Page created: 2013-09-15 07:00:00
Last updated: 2015-08-31 18:04:13
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

-----BEGIN PGP SIGNED WEB-PAGE-----
My Personal PGP Notes and Policy
This is a compilation of policies, mainly for personal consumption and reference, but published in case someone finds it useful.
It is greatly inspired by the work of David Kaiser and his PGP keysigning policy. This document follows its essence and draws from its structure and contents.
I reserve the right to make amendments and updates to this document at any point in time and without notice. In the event that my policy changes, previous signatures will remain good and valid and won’t be revoked; in other words, this is not a retroactive document.
This page, located at http://slashfoo.com/pgp_policy.html, is PGP signed. To verify my signature on this page, run the following commands (GnuPG 2 version):
    gpg2 --recv-keys C7E98BCAA435DBF11948F3D4763C2178A92C8FB4
    curl http://slashfoo.com/pgp_policy.html | gpg2 --verify -
The key is requested by its full 40-hex fingerprint rather than by the 8-character short key ID, since short key IDs are trivial to collide; check that the key ID and fingerprint gpg2 reports for the signature match the key listed below.
Changelog
2014-02-26 Initial public version
2014-03-03 s/GPG/PGP/ on title
2014-04-08 Updated some broken links to keyservers (missing ports on links); removed the link to wwwkeys.gpg.net
2015-02-20 Fixed dkaiser’s policy URL; added commands to verify the signature with curl and gpg2
2015-02-21 Changed the command to fetch the key by its full fingerprint instead of the 8-character short key ID; added SCaLE 13x PGP Key Signing Party URL
2015-08-31 Changed the URL of my included photograph to work on both http and https
My Key and photo
Until this key is revoked and the revocation is publicly stated here, the following is my public key, fingerprint and photo UID for personal use.
sec   4096R/A92C8FB4 2013-02-06
      Key fingerprint = C7E9 8BCA A435 DBF1 1948 F3D4 763C 2178 A92C 8FB4
uid                  Jamiel Almeida <firstname.lastname@example.org>
uid                  Jamiel Almeida (slashfoo) <email@example.com>
uid                  [jpeg image of size 4021]
The image is this:
Signature with my key is available here: A92C8FB4.jpg.asc
Key signing conditions
I only sign keys when I have personally met the owner of the key at a meeting or party where the key-signing had been explicitly arranged beforehand. Thus, arranging a meeting with me or attending a keysigning party where I’m present is a requirement for getting your key signed by me.
When meeting one on one, you will want to bring the following:
- A piece of paper with the output of
gpg -K --fingerprint
- At least one valid government-issued ID with a photograph
- Any additional IDs, cards or documents to further verify your identity
- Enough time to attend the meeting without any rush (approx 10-15 minutes)
In the case of a key-signing party, since the nature of the event is to cross-verify multiple IDs, at least one valid, current, government-issued photo ID is strictly necessary.
Expect me to ask you questions on the nature and contents of the documents, especially if they are non-conventional, foreign, or otherwise forms of documentation that are new to me, or that bear features unknown to me.
I reserve the right to not accept forms of identification that I don’t trust, that are issued by organizations I don’t trust, that bear features unknown to me, or that are damaged or deteriorated in ways that affect the security features of the document.
I only sign keys of human persons, not companies. The names in the key and in the IDs provided must match. At the very minimum the first name and first last name must match, and other names or initials in the documents must not conflict with the key. I don’t normally make exceptions to this policy and you shouldn’t expect to be one.
I may choose to not sign a key on the basis of its size or algorithm if these would render it too weak. I consider 1024 bits to be the smallest acceptable key size; examples of acceptable algorithms are DSA, RSA and ElGamal.
I may also choose to not sign particular UIDs in a key, even ones that are e-mail addresses, if they look suspicious to me (this is a “game” of trust after all).
If the process of ID validation is interrupted or cannot be carried out in the environment (e.g. a noisy environment), I will not sign the key, and I will inform the other person.
GnuPG supports four certification levels (the number after “sig” is the level; the hex value is the OpenPGP signature class). Each is listed below, together with the reason I sign a key at that level.
- sig (0x10) : Generic certification. Used to sign photo, name, and other non-email UIDs.
- sig 1 (0x11) : Persona certification. Not currently used.
- sig 2 (0x12) : ‘I have done casual checking’. Used for keys checked during keysigning parties, or at other large, hurried or noisy signing meet-ups: a positive photo ID is still required, but careful checking was not possible.
- sig 3 (0x13) : ‘I have done careful checking’. Used for one-on-one keysigning where multiple positive IDs are exchanged. This level is also reserved for people, whether at a keysigning party or one-on-one, with whom I have spent time over the course of months, whom I have met at previous key-signing parties, or whom I know personally.
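As an added example (not part of the original page and not the author’s own tooling), the checks described above can be run against GnuPG’s machine-readable listing rather than eyeballed. The script below parses the output of gpg --with-colons --fingerprint --list-sigs: it compares the listed fingerprint with the one on the paper slip (refusing anything shorter than the full 40-hex fingerprint, so an 8- or 16-character key ID can never “match”), applies the size/algorithm rule with the 1024-bit threshold from the policy as an adjustable parameter, and reports the level of each third-party certification already on the key. The embedded listing is constructed to mirror the key shown above; the second certification, from key ID 0123456789ABCDEF, is a hypothetical signer. The sig labels and 0x10–0x13 classes are those of gpg and RFC 4880.

```python
"""Checks a signer would run over a participant's key before choosing a level.

Input is the output of:  gpg --with-colons --fingerprint --list-sigs <keyid>
Field numbering follows gpg's doc/DETAILS (1-based there, 0-based here).
"""
import re

# OpenPGP public-key algorithm IDs (RFC 4880 section 9.1) as gpg prints them in field 4.
ALGO_NAMES = {1: "RSA", 2: "RSA", 3: "RSA", 16: "ElGamal", 17: "DSA"}
MIN_BITS = 1024                      # the policy's threshold; raise it to taste
ACCEPTED_ALGOS = {"RSA", "DSA", "ElGamal"}

# Certification signature classes (RFC 4880 section 5.2.1) -> label gpg --list-sigs prints.
CERT_LEVELS = {0x10: "sig", 0x11: "sig 1", 0x12: "sig 2", 0x13: "sig 3"}

FULL_FPR = re.compile(r"^[0-9A-F]{40}$")   # a v4 fingerprint is 160 bits, nothing less

# Constructed sample. Key data mirrors the listing on the page; the UID hashes and the
# certification from key ID 0123456789ABCDEF (class 12x, dated 2015-02-21) are made up.
SAMPLE_LISTING = """\
tru::1:1440907200:0:3:1:5
pub:-:4096:1:763C2178A92C8FB4:1360108800:::-:::scESC::::::23::0:
fpr:::::::::C7E98BCAA435DBF11948F3D4763C2178A92C8FB4:
uid:-::::1360108800::1111111111111111111111111111111111111111::Jamiel Almeida <firstname.lastname@example.org>::::::::::0:
sig:::1:763C2178A92C8FB4:1360108800::::Jamiel Almeida <firstname.lastname@example.org>:13x::C7E98BCAA435DBF11948F3D4763C2178A92C8FB4:::8:
sig:::1:0123456789ABCDEF:1424476800::::Hypothetical Signer <signer@example.net>:12x::::::8:
uid:-::::1360108800::2222222222222222222222222222222222222222::Jamiel Almeida (slashfoo) <email@example.com>::::::::::0:
sig:::1:763C2178A92C8FB4:1360108800::::Jamiel Almeida <firstname.lastname@example.org>:13x::C7E98BCAA435DBF11948F3D4763C2178A92C8FB4:::8:
"""


def parse_listing(text):
    """Return the primary key's size, algorithm, key ID, fingerprint and UIDs with their sigs."""
    key = {"bits": None, "algo": None, "keyid": None, "fpr": None, "uids": []}
    uid = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key["bits"] = int(f[2])
            key["algo"] = ALGO_NAMES.get(int(f[3]), "algo %s" % f[3])
            key["keyid"] = f[4]
        elif f[0] == "fpr" and key["fpr"] is None:
            key["fpr"] = f[9]              # first fpr record belongs to the primary key
        elif f[0] == "uid":
            uid = {"name": f[9], "sigs": []}
            key["uids"].append(uid)
        elif f[0] == "sig" and uid is not None:
            cls = int(f[10][:2], 16)       # e.g. "13x": class 0x13, 'x' = exportable
            uid["sigs"].append({"keyid": f[4], "signer": f[9],
                                "level": CERT_LEVELS.get(cls, "0x%02x" % cls),
                                "exportable": f[10].endswith("x")})
    return key


def normalize_fpr(s):
    """Upper-case hex with spaces/colons removed, or None if not a full 160-bit fingerprint."""
    s = re.sub(r"[\s:]", "", s).upper()
    if s.startswith("0X"):
        s = s[2:]
    return s if FULL_FPR.match(s) else None


def is_full_fingerprint(s):
    return normalize_fpr(s) is not None


def fingerprints_match(on_paper, in_listing):
    """True only if both are full fingerprints and identical; a short or long key ID never matches."""
    a, b = normalize_fpr(on_paper), normalize_fpr(in_listing)
    return a is not None and a == b


def key_meets_policy(key, min_bits=MIN_BITS, accepted=ACCEPTED_ALGOS):
    """Apply the size/algorithm rule; returns (ok, list of reasons it failed)."""
    reasons = []
    if key["bits"] < min_bits:
        reasons.append("%d-bit key is below the %d-bit minimum" % (key["bits"], min_bits))
    if key["algo"] not in accepted:
        reasons.append("algorithm %s is not one of %s" % (key["algo"], ", ".join(sorted(accepted))))
    return (not reasons, reasons)


def third_party_certs(key):
    """Certifications made by keys other than the key itself, with the UID and level."""
    return [{"uid": u["name"], "signer": s["keyid"], "level": s["level"]}
            for u in key["uids"] for s in u["sigs"] if s["keyid"] != key["keyid"]]


def check_key(listing, fpr_on_paper):
    """Everything worth knowing before deciding whether and at what level to sign."""
    key = parse_listing(listing)
    ok, reasons = key_meets_policy(key)
    return {"fingerprint_matches": fingerprints_match(fpr_on_paper, key["fpr"]),
            "policy_ok": ok, "policy_reasons": reasons,
            "uids": [u["name"] for u in key["uids"]],
            "third_party_certs": third_party_certs(key)}


if __name__ == "__main__":
    slip = "C7E9 8BCA A435 DBF1 1948 F3D4 763C 2178 A92C 8FB4"   # as read off the paper
    for k, v in check_key(SAMPLE_LISTING, slip).items():
        print("%-20s %s" % (k, v))
```

Feed it the real listing with `gpg --with-colons --fingerprint --list-sigs <keyid>` after importing the participant’s key into a fresh, empty GNUPGHOME; the fingerprint comparison is the only step that matters for deciding whether to sign at all, the rest informs the level.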
Signing of photo, name, and other non-email UIDs
Non-email UIDs present on a key are not signed automatically by me, and there are some considerations made when I do sign them.
If someone specifically requests a name or alias to be signed, that person must show an identification bearing that name or alias, along with the other documents for verification. This applies to ham radio callsigns, job titles and the like, even if they appear in parentheses after the name.
For a photo UID, I’ll only sign it and send the signed UID to an email address I have already signed. This will only happen if the person brings at least two government-issued photo identification documents and the picture they want signed; people I know in person and have spent time with for at least a couple of months are exempt from bringing the photo.
I typically expect that when I take the time to verify a person’s identity and sign their key, my key and identity will be signed in return, provided I meet that person’s verification requirements.
If not, I consider it polite for the person to explain why my key wasn’t signed.
I reserve the right to not sign a key at my own discretion.
I’ll verify the documents and identity in person. I’ll sign the key(s) when I’m home, or somewhere equivalent to it. Please don’t expect me to sign the key immediately if I’m busy, travelling, or in a hotel room.
When I sign an email UID, I’ll detach my signature of that UID and send it attached to an encrypted message to that email address. The recipient is expected to decrypt the message, import the signature and upload it to whatever key server they prefer. This is done to ensure that the requester is in control of both the email address in the UID and the corresponding private key: only someone who receives mail at that address and holds the key can decrypt the message and publish the signature.
Further reading
- PGP Key Signing Observations: Overlooked Social and Technical Considerations, at LinuxSecurity.com
- Phil’s PGP Docs
- Phil’s doc on PGP Key Signing
- Alex Cabal on Creating the perfect GPG keypair
- Daniel Kahn Gillmor on HOWTO prep for migration off of SHA-1 in OpenPGP on his user blog at “Debian Administration”
- Two key-signing tools to aid with parties are caff and PIUS
- How To Transition To A Longer Key
- Creating a new GPG key on Ana’s blog
Public Key-signing parties I’ve attended
- February 23, 2013 - SCaLE 11x PGP Key Signing Party
- February 22, 2014 - SCaLE 12x PGP Key Signing Party
- February 21, 2015 - SCaLE 13x PGP Key Signing Party
Copyright and licensing information
Copyright © Jamiel Almeida <firstname.lastname@example.org> 2015
As stated above, this document is greatly inspired by the work of David Kaiser and his PGP keysigning policy. This document follows its essence and draws from its structure and contents.
Structure and contents may be used under the conditions of the Creative Commons Attribution-Noncommercial-Share Alike 3.0 license.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.28

iQIcBAEBCgAGBQJV5PmyAAoJEHY8IXipLI+0BxcP+gMI31TDI2vI847hgCYXyS69
/Av0OMVK4oumXeCQx5Us5Cd41rMaxpYc2jZwpWHxy4tL93GSDjidld4f1PxXe9ta
gDwUeyNUcm7JIZ/t541iLd5tQMIYcpUPVz9cd93/gnMOMgml+8MaPfAsnRS6Ktgd
12YhYcmq6DOkdY5jZ1V8o4lqMzy0r4g8pMUJm4HhRyLVqdeBEwUdfvCg7gFeOvpB
T3OSye5ho8IUcZFsQLYPYi/ZcHYW0lRyPTPG/m/fczfg+sBiXv5+tOfjFQgd/IH6
r9Kd1ttD5MdbBw5oLdsILUbeYE+Lya6DIWlmFAcYCyCB36Kx6ay6POkOOaxC1FFN
+ZnF0eO4Ev7uqFgnmsFnN0+uOxufVeycLV2Vqepyhz55geZFZZnVNJ2vw0nD+AnS
R8WFmH6BNPbpPLEb5pq1whtHdxsM+oryheDYf1VBbx8AcJ4G/ZeoMGVzXBz19UrD
rjfEo6R6+YiENi4y01oyjhRXFPbD2sKm1C9lO/rpDU3RsMtbMDLyGCwk6bvJliRU
YkdCFZArAYCqpwrHoNoVpMuelS3YrI/AwwL5hwekHq/3549z21fhUyWklJQpmha1
xxeUS6J05wrhfZiMIuVeRh9/lcnMxm/qfctThSR3hH0jyyXVAUGztrlMS8JxGWfU
z/AzZJfSfZXS67DibDGL
=P5sH
-----END PGP SIGNATURE-----