OpenPGP Key Signing Policy

Preamble

This policy is valid from 2017-5-7 for all signatures made by the GnuPG key:

pub 4096R/0xF38DF8734C9BDE48 2015-02-08 [expires: 2018-05-23]
    Key fingerprint = 76A9 6C10 7ACB E8BB C452  D75A F38D F873 4C9B DE48
uid Don San Juan Geronimo <don.geronimo@outlook.com>
uid Don San Juan Geronimo <dgeronimo@gmail.com>
uid [jpeg image of size 2973]
uid Don San Juan Geronimo <don.geronimo@themindfulworkflow.com>
sub 4096R/0x053C72FC2C2C6DE3 2015-02-08
    Key fingerprint = 9864 75A7 DEBA 7ECD 712E  D3E1 053C 72FC 2C2C 6DE3
sub 4096R/0xA44F62EC573729DF 2015-02-08
    Key fingerprint = 411D EC83 4413 58E7 1EC6  F200 A44F 62EC 5737 29DF
sub 4096R/0x2B9A12B2E9402625 2015-02-08
    Key fingerprint = FEDD 64CF 6C3C AF5F 45F8  187D 2B9A 12B2 E940 2625

The most recent version of this key is available from the key server at hkps.pool.sks-keyservers.net.

It may be replaced at any time with a new version. If a new version incorporates changes that might affect the strength or perceived strength of the resulting signature, the old version will be linked from the new one.

This OpenPGP Key Signing Policy is signed with the above key. You may download this policy and its signature for reference and verification.

Version Information and Changelog

This is Version 1.2, written 2017-5-7. Key fingerprint was updated after revocation of the ‘creativityzoo.com’ user ID and addition of the ‘themindfulworkflow.com’ user ID. Location information was updated. Minor word changes.

Previous Versions:

Location

I currently reside in the western suburbs of Chicago, Illinois, United States. However, as a flight attendant, my profession takes me to various places around the continental United States. As such, the easiest way to meet with me to coordinate key verification would be to contact me via e-mail to arrange a meeting.

Levels of Signatures

Depending on the nature of the key to be signed, I will use one of the following levels of signature:

  • Level 0: I will issue this level of signature to keys of Certification Authorities (CA), since in most cases the key owner who wishes to obtain a signature on their key from me (hereafter called the “signee”) is a whole organization and not a single person. Usually the fingerprints of those keys can only be verified by obtaining them from the CA’s website and cannot be checked in person with a responsible member of the CA. These signatures are the weakest in my web of trust.
  • Level 1: I will issue this level of signature if I have had contact with the signee through signed or enciphered e-mail over a period long enough to rule out at least a temporary man-in-the-middle attack, and I have verified the key against a copy downloaded from his/her personal web page, or against signed e-mails or fingerprints on public mailing lists, but I have not met the person or verified the key in any other way.
  • Level 2: I will issue this level of signature if I have met the signee in person and verified their identity according to the procedure below.
  • Level 3: I will issue this level of signature if I have met the signee in person and verified their identity according to the procedure below, and if I possess a personal or professional relationship with the keyholder. Photographic UIDs will be signed at this level if I can still remember the signee’s face during the act of signing.

Prerequisites for Signing

Identity Verification

The signee must prove their identity to me by way of a national ID card, a driver’s license, or a similar identity document. The identity document must carry a photograph of the signee. This also implies that the signee’s key must feature their real name.

Hardcopy of Fingerprint

The signee should have prepared a printout of the output of gpg --fingerprint for their key (or the equivalent command of their OpenPGP client).

A hand-written sheet featuring the key ID, the fingerprint and all user IDs for which the signee wishes to obtain a signature will also be accepted.

If the signee wishes to obtain a signature on a photographic user ID, the printout should contain the image of that photographic user ID. A printout or photocopy of a photo clearly showing the same person as in the photographic user ID will also be accepted.

Miscellaneous

  • The above must take place under reasonable circumstances, i.e. at a calm place, both parties not being in a hurry, etc.
  • The signee should make their public key available on a publicly accessible pgp.net keyserver, such as hkps.pool.sks-keyservers.net.
  • The signee should be willing to cross-sign with me.

The Act of Signing

Fingerprint Verification

At a secure location I will verify the key’s fingerprint using the hardcopy of the fingerprint that has been given to me.
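One way to carry out this comparison mechanically, as an added example that is not part of this policy: it normalizes a printed or hand-written hardcopy (of the kind described under “Hardcopy of Fingerprint”), compares it against the primary-key fingerprint of the copy fetched from the keyserver, and additionally checks that the long key ID on the sheet really is the low 64 bits of that fingerprint. The gpg listing embedded below is a constructed sample taken from this page’s own key block; function names are the author’s own choice.

```python
import re

# Constructed sample: the primary key and first subkey from this page's gpg --fingerprint listing.
GPG_LISTING = """\
pub 4096R/0xF38DF8734C9BDE48 2015-02-08 [expires: 2018-05-23]
    Key fingerprint = 76A9 6C10 7ACB E8BB C452  D75A F38D F873 4C9B DE48
uid Don San Juan Geronimo <don.geronimo@outlook.com>
sub 4096R/0x053C72FC2C2C6DE3 2015-02-08
    Key fingerprint = 9864 75A7 DEBA 7ECD 712E  D3E1 053C 72FC 2C2C 6DE3
"""

def normalize_fingerprint(text):
    """Drop spaces, an optional 0x prefix and case, so a hand-written sheet compares to gpg output."""
    cleaned = re.sub(r"\s+", "", text).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("not a 40-hex-digit v4 fingerprint: %r" % text)
    return cleaned

def keyid_matches_fingerprint(keyid, fingerprint):
    """A v4 long key ID is the last 16 hex digits of the fingerprint; 8-digit short IDs are rejected as collidable."""
    kid = re.sub(r"\s+", "", keyid).upper()
    if kid.startswith("0X"):
        kid = kid[2:]
    return len(kid) == 16 and normalize_fingerprint(fingerprint).endswith(kid)

def primary_key(listing):
    """Return (key ID, fingerprint) of the 'pub' key only; subkey fingerprints below it are not what the hardcopy shows."""
    m = re.search(r"^pub\s+\S+/(\S+).*\n\s*Key fingerprint = (.+)$", listing, re.M)
    if not m:
        raise ValueError("no primary key in listing")
    return m.group(1), normalize_fingerprint(m.group(2))

def verify_hardcopy(hardcopy_keyid, hardcopy_fpr, listing):
    """Compare the signee's hardcopy with the keyserver copy; an empty list of problems means it checks out."""
    problems = []
    try:
        hc_fpr = normalize_fingerprint(hardcopy_fpr)
    except ValueError as err:
        return [str(err)]
    ks_keyid, ks_fpr = primary_key(listing)
    if hc_fpr != ks_fpr:
        problems.append("hardcopy fingerprint does not match the keyserver copy")
    if not keyid_matches_fingerprint(hardcopy_keyid, hardcopy_fpr):
        problems.append("hardcopy key ID is not the low 64 bits of its fingerprint")
    if not keyid_matches_fingerprint(ks_keyid, ks_fpr):
        problems.append("keyserver key ID is inconsistent with its fingerprint")
    return problems
```

In practice the listing would come from running gpg --fingerprint on the key just refreshed from the keyserver, and any non-empty result means the signature is not issued.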

Email Verification

After successful fingerprint verification, I will sign all user IDs which I was asked to sign. Each signature is then individually sent to the email address listed in the corresponding user ID, enciphered to the signee’s key.

As only the signee can decipher and thus publish the signatures, it is ensured that the email address listed in each user ID with a published signature belongs to the signee.