While things are a bit out of order on this site, I wanted to write a page on key signing even if I haven't yet written the pages on how to get yourself a key to sign. So apologies to all of those who have no clue what I am on about, but I thought I should get this page going for those that I direct to my site when they ask me to sign one.
I warn you in advance that I am very particular about signing keys and will not do it unless you have done everything that I ask of you. My reason for this isn't to be pedantic: in the case of the Thawte system, I could be liable if I do not and you lie to me, and, in the case of a PGP/GPG key, the more thorough I am, the more sure you can be that those whose keys I sign are who they say they are.
To give a little background on the subject, the architectures of the two systems are fundamentally different. If I sign a Thawte key I am doing it as an agent for the Thawte company and it is they who guarantee your identity. When I sign a PGP/GPG key I am saying that I have done careful checking and you are who you say you are. Those affected by my signing a PGP/GPG key are those people who have me on their computer 'keyrings' and who have chosen to trust me to verify people's identities. If I sign a Thawte key I am guaranteeing it to people around the world that I have never met.
Despite the differences in my liability I am just as hard on those wanting a PGP/GPG key signed as I am on those who want a Thawte key signed. I reiterate that the more strict I am, the more that you can trust my judgement. I apologise for the geekiness of this page!!!
As an important note, I move between Dunedin and Auckland so people in either are welcome to contact me to be signed. I would love to help bring another Dunedinite up to 100 points as at the moment the only other one here charges. It is in Auckland that I know a lot of others who can make your trip far more worthwhile. Contact me to figure out a time that I am in your city!
As a final note and warning: if I have any doubts whatsoever that the IDs are you or that there is something wrong with those IDs, I will not sign anything of yours, so please do not be disappointed.
What You Will Need
In accordance with the policy agreed between other key notaries and myself, the following rules apply. If you want me to sign either a GPG or a Thawte key, you will have to leave me with no doubt as to your identity, but for a Thawte signing we will not award more than the following points:
- 20 points for each state-issued photo ID:
  - Driver's Licence
  - Passport
  - HANZ Over 18 card (state-issued photo ID)
- 5 points for each state-issued non-photo ID
Points are awarded up to the maximum that we are able to give (in my case 35). In practice, this means that, if possible, you should bring your passport and your driver's licence.
For GPG keys, in the absence of two of the above, I would be unlikely to sign your key. It is, however, possible, so please contact me to discuss your options.
Please note that this is for the protection of the system and to ensure the integrity of the web of trust as a whole. Thawte notaries can be liable for up to US$10,000 for a negligent assertion and so it is quite serious.
I can give out up to 35 Trust Points that allow Thawte 'Web of Trust' members to put their names on a free, guaranteed certificate for use in nearly any email program from Outlook to Thunderbird or KMail. 35 is the maximum number of points that anyone can give. Not only do I not charge for the service, but I know others who are the same (Chris K. Young, for example, who was the first to do it for free). With any luck a meeting could be organised to get you fully notarised in one meeting.
I will soon put up a page on how the different webs of trust work, but, in brief, not only do you benefit from getting trust points (if you get 50 points you can put your name on your certificate, so that they guarantee your name as well as your email address, and at 100 points you can notarise others) but the number of trust points that a notary can give out increases as they do more signings. The problem is that it is a real effort for people to go and get signed by someone who can only give out 10 points, so that person can never give out more. The result is that people like myself who can give out 35 are the only ones visited and the system doesn't get more efficient.
My aim is to organise things a little better and attempt to make people a notary in one meeting by having enough people present. In addition, I intend to encourage those people who can give out less to join me so that they can give out more next time and it is easier for people to find notaries close to them. I would also like people to get over 100 in their first meeting as, aside from altruism, there is little incentive for those who make it to 50 points (enough to get their certificate named) to get the extra 50 and notarise others. Please email me for details at webmaster@whitehouse.org.nz.
As I said above, when I sign a Thawte key I am doing it as an agent for Thawte so I must abide by their rules. One thing that they are exceptionally strict about is the state-issued photo ID so, even if you have one hundred other forms of ID but not the required ones, I will not be able to notarise you. Details on their requirements are available on their site, but they should be in line with what you read here.
It would also be useful for you to fill in this form which was taken from their site. A more recent version may be available from them but if you fill in any of them and bring it along it will mean that you have most of the information at your fingertips that will be necessary.
In addition to the list above, you will also need to bring me a photocopy of the forms of ID that you are getting me to check. I am required to get this off you and keep it for a set amount of time so you must make sure that you do so. Obviously the photocopy must match those forms of ID that you bring to me.
In a PGP/GPG Web of Trust, the individual user is the most important. You are able to tweak all of your settings regarding who you will trust and it is the keys that you sign which determine who you will trust. It is almost a 'friend of a friend' set up where at the first instance you personally check people's IDs and sign their key so that your computer trusts them, but you also allocate some of that responsibility to others that you sign. This means that if, for example, you and I were to check each other's IDs and you believed me to be careful at identity checking you may tell your computer to trust anyone that I signed the key of. Alternatively you may tell your computer to trust those who I sign as long as somebody else that you trust backs up my opinion. Using GPG it is entirely up to you.
When signing your key I will need, in addition to the above ID, a copy of the 'Fingerprint' of your key. This is important because without it I would know that you were you but would not know that the key belonged to you. I do not need a photocopy of your ID for this.
If you wish to sign my key I will bring along my ID and fingerprints. Having me sign yours will allow others to trust you, but will not increase the number of people that you can trust. I do my best to maintain a key from the encryption.net.nz domain that has as many encrypters (especially NZ encrypters) on it as possible to do my part for the Web of Trust. It is up to you completely whether you wish to sign my keys (I have a personal key and the one for signing others I just mentioned).
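To make the trust settings described above concrete (full trust in a signer versus needing somebody else to back them up, and the point that a signature on your own key does not widen what you trust), here is an added example that is not part of this page: a small Python model of GnuPG's classic trust computation using its default thresholds. The key names, signatures and owner-trust values are constructed for illustration.

```python
# Added example (not the page's own material): a small model of GnuPG's
# classic trust computation, using its default thresholds, to show how the
# owner-trust you assign to a signer decides which keys become valid for you.
COMPLETES_NEEDED = 1   # one fully trusted signature validates a key
MARGINALS_NEEDED = 3   # or three marginally trusted signatures
MAX_CERT_DEPTH = 5     # certification chains are not followed further

# Constructed sample keyring: key -> set of keys that have signed it.
SIGNATURES = {
    "notary": {"you"},                     # you checked the notary's ID and fingerprint
    "alice":  {"notary"},                  # only the notary vouches for alice
    "bob":    {"notary", "carol", "dave"}, # three separate people vouch for bob
    "carol":  {"you"},
    "dave":   {"you"},
    "you":    {"notary"},                  # the notary signed your key
}

def compute_validity(signatures, ownertrust):
    """Return the set of keys the keyring owner treats as valid.
    ownertrust maps key -> 'ultimate' | 'full' | 'marginal'; keys missing
    from it carry no owner trust. Only signatures made by keys that are
    themselves already valid count, which is what makes this a web rather
    than a flat list of signers."""
    valid = {k for k, t in ownertrust.items() if t == "ultimate"}
    for _ in range(MAX_CERT_DEPTH):          # one round per chain depth
        newly = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            trusted = [s for s in signers if s in valid]
            full = [s for s in trusted if ownertrust.get(s) in ("full", "ultimate")]
            marginal = [s for s in trusted if ownertrust.get(s) == "marginal"]
            if len(full) >= COMPLETES_NEEDED or len(marginal) >= MARGINALS_NEEDED:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid

def your_view(trust_in_notary):
    """Validity as seen from your keyring, given the owner trust you set on the notary."""
    ownertrust = {"you": "ultimate", "notary": trust_in_notary,
                  "carol": "marginal", "dave": "marginal"}
    return compute_validity(SIGNATURES, ownertrust)

if __name__ == "__main__":
    for level in ("full", "marginal", "unknown"):
        print(f"notary trusted {level:8}: valid keys = {sorted(your_view(level))}")
```

With full trust in the notary, alice and bob both become valid; with marginal trust, only bob does, because carol and dave back the notary up; the notary's signature on "you" never changes your own view.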
If there is sufficient demand there are people who are keen to have a mass meeting for everyone to sign everyone else's. If you have both a Thawte key and a PGP/GPG key then let me know beforehand and I can sign both for you.