
Created A PGP Key Signing Policy

I just created a PGP/GPG key signing policy. I've never set one before, so there it is.

The motivation is three-fold: I want to raise awareness of encrypted email, I want to expand the Web of Trust, and I want to sign keys. I believe we've become too anal retentive about the rituals of signing each other's keys, and I would like to bring key signing more to the forefront for the general public. There is no reason why email shouldn't be encrypted 100% of the time, and the song and dance of forming a conga line, reciting fingerprints, and checking identification has probably gone a little overboard.

Thus, on my policy page, you'll notice that I'm willing to sign your key if you just send me $1 USD along with your email address and key. I'll return the $1 after I've signed it. Or, you can send me a color scan of your U.S. passport or driver's license, and I'll sign your key. Crazy? Maybe. I'm fairly confident, however, that the government, or powerful enemies, isn't planning a coordinated attack against my identity.

17 Comments

  1. foo | March 1, 2011 at 9:57 pm

    Welcome to my PGP plonk list.

  2. Aoirthoir An Broc | March 1, 2011 at 10:55 pm

    Isn't the point of signing the key, verifying that the person is really who they say they are?

  3. andreas | March 2, 2011 at 3:38 am

    How does your policy relate to keys with multiple uids/addresses? Requiring explicit validation for every uid you are to sign?

  4. Aaron | March 2, 2011 at 5:32 am

    @Aoirthoir An Broc- Yes. You are verifying that the person says "I am John, here's proof". Each of the methods described in my policy meets that need, to one degree or another. But signing a key is more than that. It is also saying that the person owns the key they claim and that you trust encrypted communication with them.

    @andreas- No. You wouldn't require explicit validation for every UID at a key signing party, so why do it here? If the key has multiple UIDs, and I've verified the user owns the key, I'll sign every UID. This is the same practice that is done in an anal retentive manner at a key signing party, and I see no reason why not to do it for the scenarios listed in my policy.

  5. Mark | March 2, 2011 at 7:59 am

    I like the idea. The mail "mail me a dollar and I'll return it" will cost almost a dollar to accomplish.

  6. Nitesh Mistry | March 2, 2011 at 12:23 pm

    I may be naive and maybe that's why this question:
    From what I understand about key-signing, it is about visually verifying that the person who presents the key id with corresponding photo id is the person on the photo id. So I correlate the face of the person with the face on photo id and then the name on photo id with that on the key id. However that very essence of identifying the person seems missing in your 'online key signing' policy.

  7. Mark | March 2, 2011 at 2:28 pm

    To solve Nitesh's comment.. it could be done via webcam w/ voice. Visual verification with voice and a web cam shot of the ID coupled with an emailed copy of the ID. This should satisfy the intent. This process would allow inclusion of disabled persons who are not able to "get out".

  8. UndiFineD | March 30, 2011 at 7:41 am

    By adding a form of money flow to your email system, you may actually harm privacy in email.

  9. Aaron | March 30, 2011 at 8:19 am

    @undiFineD- If you're going to make an accusation, you should probably back it up. How is proving that someone owns their key by using the exchange of money harming email privacy?

  10. UndiFineD | March 30, 2011 at 9:33 am

    Thanks @Aaron, although you could probably think of this yourself.

    The privacy key is to ensure the privacy of the content of the email.
    Now the money flow can reveal the owners of both or either of the email addresses.
    Even if you obfuscate the transaction identification of email,
    the banks track every transaction, and this information is shared with their government.
    Suppose it works like this:
    I sign up to a website to have my gpg key signed, I transfer $1 to the site,
    this you do via PayPal, so you know it is shared with Bank of America
    and every other bank that does business with PayPal, yes even my banks in the Netherlands.
    So you know my email address, and every bank related to the transaction, and therefore every involved country.
    Now, in crime research, it does not matter what the content of the email was, it matters who you had contact with; it is then up to the good law and you to prove you were not involved in any crime, thus you have to reveal the content of the communication, defying the purpose of the privacy key.

    In today's world everything you wish to keep private makes you a suspect, of anything.

    Not only that, they can simply link a nickname and a bank account and an email address to a person; with that information they know where you live, who you do business with, where you work and whatever they wish to know of you ? mobile phone ? they have it.

    So now a solution:
    you have a public site, people signup over a strong encrypted page . They grab , they sign it with and transfer to a private part of your site .

    So who do you know and trust ? That brings me to proper authentication.
    Something you know
    Something you are
    Something you own
    Something you do
    Someone who knows you (both)

    There are difficulties with all methods above; I remember some government military document on multilevel authentication. Any of the above alone is never good enough; some methods are not very suitable for the web, but a combination can be made.
    For example , , .

  11. UndiFineD | March 30, 2011 at 9:37 am

    lol, that took out the details in brackets

    Something you know [{ password }]
    Something you are [{ fingerprint }] [{ ear }] [{ eye }]
    Something you own [{ Identification card }] [{ public signature }]
    Something you do [{ speech }] [{ signature }]
    Someone who knows you (both) [{ trust relation }]

    For example [{ password }] , [{ public signature }] , [{ trust relation }] .

  12. Aaron | March 30, 2011 at 2:19 pm

    @UndiFineD- I'm not exactly sure I'm following your logic. Let's run through a standard keysigning scenario, extend it to using a bank to transfer money, and see where we end up.

    In the standard scenario, two people meet and exchange identities. If they already know each other, this is given for free. If they don't know each other, they can check identification cards. Either way, identity needs to be established: that the person they are meeting with is indeed who they claim to be. After identities are established, key fingerprints are exchanged. The only point of this is to verify that the other person has the correct key in their possession, the one they are about to sign. It's important to understand that they only have the public key of the other person, and not the private key. Once identity has been established, and it has been verified that each has the correct key for the other person, they then sign the key with their own private key.

    Now, how do we extend this to using a bank as a third party?

    Two people exchange email, signed with their own personal key, that they wish to have signed by the other. They state in the email what the KeyID is, so the recipient can find the appropriate key off a keyserver. Then, the one wishing to have his key signed transfers $1 through a bank to the other. Because of the terms of service from the bank's website, the person sending the $1 is stating legally that he is who he says. Once the $1 arrives, the key is signed, and the $1 is sent back.

    Do you see how both identity and verifying that the right key was signed are applied? There was no exchange of private keys, and there is no information in the key that a bank was used to establish identity. Sure, one could say that the Web of Trust is slightly weakened here, because someone fraudulent could create a key using a fake identity, establish a relationship with the bank under that false identity, send $1, and get the key signed. However, there are legal repercussions in most countries for such scenarios, like the United States, should such a relationship be built, and that is hardly the fault of the one signing the key.

    Consider for a moment, someone who creates a false identification card, government issued even, under a false identity, creates a key and attends a massive keysigning party. This situation is no different than that of the bank. Knowing 100% that they are who they say they are is virtually impossible, even for close friends you might have. So, you have to make a leap of faith that the identity holds, whether you use a trusted 3rd party, such as a bank, or establish the identity in person.

    So, I hope this helps. There is no damage to the Web of Trust, using a bank as a 3rd party to establish identity. No more so than using government-issued identification cards at a keysigning party.
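    As an added example (not from the post or any of the comments), here is a Python helper for the check the scenario above relies on: after fetching the key named by the key ID in the email, compare its full fingerprint with the one verified out of band, and only then list every UID on it for certification, as comment 4 says the author does. The `gpg --with-colons --fingerprint` sample is constructed; the key, fingerprints and addresses are fake.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint <keyid>` output.
# The key, fingerprints and addresses are fake; the record layout is GnuPG's
# colon format (field 1 = record type, field 10 = fingerprint or user ID).
SAMPLE_COLON_OUTPUT = """\
pub:-:2048:1:ABCDEF0123456789:1298900000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1298900000::1F2E3D4C5B6A79880123456789ABCDEF01234567::Jane Doe <jane@example.com>::::::::::0:
uid:-::::1298900000::2F2E3D4C5B6A79880123456789ABCDEF01234567::Jane Doe <jane@example.org>::::::::::0:
sub:-:2048:1:FEDCBA9876543210:1298900000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""

def normalize_fingerprint(text):
    """Strip spaces/colons and uppercase, so a fingerprint read off a business
    card compares equal to the one gpg prints. A 16-hex key ID is rejected:
    key IDs can collide, only the full fingerprint identifies the key."""
    fpr = re.sub(r"[\s:]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("need the full 40-hex-digit fingerprint, not a key ID")
    return fpr

def parse_key(colon_output):
    """Return (primary-key fingerprint, [user IDs]) from --with-colons output.
    The first fpr record belongs to the primary key; later ones are subkeys."""
    fingerprint, uids = None, []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and fingerprint is None:
            fingerprint = fields[9]
        elif fields[0] == "uid":
            # gpg C-escapes bytes such as ':' in user IDs as \x3a; undo that.
            uids.append(re.sub(r"\\x([0-9A-Fa-f]{2})",
                               lambda m: chr(int(m.group(1), 16)), fields[9]))
    if fingerprint is None:
        raise ValueError("no fpr record found")
    return fingerprint, uids

def uids_to_certify(colon_output, verified_fingerprint):
    """Refuse to sign unless the fetched key's fingerprint matches the one
    verified out of band; then return every UID on it (the policy in comment 4)."""
    expected = normalize_fingerprint(verified_fingerprint)
    actual, uids = parse_key(colon_output)
    if actual != expected:
        raise ValueError(f"fingerprint mismatch: fetched {actual}, verified {expected}")
    return uids
```

Once the check passes, the certification itself is `gpg --sign-key` given the full fingerprint rather than the short key ID from the email.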

  13. Aaron | March 30, 2011 at 2:25 pm

    I should probably further explain that just because you used a bank to establish identity does not mean that the bank has any access to any encrypted information you send back and forth with your keys. Provided that your public key was built using industry standard public key algorithms, such as DSA or RSA, you shouldn't have anything to worry about.

    Also, the bank never sees a public key in this transaction. All they see is $1 going from point A to point B, then from point B back to point A. The keysigning was done locally on the person's computer, where the public key was likely grabbed from a public keyserver. The bank is 100% oblivious to all of this, unless of course the person signing the key actually works at the bank, and uses the bank's network resources to grab the key. Even then, there is nothing to worry about, as the public key was copied, which should be resistant to all practical cryptanalysis attacks.

  14. UndiFineD | March 30, 2011 at 3:07 pm

    The moment a bank becomes involved in the process, as a 3rd party they know some things of that transaction. And since the amount is $1 floating back and forth, the bank will investigate why this happens.
    Also in international transactions the banks want to make money. If you transfer $1 from one person to another, PayPal is keeping 50 dollar cents on that transaction. Sending it back and forth means the dollar is lost. Next to that, there is the conversion "tax" where easily 10 cents per dollar is lost in conversion.

    I really would like to see a good solution without money involved; it keeps things more private and it costs less.

  15. Aaron | March 30, 2011 at 7:55 pm

    I guess I'm not following. So what if the bank investigates why $1 went from person A to person B and then back again? So they find out you signed a public key. And? Unless they have some magic hardware that the rest of the world doesn't have to build the private key from your public key, I don't see where the big issue is.

    You made the accusation that by using a bank as a 3rd party to establish identity, "by adding a form of money flow to your email system, you may actually harm privacy in email". I've clearly shown that this is as far from the truth as can be.

    First, OpenPGP isn't tied to email or vice versa. OpenPGP can be applied to email, but it can be applied to a number of other situations too. Second, the bank has no knowledge of private/public keys in the transaction, unless you reveal such. And EVEN THEN, so what? Unless they get to your private key AND your passphrase, they can't do anything to compromise privacy in email. Nada. Zip. Nothing.

    Now, it seems you've changed your tone. Now, you're stating that the bank is losing money, because of the dollar going back and forth. I'm going to ask you to cite your claims that PayPal keeps $.50 for every transaction, as well as citing that the conversion tax between international currencies (I'm assuming this is what you mean), is $.10 for every dollar.

    You're making a lot of broad claims, without really backing anything up, and it's not making you look good as a result. I would suggest that you do a bit more research into OpenPGP and various implementations, along with the security practices of each, and their repercussions.

  16. UndiFineD | March 30, 2011 at 10:03 pm

    Banks are required to report odd behaviour; they do not investigate, but merely report odd transactions. With today's new laws implemented around the world to prevent "terrorism",
    everyone suddenly is a suspect when they do things oddly.
    Banks will happily commit the transaction, as it makes them money.

    Upon investigation regarding odd transactions they will find out, with or without asking you, that these transactions are related to your email traffic. Once a new trusted friend has been signed by you, you send back the dollar and send them an email to say hello.
    The timeframes of these transactions allow them to be linked.

    Yes, there is pgp / rsa / ssh encryption and decryption hardware ... for example
    these hardwares you will find with price figures with more than 3 zeros for them to have any quality/quantity.

    Maybe my calculations on PayPal are not correct, but every transaction does make money for a bank.
    "You can also withdraw money from your PayPal balance by requesting a check. (There’s a fee of $1.50 USD for check withdrawals.)" is how PayPal does things differently from other banks, as collectively we give them money until we withdraw.
    From my iGoogle currency conversion: 1 USD = 0,7075 EUR
    but if I make a transaction from my bank to PayPal I pay at least 72 eurocents to make a dollar.

    My broad claims, as you call them, are not without backing; they are common practice in your and my country. International transaction of money costs money, police / governments do wiretapping, they call it data retention, and besides storage there is a large cluster of systems crunching suspect data.

    I know PGP / GPG can be used for more than email, but that was not the point. The moment a money transfer is brought into the loop, more can be known about you and other people. The content of the email or any communication does not really matter; they can link you together.

    An animal world example:
    Penguins live in Antarctica and South Africa; some of them are friends. One of the penguins in South Africa is friends with a sea beaver; all sea beavers are terrorists, but hey, you are emailing with that penguin who knows the sea beaver, perhaps you are a sea beaver spy and are relaying classified information. So they freeze your PayPal bank account.
    Still you trust the penguin from South Africa but not his friend the sea beaver, until the sea beaver is signed off by your friendly South African penguin, who both signed your public signature as a signature of recommendation.

  17. Aaron | March 30, 2011 at 11:12 pm

    I guess I just don't understand your logical thought. Transferring money, especially $1, from one account to the other isn't odd behavior. Not by a long shot. And again, who cares if they figure out what it's for?

    Yes, there is encryption/decryption hardware, but nothing that will produce the private key from a public key, if the keys were built using industry-accepted cryptography.

    The fact of the matter is, privacy, security and the web of trust are not weakened by using a bank to establish identity any more than it is weakened using a computer conference to host a keysigning party. End of story.
