OpenPGP Key Signing Policy


Too Long; Didn't Read

Do you want me to sign your key? Here's how to do it:

  1. You better want to sign my key as well!

  2. Meet me somewhere reasonable for tea or a meal and pleasant conversation.

  3. Give me a hard copy of your key's fingerprint and any photo IDs on it.

  4. Let me check two of your identity documents. One of them must have your picture.

  5. Afterwards, when I'm somewhere I think it's safe to certify, I'll sign your key and send it back to you.

Easy enough? If you want more details, you can read all the stuff below.


Preamble

This policy is valid from 2019-02-01 for all signatures made by the GnuPG key:

pub   ed25519/0x1206BA5EDDF2FDF9 2018-04-04 [C] [expires: 2021-05-04]
      Key fingerprint = F4D7 9338 6981 E0AC A9C4  2787 1206 BA5E DDF2 FDF9
uid                   [ultimate] Don San Juan Geronimo <don.geronimo@outlook.com>
uid                   [ultimate] Don San Juan Geronimo <dgeronimo@gmail.com>
uid                   [ultimate] [jpeg image of size 2890]
uid                   [ultimate] Don San Juan Geronimo <don.geronimo@protonmail.com>
sub   ed25519/0xDC0A387056744A2B 2018-04-04 [S] [expires: 2021-05-04]
      Key fingerprint = EE1F 7325 DFBD BCC0 DFD3  6A18 DC0A 3870 5674 4A2B
sub   ed25519/0xA79673B8333FC968 2018-04-04 [A] [expires: 2021-05-04]
      Key fingerprint = E7F4 E62F E8D3 8F09 4134  8820 A796 73B8 333F C968
sub   cv25519/0xAE4F8CA08CA05195 2018-04-18 [E] [expires: 2021-05-04]
      Key fingerprint = CA2C 93F4 3CBD 42FD 0518  4839 AE4F 8CA0 8CA0 5195
sub   ed25519/0xD792A6A6A54411F8 2018-04-19 [S] [expires: 2021-05-04]
      Key fingerprint = 275C D5D3 06C1 D005 4AFB  4DF3 D792 A6A6 A544 11F8
sub   ed25519/0x96AF810A89F1EF11 2018-04-19 [S] [expires: 2021-05-04]
      Key fingerprint = 91D2 533F 56A9 2525 1A72  EA87 96AF 810A 89F1 EF11
sub   ed25519/0x6CD7758FEC107730 2018-04-19 [A] [expires: 2021-05-04]
      Key fingerprint = AB7D 7A52 0495 F262 5CAF  C2E3 6CD7 758F EC10 7730
sub   ed25519/0x5FC7268E77416053 2018-04-19 [S] [expires: 2021-05-04]
      Key fingerprint = 04DC C5DE 26FE 596F 505D  7A5B 5FC7 268E 7741 6053

The most recent version of this key is available from the URL above, from the key server at hkps.pool.sks-keyservers.net, or from keybase.io/sentamalin.

This policy may be replaced at any time with a new version. If a new version incorporates changes that might affect the strength or perceived strength of the resulting signature, the old version will be linked from the new one.

This OpenPGP Key Signing Policy is signed with the above key and by Keybase. You may download this policy and its PGP signature for reference and verification.

Version Information and Changelog

This is Version 4.3, written and signed 2019-02-01. Change in this version: removed the 'themindfulworkflow.com' e-mail address.

Previous Versions:

Transition To New Key

I have finished my transition from the OpenPGP key with ID 0xF38DF8734C9BDE48 to the key with ID 0x1206BA5EDDF2FDF9. The previous key has been revoked. Please refer to my transition statement for more information.

About keybase.io

From Wikipedia: "Keybase is a key directory that maps social media identities to encryption keys (including, but not limited to PGP keys) in a publicly auditable manner. Keybase offers an end-to-end encrypted chat and cloud storage system, called Keybase Chat and the Keybase filesystem respectively. Files placed in the public portion of the filesystem are served from a public endpoint, as well as locally from a filesystem mounted by the Keybase client."

As of 2018-04-13, I have transitioned my OpenPGP Key Signing Policy from OneDrive and themindfulworkflow.com to my Keybase public files. Its identity-proof feature allows me to prove a cryptographic link between my PGP keys, my social media accounts, my website, and my authorized Keybase devices. The system checks the proofs automatically, or you may check the relevant proofs manually. In short, any activity on Keybase can be proved to have been done by the account 'sentamalin' on Keybase or by any of the proven identity assertions (Twitter, Reddit, GitHub, Hacker News, Facebook, my website, and any future assertions) provided by the service. Because my PGP keys are also proven on Keybase, signing my keys will not only help build my PGP Web of Trust to prove that this key is owned by me, but will also help assert that I (Don San Juan Geronimo) am 'sentamalin.'

All files dropped into the public portion of Keybase are signed by one of my authorized device keys. As such, my Signing Policy has been signed by one of my Keybase authorized devices in addition to my PGP keys.

I invite you to create a Keybase account of your own as another complement to your privacy tools. If you create, or already have, an account, please verify my proofs and 'follow' me on Keybase. Following is like taking a signed snapshot of my identity using your private key on Keybase, thus certifying that I am me. Following is not a web of trust; my identity can be proved even if there are no followers. However, more followers means more confidence in my identity.

Location

I currently reside in the western suburbs of Chicago, Illinois, United States. However, as a flight attendant, my profession takes me to various places around the continental United States. As such, the easiest way to meet with me to coordinate key verification would be to contact me via e-mail or Keybase to arrange a meeting.

Levels of Signatures

I utilize two certification levels:

I do not utilize Level 1 (0x11) or Level 2 (0x12) certification levels.

Keys of Certification Authorities (CAs)

Keys of CAs are keys owned by a whole organization and not by an individual. Usually the fingerprints of those keys have to be verified by getting them from the corresponding website of the CA and cannot be checked by the Identity Verification procedures described below. If a viable procedure for verifying the 'identity' of a CA's keys is made known to me, I will add procedures for keys of CAs to the Identity Verification section. Until then, I will not sign keys owned by CAs.

Prerequisites for Signing

Identity Verification

The signee must prove their identity to me by way of a national ID card, a driver's license, or a similar identity document. The identity document must feature a photograph of the signee. This also implies that the signee's key must feature their real name.

In addition, the signee must provide a secondary form of identification that includes their name, with or without a picture. Acceptable examples include, but are not limited to, a business card, a conference badge, a credit card, or an additional identity document as defined in the previous paragraph.

Hardcopy of Fingerprint

The signee should have prepared a printout of the output of gpg --fingerprint for their key (or the equivalent command of their OpenPGP client). I will keep this copy for reference.

A hand-written sheet featuring the key ID, the fingerprint, and all user IDs for which the signee wishes to obtain a signature will also be accepted.

If the signee wishes to obtain a signature for a photographic user ID, the printout should contain the image of that photographic user ID. A printout or photocopy of a photo clearly showing the same person as in the photographic user ID will also be accepted.

Miscellaneous

The Act of Signing

Fingerprint Verification

At a secure location I will verify the key's fingerprint using the hardcopy of the fingerprint that has been given to me.

Email Verification

After successful fingerprint verification, I will sign all user IDs which I was asked to sign. Each signature is then individually sent to the email address listed in the corresponding user ID, enciphered to the signee's key.

As only the signee can decipher, and thus publish, the signatures, it is assured that the email address listed in each user ID with a published signature belongs to the signee.

Thank You For Visiting!

-Don Geronimo, 2019-02-01 012201Z

You Are At: /keybase/public/sentamalin/signingPolicy