Skip to content

My PGP Key Signing Policy⚓︎


My policy is simple, if I am reasonably convinced that you are who you claim you are, I will sign your key. I will sign keys at both casual and careful checking levels, depending on how you convince me of your identity.

If I have signed a previous key of yours which you have replaced with a new key, I will sign your new key given you can provide a valid transition statement and the new key has been in use for more than three months.

Casual Checking Key Signing Method⚓︎

I understand this might seem lengthy, but it is the only process I will accept for casual verification.

  1. You will come up with a number and a word, we will call them num1 and word1.
  2. I will do the same, we will call them num2 and word2.
  3. We will then talk on the phone, secure IM, or some other method besides email. Once a communication method is chosen we will tell each other our numbers only, keeping the words secret for the time being.
  4. You will then send me an encrypted email to my listed UID key you wish to have sign your key. This email should contain num2 and word1.

    • This will let me know that this email came from the person I spoke to, the only person who should know the number I choose.
  5. I will reply back to your email with another encrypted including num1, word1, num2, and word2.

    • The only way I can know word1 is if I can decrypt the signed message to my UID. This proves ownership only of the UID key and access to the email account, which is why I consider this casual. When you receive the email with num1 contained within it this confirms the email came from the person you spoke to, and that the person you spoke to is in possession of the private key you emailed.
  6. You will then send an encrypted email back to me with word2 in it.

    • Since only you should have this word it confirms you now are in ownership of the private key and email address and it now completes the verification process.
  7. Once I receive the email I will sign your key, attach it to an encrypted email, and send it back to you. A reciprocal signature is greatly appreciated!

    sequenceDiagram autonumber Participant You Participant Me rect rgb(255, 179, 179) Note over You, Me: Unsecured Communications Note over You: Generate num1 and word1 Note over Me: Generate num2 and word2 You-->>Me: You tell me your num1 Me-->>You: I tell you my num2 end rect rgb(179, 254, 179) Note over You, Me: PGP Encrypted Emails You-->>Me: Email to my UID containing num1 and word1 Me-->>You: Email to your UID with num1, word1, num2, and word2 You-->>Me: Email to my UID with word2 Me-->>You: Email with your signed key attached You-->>Me: Email with my signed key attached end

Careful Checking Key Signing Method⚓︎

Just email me and set up a time to meet in a public location somewhere here in Colorado Springs, Colorado.

Please make sure that on the day we meet you bring the following, I will do the same:

  1. Two pieces of ID are required.

    a. One must be a government issued ID, non-expired, and with a photo. I.e. (Passport, Drivers License, Military ID) b. A printed copy of your key ID’s fingerprint for us to exchange.

    gpg --fingerprint <your email>
    

  2. Optional, but preferred, a printed copy of your key ID fingerprint for you to confirm, at the time we meet, both your key ID and the piece of paper you are giving me match. Keep this secure!

    gpg -K --fingerprint <your email>
    

After we meet and exchange fingerprints I will sign your key, attach it to an encrypted email, and send it back to your listed UID, please do the same for me.