
PGP Keysigning Policy

This document is digitally signed here. Please verify that the signature is valid with my public key. Below is an HTML version of that document.

When signing PGP/GPG keys, you are stating that you have placed a level of trust in the owner of the key. This trust is necessary for the OpenPGP ecosystem, as OpenPGP is a distributed system that does not rely on a central authority, such as Verisign. Thus, the more signatures that exist on a single key, the more that key can be trusted. The more keys that carry signatures and sign each other's keys, the larger the Web of Trust.

It's important to understand that signing each other's PGP/GPG keys means you trust them. However, it's possible that we've gotten a little overzealous in the process. Really, is it necessary to check identification, even if you already know the individual? Of course, it's important to make sure that you have the right key in your possession, so exchanging fingerprints is probably a good idea, but if it's my brother or boss, is verifying their identification really that important?

One thing to remember is that you are only verifying identity, not identification. It's not critical to know whether or not the person can drive or travel out of the country. It's only important to verify their identity. Of course, if you don't know them, then using some government-issued identification is important.

When using GnuPG to sign someone's key, you will be asked how carefully you have checked their identity. The responses are as follows:

  1. I will not answer. (default)
  2. I have not checked at all.
  3. I have done casual checking.
  4. I have done very careful checking.

Personally, I will only sign keys if I have done at least casual checking or very careful checking. I will not sign a key if I have not verified the ownership of the key, because signing unverified keys weakens the Web of Trust. With that said, if you're interested in receiving a PGP/GPG signature from me, you can take one of the following 4 steps below, and I will sign your key:

I have done very careful checking.

  • I will sign your key if we meet in person and exchange government-issued identification and key fingerprints if we don't know each other.
  • I will sign your key if we cannot meet in person but someone I ultimately trust notifies me that you want a signature, and gives me your key ID verbally or in person.
  • I will sign your key without meeting in person and without exchanging identification and key fingerprints if I know you very well personally (such as working with you, going to school with you, family, etc.)
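The two checks this policy rests on, comparing the fingerprint gpg shows against the one exchanged in person, and reading off which certification level existing signatures on a key carry, can both be done from GnuPG's machine-readable listing (`gpg --with-colons --fingerprint --list-sigs KEYID`). The following Python is an added example, not the page author's code or a GnuPG tool; the listing it parses is constructed for the example, and every key ID, date and user ID in it is made up.

```python
"""Check an OpenPGP key against a keysigning policy using GnuPG's
with-colons listing format (``gpg --with-colons --fingerprint --list-sigs``).

Added example, not the page's own code. SAMPLE_LISTING is constructed.
"""
import hmac

# GnuPG certification levels: OpenPGP signature classes 0x10..0x13 minus 0x10.
CERT_LEVELS = {
    0: "I will not answer",
    1: "I have not checked at all",
    2: "I have done casual checking",
    3: "I have done very careful checking",
}

# Constructed sample of `gpg --with-colons --fingerprint --list-sigs` output.
# Field 11 of a sig record is the signature class: "13x" = class 0x13 (very
# careful), exportable; "11l" = class 0x11 (not checked), local-only.
SAMPLE_LISTING = """\
pub:-:1024:17:0123456789ABCDEF:1095465600:::-:::scESC::::::23::0:
fpr:::::::::0000111122223333444455550123456789ABCDEF:
uid:-::::1095465600::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
sig:::17:0123456789ABCDEF:1095465600::::Example User <user@example.com>:13x:::::::::
sig:::1:FEDCBA9876543210:1200000000::::Signer One <one@example.com>:12x:::::::::
sig:::1:1111222233334444:1200000000::::Signer Two <two@example.com>:10x:::::::::
sig:::1:5555666677778888:1200000000::::Signer Three <three@example.com>:11l:::::::::
"""


def parse_listing(listing):
    """Return (primary key ID, fingerprint, signatures) from with-colons output."""
    key_id = fingerprint = None
    sigs = []
    for line in listing.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            key_id = fields[4]                 # field 5: key ID
        elif rec == "fpr" and fingerprint is None:
            fingerprint = fields[9]            # field 10: fingerprint of the primary key
        elif rec == "sig":
            sig_class = fields[10]             # field 11: e.g. "13x"
            level = int(sig_class[:2], 16) - 0x10
            sigs.append({
                "signer": fields[4],
                "uid": fields[9],
                "level": level,
                "description": CERT_LEVELS.get(level, "unknown"),
                "exportable": sig_class[2:3] == "x",
            })
    return key_id, fingerprint, sigs


def normalize_fingerprint(text):
    """Turn a fingerprint as printed or read aloud ('0000 1111 ...') into 40 upper-case hex digits."""
    digits = "".join(text.split()).upper()
    if len(digits) != 40 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("not a v4 OpenPGP fingerprint")
    return digits


def fingerprint_matches(listed, exchanged):
    """Compare the fingerprint gpg shows with the one exchanged in person."""
    return hmac.compare_digest(normalize_fingerprint(listed), normalize_fingerprint(exchanged))


def key_id_from_fingerprint(fpr, long=True):
    """The long (16 hex) or short (8 hex) key ID is the tail of a v4 fingerprint.
    Short IDs are easily collided, so verify the whole fingerprint, never just the ID."""
    digits = normalize_fingerprint(fpr)
    return digits[-16:] if long else digits[-8:]


def third_party_certifications(listing, minimum_level=2):
    """Signatures by other keys that meet the policy: at least casual checking (level 2)
    by default, exportable (local-only signatures never reach the Web of Trust),
    and not the key's own self-signature."""
    key_id, _, sigs = parse_listing(listing)
    return [s for s in sigs
            if s["signer"] != key_id and s["exportable"] and s["level"] >= minimum_level]


if __name__ == "__main__":
    key_id, fpr, _ = parse_listing(SAMPLE_LISTING)
    on_paper = "0000 1111 2222 3333 4444  5555 0123 4567 89AB CDEF"   # constructed
    print("fingerprint matches:", fingerprint_matches(fpr, on_paper))
    print("long key ID:", key_id_from_fingerprint(fpr), "short:", key_id_from_fingerprint(fpr, long=False))
    for s in third_party_certifications(SAMPLE_LISTING):
        print(s["signer"], s["level"], s["description"])
```

Only the signature from Signer One survives the default policy: the self-signature is skipped, Signer Two certified at level 0 ("I will not answer"), and Signer Three's certification is local-only. Whitespace and case in the exchanged fingerprint are normalized before comparison, so a fingerprint read over the phone or copied from a business card compares cleanly against gpg's output.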

Because I am requesting that you share with me your government-issued identification, such as a passport or driver license, feel free to put small stickers covering personally identifiable information. Feel free to block out your address, social security number, birthday, passport number and/or license number. I only need enough information to identify the document, your face, and your name. Because we are meeting face-to-face over video conference, please leave the photo on the identification documents visible.

No more Tox
I have stopped using Tox, or any video messaging, for this level of security. Tox development, for all practical purposes, is dead. The forks never gained traction, then died. There has been fighting in and out of the project about Tox development. Developers and users alike have, for various reasons, abandoned the project. Simply put, I'm not interested in supporting a project that is abandonware. Sorry about that, but it's back to meeting in person if you want signatures of this level.

I have done casual checking.

Authentication by sending me a scan of your United States passport or driver license

  • Make a color scan of your personal United States passport or driver's license.
  • On the color scan, hand write your email address and your key ID.
  • Compose an email with the resulting document, and digitally sign it with your key.
  • Send the email to: aaron.toponce@gmail.com

Of course, sending me a copy of your passport or driver's license could have some identity fraud ramifications. I am certainly not interested in committing identity fraud, but for your own assurance, you can black out your address, social security number, birthday, passport number and/or driver's license number. Basically, I only need enough information to identify the document and your name. Because we aren't meeting face-to-face, the photo isn't necessary. I'll remain in contact with you if too much of the document has been removed, or the scan is unclear, or whatever. Please encrypt the mail and the scans so I am the only one who sees the information. I will securely shred, both physically and digitally, any unencrypted copies, should they be needed.

Authentication using Keybase as a trusted third party

Keybase is a social cryptography site for laypeople. It's built on the concept that people have established identities online, and if I am reasonably confident you are who you claim to be with those identities, and you securely sign a proof on those services, then I can be strongly assured you are who you claim to be on Keybase, provided I trust those social profiles.

In addition to establishing social identity proofs, Keybase provides end-to-end encrypted chat, encrypted file sharing, and other features, and it is fully open source.

I am atoponce on Keybase. Reach out to me via chat, and we'll go from there.

No more PayPal
I no longer support key signing via PayPal. It was just much more work than I anticipated, and if I didn't act promptly on that $1 donation, such as missing the notification email that $1 was donated, I got some cranky replies. So, no more PayPal. Sorry. Please use Keybase instead.

My key, pub 1024D/8086060F 2004-09-18 Aaron Toponce <aaron.toponce@gmail.com> is in the "Strong Set". Statistics on my key.


Inspired by Folkert VanHeusden.