PGP policy and notes


Page created: 2013-09-15 07:00:00
Last updated: 2015-08-31 18:04:13


-----BEGIN PGP SIGNED WEB-PAGE-----

My Personal PGP Notes and Policy

This is a compilation of policies, mainly for personal consumption and reference, but published in case someone finds it useful.

It is greatly inspired by the work of David Kaiser and his PGP keysigning policy. This document follows its essence and draws on its structure and contents.

I reserve the right to make amendments and updates to this document at any point in time and without notice. If my policy changes, signatures I have already issued remain good and valid and will not be revoked; in other words, this document is not retroactive.

This page, located at http://slashfoo.com/pgp_policy.html, is PGP signed.
To verify my signature on this page, run the following command (GnuPG 2 syntax):
gpg2 --recv-keys C7E98BCAA435DBF11948F3D4763C2178A92C8FB4; curl http://slashfoo.com/pgp_policy.html | gpg2 --verify -
Then check that gpg reports a good signature and that the fingerprint it prints is the one listed under "My Key and photo" below; a good signature from some other key that happens to be in your keyring proves nothing about this page.



Changelog

2014-02-26 Initial public version
2014-03-03 s/GPG/PGP/ on title
2014-04-08 Updated some broken links to keyservers (missing ports on links)
           Removed the link to wwwkeys.gpg.net
2015-02-20 Fixed dkaiser's policy url
           Added commands to verify signature with curl and gpg2
2015-02-21 Changed the command to fetch the key by its full fingerprint instead of its 8-character short key ID
           Added SCaLE 13x PGP Key Signing Party URL
2015-08-31 Changed the url of my included photograph to work on both http and https

My Key and photo

Until this key is revoked and the revocation is publicly stated here, the following are my public key fingerprint, UIDs and photo UID for personal use.

sec   4096R/A92C8FB4 2013-02-06
      Key fingerprint = C7E9 8BCA A435 DBF1 1948  F3D4 763C 2178 A92C 8FB4
uid                  Jamiel Almeida <jamiel.almeida@gmail.com>
uid                  Jamiel Almeida (slashfoo) <slashfoo@gmail.com>
uid                  [jpeg image of size 4021]

The image is this:

[Image: A92C8FB4 JPEG UID]

A signature of the image with my key is available here: A92C8FB4.jpg.asc

Key signing conditions

I only sign keys when I have personally met the owner of the key at a meeting or party where the key signing was explicitly arranged beforehand. Arranging a meeting with me, or attending a keysigning party where I am present, is therefore a requirement for getting your key signed by me.

When meeting one on one, you will want to bring the following:

  • A piece of paper with the output of gpg -K --fingerprint
  • At least one government issued ID, valid, with a photograph
  • Any additional IDs, cards or documents to further verify your identity
  • Enough time to attend the meeting without any rush (approx 10-15 minutes)

In the case of a keysigning party, given that the nature of the event is to cross-verify many IDs, at least one valid, current, government-issued photo ID is strictly necessary.

Expect me to ask questions about the nature and contents of the documents, especially if they are non-conventional, foreign, or otherwise forms of documentation that are new to me or that bear features unknown to me.

Considerations

I reserve the right not to accept forms of identification that I don't trust, that are issued by organizations I don't trust, that bear features unknown to me, or that are damaged or deteriorated in a way that affects the features of the document.

I only sign keys of human persons, not companies. The names in the key and in the IDs provided must match. At the very minimum the first name and first surname must match, and other names or initials in the documents must not conflict with the key. I don't normally make exceptions to this policy and you shouldn't expect to be one.

I may choose not to sign a key on the basis of its size or algorithm if these make it too weak. I consider 1024 bits the minimum acceptable key size; examples of acceptable algorithms are DSA, RSA and ElGamal.

I may also choose not to sign particular UIDs in a key, even ones that are e-mail addresses, if they look suspicious to me (this is a "game" of trust, after all).

If the ID validation is interrupted or cannot be carried out in the environment (e.g. a noisy room), I will not sign the key, and I will tell the other person so.

Signing levels

GnuPG supports the four certification levels defined in RFC 4880 (signature classes 0x10 to 0x13). Below, each level is listed together with the reason I sign a key at it.

  • sig (0x10) : generic certification, which makes no claim about how the identity was checked. Used to sign photo, name, and other non-email UIDs.
  • sig 1 (0x11) : persona certification (no verification claimed). Not currently used.
  • sig 2 (0x12) : 'I have done casual checking'. Used for keys checked during keysigning parties, or at other large, hurried or noisy signing meet-ups. A positive photo ID is still required, but careful checking was not possible.
  • sig 3 (0x13) : 'I have done careful checking'. Used for one-on-one keysigning where multiple positive IDs are exchanged. This level is also used, at a keysigning party or one-on-one, for people I have known for months, have met at previous keysigning parties, or know personally.

Signing of photo, name, and otherwise non-email uid’s

Non-email UIDs on a key are not signed automatically by me, and some considerations apply when I do sign them.

If someone specifically requests that a name or alias be signed, that person must show identification bearing that name or alias along with the other documents used for verification. This applies to ham radio callsigns, job titles and the like, even when they appear in parentheses after the name.

For photo UIDs, I will only sign the UID and send the signed UID to an email address I have already signed. I will do this only if the person brings at least two government-issued photo identification documents and the picture they want signed; people I know in person and have known for at least a couple of months are exempt from bringing the photo.

Reciprocation

I typically expect that when I take the time to verify a person's identity and sign their key, my key(s) and identity will be signed in return once verified, provided I meet that person's verification protocol.

If not, I consider it polite for the person to explain why my key wasn't signed.

I reserve the right to not sign a key at my own discretion.

Signing procedure

I'll verify the documents and identity in person. I'll sign the key(s) when I'm at home, or somewhere equivalent to it. Please don't expect me to sign the key immediately if I am busy, travelling, or in a hotel room.

When I sign an email UID, I export my signature on that UID alone and send it, attached to a message encrypted to the key, to that email address. The recipient is then expected to decrypt the message, import the signature and upload it to whatever keyserver they prefer. This ensures that the requester controls the email address in the UID (and, since the message is encrypted to the key, the corresponding private key).

Reference Websites

Public Key-signing parties I’ve attended

Copyright © Jamiel Almeida <slashfoo@gmail.com> 2015

As stated above, this document is greatly inspired by the work of David Kaiser and his PGP keysigning policy. It follows its essence and draws on its structure and contents.

Structure and contents may be used under the conditions of the Creative Commons Attribution-Noncommercial-Share Alike 3.0 license.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.28

iQIcBAEBCgAGBQJV5PmyAAoJEHY8IXipLI+0BxcP+gMI31TDI2vI847hgCYXyS69
/Av0OMVK4oumXeCQx5Us5Cd41rMaxpYc2jZwpWHxy4tL93GSDjidld4f1PxXe9ta
gDwUeyNUcm7JIZ/t541iLd5tQMIYcpUPVz9cd93/gnMOMgml+8MaPfAsnRS6Ktgd
12YhYcmq6DOkdY5jZ1V8o4lqMzy0r4g8pMUJm4HhRyLVqdeBEwUdfvCg7gFeOvpB
T3OSye5ho8IUcZFsQLYPYi/ZcHYW0lRyPTPG/m/fczfg+sBiXv5+tOfjFQgd/IH6
r9Kd1ttD5MdbBw5oLdsILUbeYE+Lya6DIWlmFAcYCyCB36Kx6ay6POkOOaxC1FFN
+ZnF0eO4Ev7uqFgnmsFnN0+uOxufVeycLV2Vqepyhz55geZFZZnVNJ2vw0nD+AnS
R8WFmH6BNPbpPLEb5pq1whtHdxsM+oryheDYf1VBbx8AcJ4G/ZeoMGVzXBz19UrD
rjfEo6R6+YiENi4y01oyjhRXFPbD2sKm1C9lO/rpDU3RsMtbMDLyGCwk6bvJliRU
YkdCFZArAYCqpwrHoNoVpMuelS3YrI/AwwL5hwekHq/3549z21fhUyWklJQpmha1
xxeUS6J05wrhfZiMIuVeRh9/lcnMxm/qfctThSR3hH0jyyXVAUGztrlMS8JxGWfU
z/AzZJfSfZXS67DibDGL
=P5sH
-----END PGP SIGNATURE-----