PGP

Tue, Mar 5, 2013

If you want to be extra safe, check that there's a big block of jumbled
characters at the bottom.

My PGP key’s id is FF70ADE1, and it is available on common keyservers. Alternatively, you can import it from the ASCII-armored block here. A short 32-bit key ID like this one is not unique, so check the full fingerprint after importing rather than trusting the ID alone.

The signed Markdown version of my PGP key signing policy is available here. The HTML generated version is available here.

PGP Key Signature Policy

The OpenPGP standard specifies four signature types for denoting certification of a user ID and public key. These levels of certification are intentionally vague, but I’ll attempt to align myself with what is typical for PGP and GPG users on the internet currently. The four levels are as follows:


0x10 Generic certification

The standard says:

Generic certification of a User ID and Public Key packet. The issuer of this certification does not make any particular assertion as to how well the certifier has checked that the owner of the key is in fact the person described by the user ID. Note that all PGP “key signatures” are this type of certification.

GPG represents this signature type as ‘I will not answer’. I will not sign a key with generic certification.


0x11 Persona certification

The standard says:

Persona certification of a User ID and Public Key packet. The issuer of this certification has not done any verification of the claim that the owner of this key is the user ID specified.

GPG represents this signature type as ‘I have not checked at all’. Again, I will not sign a key with persona certification.


0x12 Casual certification

The standard says:

Casual certification of a User ID and Public Key packet. The issuer of this certification has done some casual verification of the claim of identity.

GPG represents this signature type as ‘I have done casual checking’. With a few exceptions, this is the level at which I will sign other people’s keys. I generally won’t go out of my way to meet you in person and check your ID, though this is one way I will certify your identity. Other ways:

Sending me a scanned copy of your ID

I will only accept US passports or Washington State driver’s licenses for IDs. Sorry, I don’t have time to keep up to date on recognizing valid ID from places I don’t live.

Sending me $1 via PayPal

Using PayPal as a trusted third party is an idea I took from Aaron Toponce, which seems brilliant. PayPal’s been getting a lot of bad press lately, however, and I encourage people to move to other providers like Dwolla instead. For now, though, PayPal is ubiquitous and easy enough that it should work best.

0x13 Positive certification

The standard says:

Positive certification of a User ID and Public Key packet. The issuer of this certification has done substantial verification of the claim of identity.

GPG represents this signature type as ‘I have done very careful checking’. I reserve this type of signature for people I am personally close to, or have worked closely with.
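The four certification levels above are nothing more than a one-octet signature type field (0x10 to 0x13) in each certification signature packet, which is what lets GPG show you the level a signer chose. The following Python is an added example, not code from the original post: it walks the packets of a binary OpenPGP public key (the form produced by `gpg --export KEYID` or `gpg --dearmor`) and reports the certification level of every signature attached to a user ID, skipping subkey bindings. The key it parses is constructed inline from placeholder packets (the user ID "Alice Example <alice@example.org>" and the key material are made up, and the signature bodies are not verifiable), so it runs offline.

```python
# Added example, not from the original post: report the certification level
# (0x10-0x13) of every user-ID signature in a binary OpenPGP public key, such
# as the output of `gpg --export KEYID` or `gpg --dearmor < key.asc`.

# Certification signature types (RFC 4880 5.2.1) and GnuPG's prompt for each.
CERT_LEVELS = {
    0x10: "generic certification (GPG: 'I will not answer')",
    0x11: "persona certification (GPG: 'I have not checked at all')",
    0x12: "casual certification (GPG: 'I have done casual checking')",
    0x13: "positive certification (GPG: 'I have done very careful checking')",
}

def packet(tag: int, body: bytes, new_format: bool = True) -> bytes:
    """Encode one packet with a one-octet body length in either header format (RFC 4880 4.2)."""
    if len(body) > 191:
        raise ValueError("this helper only emits one-octet lengths")
    ctb = (0xC0 | tag) if new_format else (0x80 | (tag << 2))  # old format, length type 0
    return bytes([ctb, len(body)]) + body

def iter_packets(data: bytes):
    """Yield (tag, body) for every packet, accepting old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet tag octet at offset {i}")
        if ctb & 0x40:  # new-format header: tag in the low six bits
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old-format header: tag in bits 2-5, length type in the low two bits
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            size = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(data[i + 1:i + 1 + size], "big"), 1 + size
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {i}")
        yield tag, body
        i += hdr + length

def signature_type(body: bytes) -> int:
    """Signature type octet: offset 2 in a v3 signature, offset 1 in v4 and later."""
    if body[0] == 3:
        return body[2]
    if body[0] in (4, 5, 6):
        return body[1]
    raise ValueError(f"unsupported signature version {body[0]}")

def certifications(key: bytes) -> list:
    """Return (user_id, sig_type, description) for each certification signature.
    Signatures following a User ID packet (tag 13) certify that ID; signatures
    following a subkey (tag 14) are binding signatures and are skipped."""
    found, current_uid = [], None
    for tag, body in iter_packets(key):
        if tag in (6, 14):  # public key or public subkey: no user ID in scope
            current_uid = None
        elif tag == 13:  # user ID
            current_uid = body.decode("utf-8", "replace")
        elif tag == 2 and current_uid is not None:
            sig_type = signature_type(body)
            if sig_type in CERT_LEVELS:
                found.append((current_uid, sig_type, CERT_LEVELS[sig_type]))
    return found

def synthetic_signature(sig_type: int) -> bytes:
    """Constructed v4 signature body: version, type, EdDSA (22), SHA-256 (8), empty
    subpacket areas, hash prefix, one dummy MPI. Not verifiable; only version/type matter here."""
    return bytes([4, sig_type, 22, 8]) + b"\x00\x00\x00\x00\xab\xcd\x00\x08\xff"

# Constructed sample: placeholder EdDSA key material and a made-up user ID, not a real key.
ED25519_OID = bytes.fromhex("2b06010401da470f01")
KEY_MATERIAL = (b"\x04" + (1362441600).to_bytes(4, "big")  # v4, created 2013-03-05
                + b"\x16\x09" + ED25519_OID + b"\x01\x07\x40" + b"\x11" * 32)
SAMPLE_KEY = (
    packet(6, KEY_MATERIAL, new_format=False)  # primary key (gpg uses old-format headers here)
    + packet(13, b"Alice Example <alice@example.org>", new_format=False)
    + packet(2, synthetic_signature(0x13))  # self-certification: positive
    + packet(2, synthetic_signature(0x12))  # a third party's casual certification
    + packet(14, KEY_MATERIAL, new_format=False)  # signing subkey
    + packet(2, synthetic_signature(0x18))  # subkey binding: not a certification
)

if __name__ == "__main__":
    for uid, sig_type, description in certifications(SAMPLE_KEY):
        print(f"{uid}: 0x{sig_type:02x} {description}")
```

On a real key, `gpg --list-sigs KEYID` shows the same class as a digit 1 to 3 after `sig` (no digit for a generic certification), and `gpg --with-colons --list-sigs KEYID` puts it in field 11 of each `sig` record (`12x` for an exportable casual certification, `13x` for positive). When certifying someone else's key, `gpg --ask-cert-level --sign-key KEYID` is what presents the four prompts quoted above; `--default-cert-level 2` makes casual the default answer.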