I use PGP and encourage you to as well. This page lists my PGP keys and their fingerprints. However, this page should not be considered an authoritative source; this page is for reference only. Please use a fingerprint obtained in person for signing purposes.
Active PGP Keys
My PGP key is listed below and is also published on the SKS keyservers.
Key ID: 4D8BD439
Key Signing Policy
I believe key signing to be a critical part of building the Web of Trust and in furthering the necessary adoption of encryption. As such, I am willing to sign keys whose fingerprints I have received in person, accompanied by relevant identifying documents.
If you want me to sign your key here is procedure I wish to follow:
- We meet in person at a pre-arranged time and place.
- You bring the following:
- A printed copy of your key fingeprint (the output of
gpg --fingerprint). A hand-written copy is acceptable.
- A government-issued photographic ID. Preferably two forms of ID, only one of which should be government-issued.
- The UIDs you want me to sign. It’s preferable if at least your primary UID matches your legal name as printed on your photographic ID. I will only sign UIDs you ask me to sign.
- If you are also willing to sign my key, I will bring the appropirate documents to comply with this policy.
- I will verify your IDs and mark the printed fingerprint in your presence to indicate it came from you.
- Upon returning home I will retrieve your key from a public keyserver and verify it matches the fingerprint given to me by you. (Please have your key available on the SKS keyservers if possible.)
- I will sign each UID request and encrypt it to your key, sending only the signature on each UID to the corresponding email address.
Note that I do reserve the right to not sign your key if I am still unsure about your identity. This should be rare, but I will tell you whether you should be able to expect a signed key after we meet.
My personal policy for the various trust levels follows:
- sig0 - I do not sign keys at this level.
- sig1 - I will sign company or organization keys at this level. I do not sign personal keys at sig1.
- sig2 - I will sign UIDs that are not associated to an email address (e.g., photo UIDs) as sig2.
- sig3 - A signature pursuant to the procedure outlined above (assuming at least two forms of identification are provided) will be a level 3 signature. I will not sign keys of anyone I have not met in person at this level.
I am willing to sign keys at conferences. If you are interested in getting your key signed by me at a conference where there is no formal (official or otherwise) keysigning event, please contact me via Twitter @jcarouth or email. Twitter is preferable as I will likely be paying more attention to that medium than email. I prefer if you contact me prior to a break (lunch, in-between sessions, the after party, etc.) and arrange for us to meet somewhere where we can get through the verification peacefully.
I will make an effort to sign keys while at the conference, but at a minimum I will sign any keys I’ve agreed to sign within two weeks of returning home from the conference.