When signing PGP/GPG keys, you are stating that you have established a level of trust with the owner of the key. This trust is necessary for the OpenPGP ecosystem, as OpenPGP is a distributed system that does not rely on a central authority such as Verisign. Thus, the more signatures that exist on a single key, the more that key can be trusted. The more keys that carry signatures and sign each other's keys, the larger the Web of Trust.
It's important to understand that signing each other's PGP/GPG keys means you trust them. However, it's possible that we've gotten a little overzealous in the process. Really, is it necessary to check identification, even if you already know the individual? Of course, it's important to make sure that you have the right key in your possession, so exchanging fingerprints is probably a good idea, but if it's my brother or my boss, is verifying their identification really that important?
One thing to remember is that you are only verifying identity, not identification. It's not critical to know whether or not the person can drive or travel out of the country. It's only important to verify their identity. Of course, if you don't know them, then using some government-issued identification is important.
When using GnuPG to sign someone's key, you will be asked how carefully you have checked their identity. The responses are as follows:
- I will not answer. (default)
- I have not checked at all.
- I have done casual checking.
- I have done very careful checking.
Personally, I will only sign keys if I have done at least casual checking or very careful checking. I will not sign a key if I have not verified the ownership of the key, since signing unverified keys weakens the Web of Trust. With that said, if you're interested in receiving a PGP/GPG signature from me, you can take one of the following four approaches below, and I will sign your key:
I have done very careful checking.
- I will sign your key if we meet in person and, if we don't know each other, exchange government-issued identification and key fingerprints.
- I will sign your key using live video conferencing with uTox and sharing government-issued identification. My Tox ID is 30861A76AC69FEB7DA042DFD75F30574CEE3C6498DF9DD766E1D78FC5CB4693CA10BD381F696. I am not interested in using centralized chat protocols, such as Ekiga, Jitsi, Skype, Google Hangouts, Facetime, etc.
- I will sign your key if we cannot meet in person but someone I ultimately trust notifies me that you want a signature, and gives me your key ID verbally or in person.
- I will sign your key without meeting in person and without exchanging identification and key fingerprints if I know you very well personally (such as working with you, going to school with you, family, etc.)
Just a brief comment about Tox. Tox is an end-to-end encrypted and decentralized communications tool. This means that the man-in-the-middle server is completely removed from the equation, and we can have an "off the record" conversation validating each other's identities. Because I am requesting that you share your government-issued identification with me, such as a passport or driver's license, feel free to put small stickers covering personally identifiable information. Feel free to block out your address, social security number, birthday, passport number and/or license number. I only need enough information to identify the document, your face, and your name. Because we are meeting face-to-face over video conference, please leave the photo on the identification document visible.
I have done casual checking.
Authentication by sending me a scan of your United States passport or driver's license
- Make a color scan of your personal United States passport or driver's license.
- On the color scan, hand write your email address and your key ID.
- Compose an email with the resulting document, and digitally sign it with your key.
- Send the email to: firstname.lastname@example.org
Of course, sending me a copy of your passport or driver's license could have some identity fraud ramifications. I am certainly not interested in committing identity fraud, but for your own assurance, you can black out your address, social security number, birthday, passport number and/or driver's license number. Basically, I only need enough information to identify the document and your name. Because we aren't meeting face-to-face, the photo isn't necessary. I'll remain in contact with you if too much of the document has been blacked out, the scan is unclear, or whatever. Please encrypt the mail and the scans so that I am the only one who sees the information. I will securely shred, both physically and digitally, any unencrypted copies, should any be needed.
Authentication using PayPal as a trusted third party
Authentication using PayPal now requires using a "verified account". Please see https://www.paypal.com/webapps/mpp/security/verification-faq for more information. There may be some limitations for users outside of the United States. Consider using Tox if so.
- Send me a $1 USD personal payment as a "Gift" from your verified account to my PayPal account, using "email@example.com" as the email address to send the funds to. If you use a "purchase payment", I will not refund your $1. Pay attention.
- In the "Subject:" field, let me know you wish for me to sign your key.
- In the "Message:" field, give me your email address, your key ID and your PayPal transaction number.
- Send a signed and encrypted email to firstname.lastname@example.org letting me know you've done so, and make sure that your email is signed with the key you wish to have signed.
- After I have received the dollar, your signed email, and have verified your PayPal account, I will sign your key and send the dollar back to you.
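As an added example (not code from the original post), the following shell functions encode this policy when signing from the command line: the verification channel used (in person, video, scan, PayPal) selects the certification level GnuPG records, and the key is signed only if the fingerprint exchanged out of band matches the key in the local keyring. It assumes GnuPG 2.1 or later for --quick-sign-key; POLICY_URL is a placeholder for your own published policy, not the author's.

```shell
#!/bin/sh
# Added example, not code from the original post. Signs a key at the GnuPG
# certification level this policy assigns to the verification method used.
# Assumes GnuPG 2.1+ (for --quick-sign-key); POLICY_URL is a placeholder.
POLICY_URL="https://example.org/keysigning-policy"

# Map how the key owner was verified to the answer GnuPG records in the
# signature: 3 = very careful (in person, or live video with government ID),
# 2 = casual (signed passport/licence scan, or PayPal verified account).
# Anything else is not covered by the policy, so nothing is signed.
cert_level_for() {
    case "$1" in
        in-person|video) echo 3 ;;
        scan|paypal)     echo 2 ;;
        *)               return 1 ;;
    esac
}

# Normalise a fingerprint as read aloud or typed (grouped, lowercase) to the
# 40 uppercase hex digits gpg prints. A short key ID (8 digits) is rejected:
# short IDs are trivially collidable, so the full fingerprint must be compared.
norm_fpr() {
    f=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$f" in *[!0-9A-F]*) return 1 ;; esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s' "$f"
}

# True only if the key in the local keyring has exactly the fingerprint that
# was exchanged out of band (in person, on video, or via the trusted contact).
keyring_has_fpr() {
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }' | grep -qx "$1"
}

# sign_verified_key METHOD FINGERPRINT
sign_verified_key() {
    fpr=$(norm_fpr "$2")         || { echo "not a full fingerprint: $2" >&2; return 1; }
    level=$(cert_level_for "$1") || { echo "policy does not cover '$1'" >&2; return 1; }
    keyring_has_fpr "$fpr"       || { echo "fingerprint not in keyring" >&2; return 1; }
    # Record the level and a pointer to the policy in the certification itself.
    gpg --batch --default-cert-level "$level" --cert-policy-url "$POLICY_URL" \
        --quick-sign-key "$fpr"
}
```

Typical use after a video session: `sign_verified_key video "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"` (a constructed fingerprint); the secret key's passphrase is still requested by gpg-agent as usual.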
My key, pub 1024D/8086060F 2004-09-18 Aaron Toponce <email@example.com>, is in the "Strong Set". Statistics on my key.
Inspired by Folkert VanHeusden.