When signing PGP/GPG keys, you are stating that you've inserted a level of trust with the owner of the key. This trust is necessary for the OpenPGP ecosystem, as OpenPGP is a distributed system that does not rely on a central authority, such as Verisign. Thus, the more signatures that exist in a single key, the more that key can be trusted. The more keys that contain signatures and sign each others keys, the larger the Web of Trust.
It's important to understand that signing each others PGP/GPG keys means you trust them. However, it's possible that we've gotten a little over zealous in the process. Really, is it necessary to check identification, even if you already know the individual? Of course, it's important to make sure that you have the right key in your possession, so exchanging fingerprints is probably a good idea, but if it's my brother or boss, is verifying their identification really that important?
One thing to remember, is that you are only verifying identity, not identification. It's not critical knowing whether or not the person can drive or travel out of the country. It's only important to verify their identity. Of course, if you don't know them, then using some government-issued identification is important.
When using GnuPG to sign someone's key, you will be asked how careful you have checked their identity. The responses are as follows:
- I will not answer. (default)
- I have not checked at all.
- I have done casual checking.
- I have done very careful checking.
Personally, I will only sign keys if I have done at least casual checking or very careful checking. I will not sign a key if I have not verified the ownership of the key. This weakens the Web of Trust. With that said, if you're interested in receiving a PGP/GPG signature from me, you can take one of the following 4 steps below, and I will sign your key:
I have done very careful checking.
- I will sign your key if we meet in person and exchange government-issued identification and key fingerprints if we don't know each other.
- I will sign your key if we cannot meet in person but someone I ultimately trust notifies me that you want a signature, and gives me your key id verbally or in person.
- I will sign your key without meeting in person and without exchanging identification and key fingerprints if I know you very well personally (such as working with you, going to school with you, family, etc.)
I have done casual checking.
Authentication by sending my a scan of your United States passport or driver license
- Make a color scan of your personal United States passport or driver's license.
- On the color scan, hand write your email address and your key id.
- Compose an email with the resulting document, and digitally sign it with your key.
- Send the email to: email@example.com
Of course, sending me a copy of your passport or driver's license could have some identity fraud ramifications. I am certainly not interested in committing identity fraud, but to be assured, you can black out your address, social security number, birthday, passport number and/or driver's license number. Basically, I only need enough information to identify the the document and your name. Because we aren't meeting face-to-face, the photo isn't necessary. I'll remain in contact with you, if too much of the document has been removed, or the scan is unclear, or whatever. Please encrypt the mail and the scans so I am the only one who sees the information. I will securely shred, both physically and digitally, any unencrypted copies, should they be needed.
Authentication using PayPal as a trusted third party
- Send me a $1 USD personal payment as a "Gift" to my PayPal account using "firstname.lastname@example.org" as the email address to send the funds to. If you use a "purchase payment", I will not refund your $1. Pay attention.
- In the "Subject:" field, let me know you wish for me to sign your key.
- In the "Message:" field, give me your email address, your key id and your PayPal transaction number.
- Send a signed and encrypted email to email@example.com letting me know you've done so, and make sure that your email is signed with the key you wish to have signed.
- After I have received the dollar and your signed email, I will sign your key and send the dollar back to you.
My key, pub 1024D/8086060F 2004-09-18 Aaron Toponce <firstname.lastname@example.org> is in the "Strong Set". Statistics on my key.
Inspired by Folkert VanHeusden.