2025-06-03T20:03:01+08:00
To further enhance the robustness of cryptographic trust between my friends and myself, I have updated my cryptographic trust policy and developed a management system to administer it more consistently and uniformly. As of today, all previously established cryptographic trust relationships are no longer valid. Everyone must re-establish cryptographic trust with me using a valid OpenPGP key. You are responsible for safeguarding your private key in a secure location, protected from any potential compromise by Mallory.
To establish cryptographic trust with me, you must possess a valid OpenPGP keypair, demonstrate the consistency between your OpenPGP public key and your initial identity (the identity you were using when you first got in touch with me), and then demonstrate the consistency between your OpenPGP public key and your other identities.
Detailed guidelines are provided below.
You must verify the OMEMO fingerprints associated with your Jabber account. Use your OpenPGP key to sign the following text:
I hereby formally acknowledge that the Jabber/XMPP account username@example.org is associated with and under the control of the individual whose OpenPGP key has the fingerprint XXXX. The following OMEMO fingerprints are hereby confirmed as valid for this account:
AAAAAAAA
BBBBBBBB
......
Replace username@example.org, XXXX, AAAAAAAA... with your actual information.
You only need to verify your identifiers. For example, with Matrix:
I hereby formally acknowledge that the Matrix account @username:example.org is associated with and under the control of the individual whose OpenPGP key has the fingerprint XXXX.
If you use Tox or Session, use your Tox ID or Session ID instead of your Matrix account.
You only need to verify your SimpleX security code. Open my contact details page to obtain the security code.
I hereby formally acknowledge that the SimpleX account with the security code YYYYYY is associated with and under the control of the individual whose OpenPGP key has the fingerprint XXXX.
To prove that the mailbox belongs to you and is trusted by you, simply send a signed (or preferably encrypted) email using OpenPGP to my mailbox.
Since Briar allows only one login per account, proving that the account belongs to you effectively proves that no one else can access it. This is as straightforward as signing a random piece of text that I provide and sending it back to me.
These communication tools lack built-in trust management, identity verification mechanisms, and local, single-login-only accounts. Some do not even support end-to-end encryption. Therefore, it is not possible to establish a cryptographic trust relationship with me through these platforms. However, you may still prove ownership of such accounts by signing a text containing your relevant identifiers.
For example, if you use Telegram:
I hereby formally acknowledge that the Telegram account @username is associated with and under the control of the individual whose OpenPGP key has the fingerprint XXXX.
You will need your identity card or resident card. Only documents issued in mainland China, Hong Kong, Macau, Taiwan, France, Germany, or Japan are accepted. You must also have OpenKeychain installed with your OpenPGP secret key imported.
Then follow these steps:
If you are using a resident card issued in mainland China, Hong Kong, Macau, Taiwan or Japan:
I hereby formally acknowledge that the identity card issued in the name of ZHANG SAN (张三), bearing the identification number AAAA, is associated with and under the control of the individual whose OpenPGP key has the fingerprint XXXX.
Otherwise:
I hereby formally acknowledge that the identity card issued in the name of John Appleseed, bearing the identification number AAAA, is associated with and under the control of the individual whose OpenPGP key has the fingerprint XXXX.
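For the receiving side, here is an added Python example (not the author's management system) that checks a statement written in any of the templates above once gpg has verified its clearsign signature: it parses the common wording, confirms that the fingerprint named in the text is the fingerprint of the key that actually signed it (signer_fpr, assumed to come from gpg's verification output), validates an OMEMO fingerprint list if present, and generates the random text for the Briar step. It assumes an OMEMO fingerprint is a 32-byte key shown as 64 hex digits.

```python
import re
import secrets

# Common body shared by every statement template above; the OMEMO trailer is optional.
STATEMENT_RE = re.compile(
    r"^I hereby formally acknowledge that the (?P<subject>.+?) is associated with and "
    r"under the control of the individual whose OpenPGP key has the fingerprint "
    r"(?P<fpr>[0-9A-Fa-f ]{40,50})\."
    r"(?:\s+The following OMEMO fingerprints are hereby confirmed as valid for this account:"
    r"(?P<omemo>.*))?$",
    re.DOTALL,
)


def normalize_fpr(fpr: str) -> str:
    """Drop grouping spaces and upper-case, so 'abcd efgh' equals 'ABCDEFGH'."""
    return re.sub(r"\s+", "", fpr).upper()


def check_statement(text: str, signer_fpr: str) -> dict:
    """Check a statement AFTER gpg has verified its signature.

    signer_fpr: fingerprint of the key that produced the valid signature (from gpg).
    Returns {'ok': True, 'subject', 'fpr', 'omemo'} or {'ok': False, 'error'}.
    """
    m = STATEMENT_RE.match(text.strip())
    if not m:
        return {"ok": False, "error": "text does not follow the statement template"}
    claimed = normalize_fpr(m["fpr"])
    if len(claimed) != 40:
        return {"ok": False, "error": "OpenPGP fingerprint must be 40 hex digits"}
    # Core check: the key named inside the text must be the key that signed it,
    # otherwise a signer could bind an account to somebody else's key.
    if claimed != normalize_fpr(signer_fpr):
        return {"ok": False, "error": "statement names a different key than the signer"}
    omemo = []
    for line in (m["omemo"] or "").split("\n"):
        if not line.strip():
            continue
        f = normalize_fpr(line)
        # Assumption: an OMEMO fingerprint is a 32-byte key shown as 64 hex digits.
        if not re.fullmatch(r"[0-9A-F]{64}", f):
            return {"ok": False, "error": f"malformed OMEMO fingerprint: {line.strip()!r}"}
        omemo.append(f)
    return {"ok": True, "subject": m["subject"], "fpr": claimed, "omemo": omemo}


def make_briar_challenge() -> str:
    """Random text for the Briar step: fresh per request so an old signature cannot be replayed."""
    return "briar-challenge-" + secrets.token_hex(16)
```

Run gpg first (for example `gpg --verify` on the clearsigned file) and pass the fingerprint it reports as signer_fpr; a valid signature alone does not show that the text names the right key.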