PGP

If you want to be extra safe, check that there’s a big block of jumbled characters at the bottom.

My PGP key’s id is FF70ADE1, and is available on common keyservers. Alternately, you can import it from the ASCII-armored block from here.

The signed Markdown version of my PGP key signing policy is available here. The HTML generated version is available here.

PGP Key Signature Policy

The OpenPGP standard specifies four signature types for denoting certification of a user ID and public key. These levels of certification are intentionally vague, but I’ll attempt to align myself with what is typical for PGP and GPG users on the internet currently. The four levels are as follows:

0x10 Generic certification

The standard says:

Generic certification of a User ID and Public Key packet. The issuer of this certification does not make any particular assertion as to how well the certifier has checked that the owner of the key is in fact the person described by the user ID. Note that all PGP “key signatures” are this type of certification.

GPG represents this signature type as ‘I will not answer’. I will not sign a key with generic certification.

0x11 Persona certification

The standard says:

Persona certification of a User ID and Public Key packet. The issuer of this certification has not done any verification of the claim that the owner of this key is the user ID specified.

GPG represents this signature type as ‘I have not checked at all’. Again, I will not sign a key with generic certification.

0x12 Casual certification

The standard says:

Casual certification of a User ID and Public Key packet. The issuer of this certification has done some casual verification of the claim of identity.

GPG represents this signature type as ‘I have done casual checking’. With a few exceptions, this is the level at which I will sign other people’s keys. I generally won’t go out of my way to meet you in person and check your ID, though this is one way I will certify your identity. Other ways:

  • By sending me a scanned copy of your ID (see below)
  • By sending me $1 via PayPal (see below)

0x13 Positive certification

The standard says:

Positive certification of a User ID and Public Key packet. The issuer of this certification has done substantial verification of the claim of identity.

GPG represents this signature type as ‘I have done very careful checking’. I reserve this type of signature for people I am personally close to, or have worked closely with.
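
To check which of these four levels the certifications on a key actually carry, the signature type can be read directly from the signature packets. The following is an added example, not part of the original policy: it walks a binary (de-armored) OpenPGP packet stream using the RFC 4880 packet header rules and reports each certification signature's type. The function names and the sample bytes are constructed for illustration.

```python
# Added example: report the certification level of each signature packet.
CERT_LEVELS = {
    0x10: "generic (GPG: 'I will not answer')",
    0x11: "persona (GPG: 'I have not checked at all')",
    0x12: "casual (GPG: 'I have done casual checking')",
    0x13: "positive (GPG: 'I have done very careful checking')",
}

def read_header(data, pos):
    """Return (tag, body_start, body_len) for the packet starting at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                                  # new-format header
        tag, o1 = first & 0x3F, data[pos + 1]
        if o1 < 192:                                  # one-octet length
            return tag, pos + 2, o1
        if o1 < 224:                                  # two-octet length
            return tag, pos + 3, ((o1 - 192) << 8) + data[pos + 2] + 192
        if o1 == 255:                                 # five-octet length
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths not handled")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03    # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not handled")
    n = 1 << ltype                                    # 1, 2 or 4 length octets
    return tag, pos + 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")

def cert_levels(data):
    """Return [(sig_type, description)] for every certification signature."""
    found, pos = [], 0
    while pos < len(data):
        tag, start, length = read_header(data, pos)
        body = data[start:start + length]
        if len(body) < length:
            raise ValueError("truncated packet")
        if tag == 2 and len(body) >= 3:               # signature packet
            # v2/v3 store the type in octet 2; v4 and later in octet 1.
            sig_type = body[2] if body[0] in (2, 3) else body[1]
            if sig_type in CERT_LEVELS:
                found.append((sig_type, CERT_LEVELS[sig_type]))
        pos = start + length
    return found

def v4_body(sig_type):
    """Constructed, structurally minimal v4 signature body (not a real signature)."""
    return bytes([4, sig_type, 1, 8, 0, 0, 0, 0, 0xAB, 0xCD])

# Constructed sample stream: positive cert, casual cert, then a user ID packet.
SAMPLE = (bytes([0xC2, 10]) + v4_body(0x13) + bytes([0x88, 10]) + v4_body(0x12)
          + bytes([0xB4, 3]) + b"abc")
```

Real input for `cert_levels` is the binary output of `gpg --export` for the key in question; signatures that are not certifications (for example subkey bindings) are skipped.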

Open offer for key signing

As mentioned above under 0x12 Casual certification, I will sign keys for people I have not met, using one of the following two methods to check their identity:

Sending me a scanned copy of your ID

I will only accept US passports or California State driver’s licences for IDs. Sorry, I don’t have time to keep up to date on recognizing valid ID from places I don’t live.

  • Make a color scan of the ID (you can black out sensitive parts in the resulting image, like your address, the passport/license number, etc. I’m interested in your name and your photo) next to a hand-written note containing:

    1. Your email address
    2. Your key ID
  • Take a webcam photo of yourself holding up the ID. (Again, black out parts if you prefer.)

  • Send me an email (to [email protected]) requesting that I sign your key, and include the following:

    1. Attach the two ID images
    2. PGP sign the message with the key you want me to sign

Sending me $1 via PayPal

Using PayPal as a trusted third party is an idea I took from Aaron Toponce, which seems brilliant.

  • Send a $1 USD personal payment as a “Gift” to [email protected] using PayPal. Seriously, make sure you mark it as a gift, PayPal can get very cranky if you choose the wrong payment type.
  • In the PayPal message, list that it’s a key signing request in the subject. In the body, list your email address and key ID.
  • Email me separately (to [email protected]) asking me to go check my PayPal account for your key signing request. Sign and encrypt this message to me, using the key you want me to sign.
  • Once I sign your key, I will send you back your $1 gift payment.
©2011-2020 Justin C. Miller.   What a horrible night to have a curse.