GPG Keysigning Policy

Last updated 2013-07-20

Signature levels

Level 0 (generic certification)

I will issue this type of signature for keys that represent a group or an organization. My signature on such a key indicates only that I am “pretty sure” that there is a correspondence between the key and the group.

Level 1 (persona certification)

I do not use this type of signature.

Level 2 (casual certification)

I will issue this type of signature for pseudonymous keys. In this case I have determined only that the same person controls the key and the e-mail addresses listed in the signed UIDs. No claim is made regarding the connection between the key and any real-life identity.

Level 3 (positive certification)

I will issue this signature if I have personally met the keyholder and verified their identity according to the procedure below.

Signing procedure

I will meet with another user in reasonable conditions and verify his or her identity against a government-issued photo ID. I will accept a passport from any country or a driver's license. The user must present me with a written record of the key fingerprint and list of the UIDs to be signed.

Additionally, I will sign keys without checking any form of ID if people I trust personally confirm the person's “identity”. This is especially true for keys with pseudonymous user IDs. In my opinion, the PGP web of trust is not meant to rely on or force government identification. I do support the notion of “multiple identities”. I purposely do not discriminate between keys that I have signed using this policy and those where I check government-issued ID. Note that my signature explicitly does not rely on a direct trust relation between me and the keyholder, but on trust relations between people I trust and the keyholder (indirect trust).

I will send the signed key to the keyholder only; the keyholder can distribute these as he or she sees fit. My signature for each UID will be delivered to that UID only, so my signature on e.g. an e-mail address confirms that the key owner has access to that e-mail address. I will sign UIDs containing photos, XMPP addresses, etc. at my discretion. If the UIDs I signed contain contact information, each signature will be sent to the corresponding address, encrypted if possible. If some UIDs do not specify contact information, the signature for these UIDs will be sent to the address on one of the other signed UIDs. If none of the UIDs to be signed give contact information then the keyholder must specify during our meeting where the signatures should be sent.
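The procedure above has three mechanical parts: comparing the fingerprint on the written record with the key, choosing the certification level, and deciding which address each per-UID signature goes to. The following script is an added example of those steps and is not the author's own tooling. The `--with-colons` listing it parses is a constructed sample (hypothetical key, names and addresses), and `build_plan()` only returns the gpg command lines as argv lists rather than running anything. It assumes GnuPG 2.1 or later, where `--quick-sign-key` honours `--default-cert-level` and `--export-filter keep-uid` can export a key with a single UID; the `=` prefix on a name asks `--quick-sign-key` for an exact, case-sensitive match.

```python
"""Helper for the signing procedure: check the written fingerprint against the
key, map a policy level to the OpenPGP certification class, and decide where
each per-UID signature is delivered.

Added example, not the author's tooling.  SAMPLE_LISTING is a constructed
`gpg --with-colons --list-keys` output with hypothetical names/addresses;
build_plan() returns gpg argv lists and executes nothing.
"""
import re

# Policy levels 0..3 are the OpenPGP certification classes 0x10..0x13.
CERT_CLASS = {0: 0x10, 1: 0x11, 2: 0x12, 3: 0x13}

# An e-mail address in angle brackets is what counts as contact information.
EMAIL_RE = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>")

# Constructed sample: the second UID has no address, the `uat` record is a
# photo UID (no text to sign by name), the second fpr belongs to the subkey.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1370000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1370000000::AAAA::Jane Doe <jane@example.org>::::::::::0:
uid:u::::1370000000::BBBB::Jane Doe (no address)::::::::::0:
uat:u::::1370000000::CCCC::1 5283:::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1370000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""


def normalize_fpr(text):
    """Canonicalise the fingerprint as written on the slip: drop whitespace,
    upper-case, and insist on the 40 hex digits of a v4 fingerprint."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a 40-hex-digit fingerprint: %r" % text)
    return fpr


def parse_listing(listing):
    """Return (primary fingerprint, [text UIDs]) from --with-colons output.
    The first `fpr` record is the primary key; both it and `uid` records carry
    their payload in field 10 (index 9)."""
    fpr, uids = None, []
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) <= 9:
            continue
        if fields[0] == "fpr" and fpr is None:
            fpr = fields[9]
        elif fields[0] == "uid":
            uids.append(fields[9])
    if fpr is None:
        raise ValueError("no fingerprint record in listing")
    return fpr, uids


def delivery_plan(signed_uids):
    """Address for each signed UID's signature: its own address if it has one,
    otherwise an address from another signed UID; with no address on any
    signed UID the destination has to be agreed at the meeting."""
    addresses = {}
    for uid in signed_uids:
        match = EMAIL_RE.search(uid)
        if match:
            addresses[uid] = match.group(1)
    if not addresses:
        raise ValueError("no signed UID carries an address; ask the keyholder")
    fallback = next(iter(addresses.values()))
    return {uid: addresses.get(uid, fallback) for uid in signed_uids}


def build_plan(listing, written_fpr, level, signed_uids):
    """Check the written record against the key, then produce the gpg commands
    for one session.  Each command is a pipeline: a list of argv lists."""
    if level not in CERT_CLASS:
        raise ValueError("policy levels are 0-3")
    key_fpr, key_uids = parse_listing(listing)
    if key_fpr != normalize_fpr(written_fpr):
        raise ValueError("fingerprint on the written record does not match the key")
    missing = [u for u in signed_uids if u not in key_uids]
    if missing:
        raise ValueError("UIDs not present on the key: %r" % missing)

    # Sign only the named UIDs; '=' forces an exact, case-sensitive match.
    commands = [[["gpg", "--default-cert-level", str(level), "--quick-sign-key",
                  key_fpr] + ["=" + u for u in signed_uids]]]
    for uid in signed_uids:
        # Export the key with just this UID (and its signatures) and encrypt it
        # to the key, so only the holder of the key can import the signature.
        export = ["gpg", "--armor", "--export-filter", "keep-uid=uid = " + uid,
                  "--export", key_fpr]
        encrypt = ["gpg", "--armor", "--encrypt", "--recipient", key_fpr]
        commands.append([export, encrypt])
    return {"cert_class": CERT_CLASS[level],
            "delivery": delivery_plan(signed_uids),
            "commands": commands}


if __name__ == "__main__":
    import shlex
    _, uids = parse_listing(SAMPLE_LISTING)
    plan = build_plan(SAMPLE_LISTING, "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567", 3, uids)
    print("certification class 0x%02x" % plan["cert_class"])
    for uid, addr in plan["delivery"].items():
        print("%-32s -> %s" % (uid, addr))
    for pipeline in plan["commands"]:
        print(" | ".join(" ".join(shlex.quote(a) for a in stage) for stage in pipeline))
```

Each exported, encrypted file is then mailed to the address `delivery_plan()` chose for that UID; the keyholder has to decrypt and import it, which is the check that they control both the key and the mailbox. Note that `export-minimal` is deliberately not used: it strips every signature except the newest self-signature, so it would drop the certification just made.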


-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJR6/H+AAoJEOmGAeddqPzU/80P/35gQWDc8BuqTJBTe2zfMrDj
zwgXH4LRzvMXVEdNPJkjNhA7OtpKWG4v0bAcO4uHOn8D0RuzN0qNp3Kb7/zdYRbs
OrkTvIGIa/ebqVX/g9o9dpQP4KVe1DLysIJ+ux75k67sB6WbnSAUpxrNFrhVYIoF
FbuZDt1uvV8b5wtYCaWJePSqCnwp8rt9KvF8Ll3yiExiP/EgYfT7y/En+Z0aJaRr
PBpp8bkyIZ7V00aniN4JEK3UNMdFAbWEez4PKdkxOIiNGoBOsRhMmhPvGD2nKiPI
yHSTotC6ES6QbcVaKZL2bS1Hi52R+h5vrf64uTNZqYzyWljbujwChY1Kgu6zve/H
m6NMOriL48VdMa543WteomcB4LavUk/KqYphzP3/Tf06h/gpLgqRF2QgxxKT85v3
5xF4kqRvncp5nZ3DFyhGOs+QAPnVbWDZvZWkrvDyEaHpeAoYQ8TvRuMlEmeVMPgW
oIDXBscTy+65EotuV+N8BU/wit3tkTeBX/yKHE2yrvbvQOocOLutgPLDA77a8HLZ
4+lXrcSmizoqWY+KrAv2OUzkTX2zZhS61OR9/4XlJZT15R47yvkgX+hCyNtq4GYp
KeJvIxH+ED+VQAyGSiI1Tco8jFx9CZUP9koVm7erM5rCnyRMG1JfbUTh6JEMxUUZ
7JCdFP39zMeSGHTaZD2p
=m+B1
-----END PGP SIGNATURE-----

keysigning-policy.txt · Last modified: 2013/07/21 16:38 by moritz