
My PGP Key Signing Policy


My policy is simple: if I am reasonably convinced that you are who you claim to be, I will sign your key. I will sign keys at both the casual and the careful checking level, depending on how you convince me of your identity.

If I have signed a previous key of yours which you have replaced with a new key, I will sign your new key provided you can give me a valid transition statement and the new key has been in use for more than three months.

Casual Checking Key Signing Method

I understand this might seem lengthy, but it is the only process I will accept for casual verification.

  1. You will come up with a number and a word; we will call them num1 and word1.
  2. I will do the same; we will call them num2 and word2.
  3. We will then talk on the phone, over secure IM, or by some other method besides email. Once a communication method is chosen, we will tell each other our numbers only, keeping the words secret for the moment.
  4. You will then send an encrypted email to the UID listed for whichever of my keys you want to sign yours. This email should contain num2 and word1.

    • This lets me know that the email came from the person I spoke to, the only person who should know the number I chose.
  5. I will reply to your email with an encrypted email containing num1, word1, num2, and word2.

    • The only way I can know word1 is by decrypting the signed message you sent to my UID. This proves ownership only of the key behind my UID and access to the email account, which is why I consider this casual. When you receive the reply with num1 in it, this confirms that it came from the person you spoke to, and that the person you spoke to is in possession of the private key for the UID you emailed.
  6. You will then send an encrypted email back to me with word2 in it.

    • Since only you should have this word, it confirms that you are in possession of both the private key and the email address, and it completes the verification process.
  7. Once I receive that email, I will sign your key, attach it to an encrypted email, and send it back to you. A reciprocal signature is greatly appreciated!

```mermaid
sequenceDiagram
  autonumber
  participant youUn as You (Unencrypted Comms)
  participant meUn as Me (Unencrypted Comms)
  participant youPGP as You (PGP Email)
  participant mePGP as Me (PGP Email)

  Note over youUn: Generate num1 and word1
  youUn-->>meUn: You tell me your num1
  Note over meUn: Generate num2 and word2
  meUn-->>youUn: I tell you my num2

  %% num2 is the number I gave you out of band, so carrying it proves the mail is from the person I spoke to
  youPGP-->>mePGP: Encrypted email to my UID containing num2 and word1
  mePGP-->>youPGP: Encrypted email to your UID with num1, word1, num2, and word2
  youPGP-->>mePGP: Encrypted email to my UID with word2
  mePGP-->>youPGP: Email with your signed key attached
  youPGP-->>mePGP: Email with my signed key attached
```

Careful Checking Key Signing Method

Just email me and set up a time to meet in a public location somewhere here in Colorado Springs, Colorado.

Please make sure you bring the following on the day we meet; I will do the same:

  1. Two pieces of ID are required.

    a. One must be a government-issued, non-expired photo ID (e.g. passport, driver's license, military ID).
    b. A printed copy of your key ID's fingerprint for us to exchange.

    ```bash
    gpg --fingerprint <your email>
    ```

  2. Optional, but preferred: a printed copy of your key ID's fingerprint for yourself, so that at the time we meet you can confirm that your key ID and the piece of paper you are giving me match. Keep this secure!

    ```bash
    gpg -K --fingerprint <your email>
    ```


After we meet and exchange fingerprints I will sign your key, attach it to an encrypted email, and send it back to your listed UID. Please do the same for me.
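To make the fingerprint comparison at the meeting mechanical rather than eyeballed, here is an added Python example (not part of this policy) that parses the output of `gpg --fingerprint`, normalizes a fingerprint transcribed from the printed slip, and reports whether it matches a key on the keyring under the expected UID. The sample gpg output, fingerprint and UID are constructed for the example and are not a real key.

```python
import hmac
import re

# Constructed sample of `gpg --fingerprint <email>` output; not a real key.
SAMPLE_GPG_OUTPUT = """\
pub   ed25519 2023-05-01 [SC]
      1A2B 3C4D 5E6F 7081 92A3  B4C5 D6E7 F809 1A2B 3C4D
uid           [ultimate] Example Person <person@example.invalid>
sub   cv25519 2023-05-01 [E]
"""

# Human-readable fingerprint line: ten groups of four hex digits.
FPR_LINE = re.compile(r"^\s+((?:[0-9A-F]{4}\s+){9}[0-9A-F]{4})\s*$")

def normalize_fingerprint(text: str) -> str:
    """Strip spacing and case from a fingerprint read off paper or a screen."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a 40-hex-digit OpenPGP v4 fingerprint")
    return fpr

def long_key_id(fpr: str) -> str:
    """The 64-bit key ID is the last 16 hex digits of a v4 fingerprint."""
    return normalize_fingerprint(fpr)[-16:]

def parse_gpg_fingerprints(output: str) -> dict:
    """Map each primary key fingerprint to the UIDs gpg lists under it."""
    keys, current, expect_fpr = {}, None, False
    for line in output.splitlines():
        if line.startswith("pub"):
            expect_fpr, current = True, None
        elif expect_fpr and FPR_LINE.match(line):
            current = normalize_fingerprint(FPR_LINE.match(line).group(1))
            keys[current] = []
            expect_fpr = False
        elif line.startswith("uid") and current is not None:
            keys[current].append(line.split("]", 1)[-1].strip())
    return keys

def fingerprint_matches(paper: str, gpg_output: str, expected_uid: str) -> bool:
    """True only if the slip's full 40-digit fingerprint (never just the key ID)
    is on the keyring under the expected UID."""
    wanted = normalize_fingerprint(paper)
    for fpr, uids in parse_gpg_fingerprints(gpg_output).items():
        if hmac.compare_digest(fpr, wanted) and any(expected_uid in u for u in uids):
            return True
    return False
```

Feed it the real output of `gpg --fingerprint <their email>` after importing the key, and the fingerprint exactly as printed on the slip they hand you.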