David's Public Pages

There's no place like ::1

User Tools

Site Tools


My PGP Key Signing Policy

My policy is simple, if I am reasonably convinced that you are who you claim you are, I will sign your key. I will sign keys at both casual and careful checking levels, depending on how you convince me of your identity.

If I have signed a previous key of yours which you have replaced with a new key, I will sign your new key given you can provide a valid transition statement and the new key has been in use for more than three months.

Casual Checking Key Signing Method

I understand this might seem lengthy, but it is the only process I will accept for casual verifications.

  1. You will come up with a number and a word, we will call them num1 and word1.
  2. I will do the same, we will call them num2 and word2.
  3. We will then talk on the phone, secure IM, or some other method besides email. Once a communication method is chosen we will tell each other our numbers only, keeping the words secret for the time being.
  4. You will then send me an encrypted email to my listed UID key you wish to have sign your key. This email should contain num2 and word1.
    • This will let me know that this email came from the person I spoke to, the only person who should know the number I choose.
  5. I will reply back to your email with another encrypted including num1, word1, num2, and word2.
    • The only way I can know word1 is if I can decrypt the signed message to my UID. This proves ownership only of the UID key and access to the email account, which is why I consider this casual. When you receive the email with num1 contained within it this confirms the email came from the person you spoke to, and that the person you spoke to is in possession of the private key you emailed.
  6. You will then send an encrypted email back to me with word2 in it.
    • Since only you should have this word it confirms you now are in ownership of the private key and email address and it now completes the verification process.
  7. Once I receive the email I will sign your key, attach it to an encrypted email, and send it back to you. A reciprocal signature is greatly appreciated!

Careful Checking Key Signing Method

Just email me and set up a time to meet in a public location somewhere here in Colorado Springs, Colorado.

Please make sure that on the day we meet you bring the following, I will do the same:

  1. Two pieces of ID are required.
    1. One must be a government issued ID, non-expired, and with a photo. I.e. (Passport, Drivers License, Military ID)
    2. A printed copy of your key ID’s fingerprint for us to exchange
      gpg --fingerprint <your email>
  2. Optional, but preferred, a printed copy of your key ID fingerprint for you to confirm, at the time we meet, both your key ID and the piece of paper you are giving me match. Keep this secure!
    gpg -K --fingerprint <your email>

After we meet and exchange fingerprints I will sign your key, attach it to an encrypted email, and send it back to your listed UID, please do the same for me.

technology/pgp-key-sign-policy.txt · Last modified: 03/04/2020 by David Remy