Benjamin Esham

PGP Key Signing Policy

I have two active PGP keys: a work key for Ellucian business and a personal key for everything else. This signing policy applies to both keys, although the only keys I will sign with my work key will be those of professional contacts. I also have an older personal key (revoked in favor of the newer one) and a Bristol Instruments key (revoked when I stopped working there).

Here’s a summary of my personal key:

4096-bit RSA public key
Creation date: 2014-09-19
Short fingerprint: 79974D79
Fingerprint: E663 1535 1E9B 2ACF 357F  5C34 F533 D909 7997 4D79

uid                  Benjamin D. Esham <benjamin@esham.io>
sub   4096R/ED4B0EC6 2014-09-19

My Ellucian key:

4096-bit RSA public key
Creation date: 2016-03-25
Short fingerprint: C04792B7
Fingerprint: D804 521D FA80 20E0 2146  92AE E619 4C96 C047 92B7

uid                  Benjamin D. Esham (Ellucian)
                     <benjamin.esham@ellucian.com>
sub   4096R/413048BF 2016-03-25

My old personal key:

1024-bit DSA public key
Creation date: 2000-09-19
Revocation date: 2015-02-12
Short fingerprint: D676BB9A
Fingerprint: C385 21B9 B701 6D1B 67C6  2705 CCE0 B74D D676 BB9A

uid                  Benjamin D. Esham <benjamin@bdesham.info>
uid                  Benjamin D. Esham <bdesham@gmail.com>
uid                  Benjamin D. Esham <esham2@illinois.edu>
uid                  [jpeg image of size 9723]
sub   4096R/A6893A49 2010-08-01 [expires: 2015-08-01]

My Bristol Instruments key:

2048-bit RSA public key
Creation date: 2013-08-09
Revocation date: 2016-03-18
Short fingerprint: AF06F2DD
Fingerprint: 0F31 B387 E434 790B 3A7F  4B6E 4884 391E AF06 F2DD

uid                  Benjamin Esham (Bristol Instruments, Inc.)
                     <benjamin.esham@ellucian.com>
sub   2048R/B5E5F3BF 2013-08-09

The MIT PGP Public Key Server should have the latest versions of my personal and work keys.

If you wish to contact me, please use the esham.io email address given in my personal key.

Signature levels

Level 0 (generic certification)
I will issue this type of signature for keys that represent a group or an organization. My signature on such a key indicates only that I am “pretty sure” that there is a correspondence between the key and the group.
Level 1 (persona certification)
I do not use this type of signature.
Level 2 (casual certification)
I will issue this type of signature for pseudonymous keys. In this case I have determined only that the same person controls the key and the email addresses listed in the signed UIDs. No claim is made regarding the connection between the key and any real-life identity.
Level 3 (positive certification)
I will issue this signature if I have personally met the keyholder and verified their identity according to the procedure below.

Signing procedure

I will meet with another user in reasonable conditions and verify his or her identity against a government-issued photo ID. I will accept a passport from any country or a driver license from a U.S. state. The user must present me with a written record of the key fingerprint and list of the UIDs to be signed.

I will send the signed key to the keyholder only; the keyholder can distribute my signatures as he or she sees fit. My signature for each UID will be delivered to that UID only, so my signature on, e.g., an email address confirms that the key owner has access to that email address. I will sign UIDs containing photos, XMPP addresses, etc. at my discretion. If the UIDs I sign contain contact information, each signature will be sent to the corresponding address, encrypted if possible. If some UIDs do not specify contact information, the signatures for these UIDs will be sent to the address on one of the other signed UIDs. If none of the UIDs to be signed gives contact information, then the keyholder must specify during our meeting where the signatures should be sent.
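The delivery rule above can be checked mechanically before any signature is mailed. The following is an added example, not part of the original policy or any tool its author uses: it parses a constructed `gpg --with-colons --fingerprint` listing, compares it with the written fingerprint, and works out where each UID's signature goes. The key, the addresses, the function names and the choice of the first addressed UID as the shared destination are all assumptions.

```python
import re

# Constructed `gpg --with-colons --fingerprint` listing (not a real key).
SAMPLE_LISTING = """\
pub:-:4096:1:89ABCDEF01234567:1411084800:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1411084800::::Alice Example <alice@example.org>:
uid:-::::1411084800::::Alice Example (work) <alice@example.com>:
uid:-::::1411084800::::Alice Example:
"""

def normalize_fpr(text):
    """Strip spacing and require a full 40-hex-digit (v4) fingerprint."""
    fpr = re.sub(r"[\s:]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("need the full fingerprint, not a short key ID")
    return fpr

def parse_listing(listing):
    """Return (primary fingerprint, [UID strings]) from colon-format output."""
    fpr, uids = None, []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and fpr is None:  # first fpr record is the primary key's
            fpr = fields[9]
        elif fields[0] == "uid":
            uids.append(fields[9])
    return fpr, uids

def email_of(uid):
    """Address in a trailing <...>, or None if the UID carries no email."""
    m = re.search(r"<([^<>\s]+@[^<>\s]+)>\s*$", uid)
    return m.group(1) if m else None

def delivery_plan(listing, written_fpr, requested_uids, fallback=None):
    """Map each UID to be signed to the address its signature is mailed to."""
    fpr, uids = parse_listing(listing)
    if fpr is None or normalize_fpr(written_fpr) != fpr:
        raise ValueError("written fingerprint does not match the key")
    unknown = [u for u in requested_uids if u not in uids]
    if unknown:
        raise ValueError(f"not on the key: {unknown}")
    addrs = {u: email_of(u) for u in requested_uids}
    # Assumption: address-less UIDs go to the first signed UID that has one;
    # `fallback` (agreed at the meeting) is used only when none does.
    shared = next((a for a in addrs.values() if a), fallback)
    if shared is None:
        raise ValueError("no address available; keyholder must specify one")
    return {u: a or shared for u, a in addrs.items()}
```

Real listings escape a colon inside a UID as `\x3a`; decode that before matching if the UIDs may contain one.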

Version history