packet. The issuer of this certification has not done any verification of the claim that the owner of this key is the user ID specified.
GPG represents this signature type as ‘I have not checked at all’. Again, I will not sign a key with persona certification.
The standard says:
Casual certification of a User ID and Public Key packet. The issuer of this certification has done some casual verification of the claim of identity.
GPG represents this signature type as ‘I have done casual checking’. With a few exceptions, this is the level at which I will sign other people’s keys. I generally won’t go out of my way to meet you in person and check your ID, though this is one way I will certify your identity. Other ways:
The standard says:
Positive certification of a User ID and Public Key packet. The issuer of this certification has done substantial verification of the claim of identity.
GPG represents this signature type as ‘I have done very careful checking’. I reserve this type of signature for people I am personally close to, or have worked closely with.
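To see which of these four levels a signature on a key actually carries, the machine-readable `gpg --with-colons --list-sigs` output is the easiest thing to check: field 11 of each `sig` record holds the signature class as two hex digits (10 through 13 for the types above) followed by `x` for exportable or `l` for local-only. The script below is an added example for this page, not code from the policy's author; the `sig` records it parses are constructed sample lines, not taken from a real keyring, and the key IDs and addresses in them are placeholders. It maps each class byte to the standard's name and GPG's prompt wording, and flags which signatures meet the threshold this policy sets (0x12 and 0x13).

```python
"""Classify OpenPGP certification levels found in `gpg --with-colons --list-sigs`
output.  Added example for this page, not the policy author's own code; the
sample records below are constructed, not exported from any real keyring."""

# RFC 4880 section 5.2.1 signature types for User ID certifications, paired
# with the wording GPG uses when it prompts for a level (--ask-cert-level).
CERT_LEVELS = {
    0x10: ("Generic", "I will not answer"),
    0x11: ("Persona", "I have not checked at all"),
    0x12: ("Casual", "I have done casual checking"),
    0x13: ("Positive", "I have done very careful checking"),
}

# Levels this policy says its author will issue.
POLICY_SIGNS_WITH = {0x12, 0x13}

# Constructed sample of `gpg --with-colons --list-sigs` output (placeholder
# key IDs and addresses).  In a `sig` record, field 5 is the issuer key ID,
# field 10 the issuer's user ID, and field 11 the signature class: two hex
# digits followed by 'x' (exportable) or 'l' (local, non-exportable).
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::DEADBEEF00000000000000000000000000000000::Example Person <person@example.invalid>::::::::::0:
sig:::1:0123456789ABCDEF:1500000000::::Example Person <person@example.invalid>:13x::::::::::
sig:::1:FEDCBA9876543210:1500100000::::Casual Signer <casual@example.invalid>:12x::::::::::
sig:::1:0000000000000001:1500200000::::Unverified Signer <none@example.invalid>:11l::::::::::
sig:::1:0000000000000002:1500300000::::Generic Signer <generic@example.invalid>:10x::::::::::
"""


def parse_sig_records(listing):
    """Return (issuer_keyid, issuer_uid, level, exportable) for each sig record."""
    results = []
    for line in listing.splitlines():
        fields = line.split(":")
        if not fields or fields[0] != "sig":
            continue  # pub/uid/sub records carry no certification class
        sigclass = fields[10]
        level = int(sigclass[:2], 16)          # e.g. "13x" -> 0x13
        exportable = sigclass[2:3] == "x"      # 'l' marks a local-only signature
        results.append((fields[4], fields[9], level, exportable))
    return results


def describe(level):
    """Name the level as the standard does and quote GPG's prompt text for it."""
    name, prompt = CERT_LEVELS.get(level, ("Unknown", "n/a"))
    return "0x%02x %s certification (%r)" % (level, name, prompt)


def summarize(listing, acceptable=POLICY_SIGNS_WITH):
    """Return (issuer_keyid, level, meets_policy) for every sig record."""
    return [(keyid, level, level in acceptable)
            for keyid, _uid, level, _exportable in parse_sig_records(listing)]


if __name__ == "__main__":
    for keyid, uid, level, exportable in parse_sig_records(SAMPLE_LISTING):
        verdict = "meets policy" if level in POLICY_SIGNS_WITH else "below policy threshold"
        print("%s  %-45s %s%s  %s" % (keyid, uid, describe(level),
                                      "" if exportable else " [local]", verdict))
```

When issuing a signature yourself, `gpg --ask-cert-level --sign-key KEYID` makes GPG prompt for one of the four levels using exactly the wording in `CERT_LEVELS` (without that option it uses its configured default level); feeding the resulting keyring through `gpg --with-colons --list-sigs KEYID` and this parser confirms which class byte ended up on the signature.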
As mentioned above under 0x12 Casual certification, I will sign keys for people I have not met, using one of the following two methods to check their identity:
I will only accept US passports or California State driver’s licenses as ID. Sorry, I don’t have time to keep up to date on recognizing valid ID from places I don’t live.
Make a color scan of the ID (you can black out sensitive parts of the resulting image, such as your address and the passport/license number; I’m interested in your name and your photo) next to a hand-written note containing:
Take a webcam photo of yourself holding up the ID. (Again, black out parts if you prefer.)
Send me an email (to [email protected]) requesting that I sign your key, and include the following:
Using PayPal as a trusted third party is an idea I took from Aaron Toponce, which seems brilliant.