
OpenPGP Signing policy

All signings will be made from the key 0x34390D13. It is available on public keyservers; you should check sks-keyservers.net (their key server is hkps://hkps.pool.sks-keyservers.net).
My key's fingerprint is:

5634 1BF4 0E54 8075 5498  5CB8 1C6C 38E3 3439 0D13

You might find other keys with my name or email. These keys are either corrupted, revoked or lost. It would be wise never to use them.

I don't use expiring signatures. I guess they do not make sense.

Finally, having thought about it, I decided not to sign photos included in keys. We all change (fortunately) and photos will probably no longer be accurate in the coming weeks/months/years. (Just have a look at your driving licence if you're French; you have probably changed a lot since it was issued :D).

Prerequisites for signing:

  • A printed/written copy of the fingerprint of your key. Please use the output of the command
    gpg --fingerprint <KeyID>
  • At the very least, one government-issued ID document with a photo must be presented (French identity card, passport). If you present only one, the French driving licence will not be sufficient (it can only be used as a second document).
  • Meeting in person (seems obvious, but better said than not)
  • A well-configured OpenPGP key:
    • Confirm your key is configured with your real name
    • Confirm you have access to the email address you declare in it.
  • If your key includes several uids, that's not a problem. Just ensure each uid carries the same name (needless to say: your name :)).

Signature levels

There are 4 levels of certification:

  • 0x10: Generic Certification, unused. According to the prerequisites, we will have to meet. If we meet, it's not generic: we checked our ID documents.
  • 0x11: Persona Certification, unused. This one is usually ignored by software, thus making it useless.
  • 0x12: Casual Certification, used. If everything is fine, I will sign your key with this level.
  • 0x13: Positive Certification, unused. I don't use this level as I'm not a customs officer and cannot ultimately confirm that the ID documents were not faked or that you don't have a twin (or whatever :)).

Signing process

  1. Meeting
    • This meeting will be in a public place, possibly in a pub. No meeting will happen in a private place. Just so that is said.
    • Mutual check of the ID documents. No copy of the documents will be taken, nor any photo. Signing a key does not mean giving up our respective privacy 😀
    • Exchange of the fingerprint copies. I cannot remember your key fingerprint, and I suppose you cannot remember mine either 🙂
  2. For each ID in your key (uid in GPG terminology), I will send you back an email with an encrypted attachment
    • Depending on their number, it might take a little time. Please consider this before getting back to me after 2 hours. I promise, I will send you the keys!! 😀
    • Each key will be sent to the referenced email address. If you cannot access it, you will not be able to retrieve your signed key :/
    • This page will be referenced during the signing process as the “Signing Policy URL”.
  3. When you retrieve your files, just decrypt them and import them into your keyring.
  4. Finally, upload your updated key to your favourite keyserver. Please note, I will NOT do it for you. This is the only way to confirm you really own the email addresses you claim.
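Before relying on the signing key, the counterpart of this process is to compare the full fingerprint of the key retrieved from the keyserver with the one published above, and to check that the uids meet the prerequisites (one name on every uid, one encrypted mail per uid). The following is an added example and not part of this policy: POSIX sh with awk, run on a constructed `gpg --with-colons --fingerprint` sample in which only the fingerprint comes from this page; the timestamps, uid hashes and uids are made up.

```shell
#!/bin/sh
# Added example: check a key retrieved from a keyserver against the fingerprint
# published on this page, using `gpg --with-colons --fingerprint` output.
# Constructed sample: only the fingerprint is the page's; the long key ID is its
# last 16 hex digits, while timestamps, uid hashes and uids are made up.
SAMPLE_COLONS='pub:u:4096:1:1C6C38E334390D13:1400000000:::u:::scESC::::::23::0:
fpr:::::::::56341BF40E54807554985CB81C6C38E334390D13:
uid:u::::1400000000::0123456789ABCDEF0123456789ABCDEF01234567::Example Signer <signer@example.org>::::::::::0:
uid:u::::1400000000::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Example Signer <signer@example.net>::::::::::0:'
# Published fingerprint, exactly as written on the page (spaces included).
PUBLISHED_FPR='5634 1BF4 0E54 8075 5498  5CB8 1C6C 38E3 3439 0D13'

# Strip whitespace and upper-case, so a hand-copied fingerprint compares cleanly.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# The first "fpr" record is the primary key's fingerprint (field 10).
primary_fpr() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Require a full 40-hex-digit match; the short 0x34390D13 key ID alone is not unique.
fingerprint_matches() {
    expected=$(normalize_fpr "$1")
    actual=$(normalize_fpr "$(primary_fpr "$2")")
    [ "${#expected}" -eq 40 ] && [ "$expected" = "$actual" ]
}

# Number of uids: one encrypted signature email goes to each of them.
uid_count() {
    printf '%s\n' "$1" | awk -F: '$1 == "uid" { n++ } END { print n + 0 }'
}

# The policy wants the same name on every uid: count distinct names, i.e. the
# uid strings with their "<email>" part removed.
uid_names_consistent() {
    n=$(printf '%s\n' "$1" | awk -F: '$1 == "uid" { name = $10; sub(/ *<.*$/, "", name); seen[name] = 1 }
        END { c = 0; for (k in seen) c++; print c }')
    [ "$n" -eq 1 ]
}

# Stand-alone run on the constructed sample; after `gpg --recv-keys`, the real
# `gpg --with-colons --fingerprint 0x34390D13` output would be passed instead.
if fingerprint_matches "$PUBLISHED_FPR" "$SAMPLE_COLONS"; then
    echo "fingerprint OK, $(uid_count "$SAMPLE_COLONS") uid(s) to sign"
else
    echo "fingerprint MISMATCH: do not use this key" >&2
fi
```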
