OpenPGP keysigning policy and procedure

This text is in English to make it easier to distribute and consult.

What is the “Web of Trust” ?

The Web of Trust (or WOT) is a very simple principle. You decide whom you trust and, based on that, you validate their identity by signing their digital certificate. With X.509 technologies this is mostly known as notarization; with OpenPGP it is known as public key signing. Events where people gather to do this are called notarization parties or keysigning parties, respectively.

How do I get my OpenPGP public key(s) signed ?

OpenPGP keysigning means that the person signing your public key(s) vouches that they are valid and belong to you. To get me to sign your personal or business OpenPGP public key, please follow these steps:

  • Carefully review my keysigning policy (see below). If you do not accept it, please do not contact me.
  • Make sure you understand the principles of the OpenPGP web of trust, as described in the Web of Trust section of Introduction to Cryptography (Ch. 1, p. 33)
  • Contact me via this online form to check my availability. I live in Montreal, QC, Canada, but you may also ask whether I will be attending an event in another city/country.
  • Let me know how to get your public key, and please include the full fingerprint (0xXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX) in your message.

We will then arrange for a meeting in person during which I will verify your ID information, prior to signing your public key(s).

Please show up. If you don’t, please call me. If you don’t call me, I won’t like it 🙂

Keysigning policy

This policy has been in effect and strictly applied to all notarization and keysigning services I have performed in the past.

  • I am not available to notarize people individually more than once a month, unless we have a special arrangement or we meet at a public event.
  • I will only notarize people with documents from Canada and from Colombia. Here is my policy regarding the documents you’ll need:
    • Two (2) of these documents must be your medicare card (assurance maladie), your driver’s license, your birth certificate or your passport
    • At least 2 of the documents must have a photo, and the photos must look like you
    • A sheet where you list all of your key(s)’ UIDs, key type(s) and OpenPGP fingerprint(s).

      Here is an example showing how to get this information using gpg from the command line:

      $ gpg --fingerprint 0x20FA07A1456F954D
      pub   4096R/0x20FA07A1456F954D 2014-02-12 [expires: 2015-02-11]
            Key fingerprint = 33A5 1773 78A1 F015 68BD CEFD 20FA 07A1 456F 954D
      uid                 [ultimate] John Doe
      sub   4096R/0xFB9779399FA8D689 2014-02-12 [expires: 2015-02-11]
            Key fingerprint = CC85 02D4 FF6B 8559 93AD 607C FB97 7939 9FA8 D689

I will only assert your ID based on foreign documents if your key is signed by at least two (2) other people I have previously signed. Please do not insist on this.
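The checks above can be run before the meeting from the requester's key. The following Python script is an added example, not part of this page: it parses gpg `--with-colons --fingerprint --list-sigs` output (a constructed sample is embedded; key IDs and fingerprints are the page's John Doe example, the three signer key IDs are placeholders), builds the sheet of UIDs, key types and fingerprints, normalizes the fingerprint quoted in the request message, and counts how many certifications come from people I have already signed (the `previously_signed` list is an assumption).

```python
import re
# RFC 4880 public-key algorithm IDs as found in field 4 of gpg --with-colons records.
ALGO = {"1": "RSA", "17": "DSA", "18": "ECDH", "19": "ECDSA", "22": "EdDSA"}

# Constructed sample of `gpg --with-colons --fingerprint --list-sigs 0x20FA07A1456F954D`.
# Key IDs and fingerprints are the page's own example; the three signer key IDs are placeholders.
SAMPLE = """\
pub:u:4096:1:20FA07A1456F954D:1392163200:1423699200::u:::scESC::::::23::0:
fpr:::::::::33A5177378A1F01568BDCEFD20FA07A1456F954D:
uid:u::::1392163200::0123456789ABCDEF0123456789ABCDEF01234567::John Doe <john@example.org>::::::::::0:
sig:::1:20FA07A1456F954D:1392163200::::John Doe <john@example.org>:13x:::::8:
sig:::1:1111111111111111:1392250000::::Alice Placeholder <alice@example.org>:13x:::::2:
sig:::1:2222222222222222:1392260000::::Bob Placeholder <bob@example.org>:12x:::::2:
sig:::1:3333333333333333:1392270000::::Carol Placeholder <carol@example.org>:13x:::::2:
sub:u:4096:1:FB9779399FA8D689:1392163200:1423699200:::::e::::::23:
fpr:::::::::CC8502D4FF6B855993AD607CFB9779399FA8D689:
"""

def parse_colons(text):
    """Return (keys, uids, signers): keys as (kind, algo, bits, keyid, fpr); signers = IDs that certified a UID."""
    keys, uids, signers, pending, own, in_uid = [], [], set(), None, None, False
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):        # key record; its fingerprint follows on an fpr record
            pending, in_uid = [f[0], ALGO.get(f[3], "algo" + f[3]), f[2], f[4]], False
            own = own or f[4]             # the primary key's ID, used to skip self-signatures
        elif f[0] == "fpr" and pending:
            keys.append(tuple(pending + [f[9]]))
            pending = None
        elif f[0] == "uid":
            uids.append(f[9]); in_uid = True
        elif f[0] == "sig" and in_uid and f[4] != own:   # third-party certification of a UID
            signers.add(f[4])
    return keys, uids, signers

def norm_fpr(s):
    """Canonical 40-hex form of a fingerprint given as '0x33A5 1773 ...' or bare hex."""
    s = re.sub(r"^\s*0x", "", s.strip(), flags=re.I)
    return re.sub(r"[^0-9A-Fa-f]", "", s).upper()

def sheet(keys, uids):
    """The lines a visitor brings on paper: every UID, key type and fingerprint."""
    return [f"uid  {u}" for u in uids] + [
        f"{k} {a}/{b} 0x{kid}  fpr {' '.join(re.findall('....', fpr))}"
        for k, a, b, kid, fpr in keys]

def foreign_docs_ok(signers, previously_signed):
    """Policy check: at least two people I have already signed must have certified this key."""
    vouching = signers & set(previously_signed)
    return len(vouching) >= 2, sorted(vouching)
```

Compare `norm_fpr()` of the fingerprint from the request with the `pub` fingerprint returned by `parse_colons()` before the meeting, and read the printed sheet against the paper copy at the table.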

Pricing

  • I won’t charge you if you are also signing all of my public keys (currently 2)
  • I don’t charge anything to co-workers, close colleagues or other free software project contributors
  • I won’t charge you if you have a valid student or teacher ID along with a current schedule/invoice

If you don’t meet any of the conditions above, I will charge $10 if you are alone, or $5/person for a group of 2+.

More about the OpenPGP Web of Trust

To learn more about the OpenPGP Web of Trust, I suggest the following links:

  • GPG Keysigning party guide – a guide to organizing an OpenPGP key exchange event
  • Biglumber.com – a site where you can make yourself available, or find an individual or an event where other OpenPGP key holders will be able to sign your key and certify your identity.
  • Keyanalyze reports (now outdated) – verify the level of trust according to MSD, the mean shortest distance to other OpenPGP keys
  • OpenPGP key pathfinder – find the trust path of signatures between your key and somebody else’s