keysigning-policy [2013/07/21 16:38]
moritz signed. now ugly.
keysigning-policy [2013/07/21 16:38] (current)
Line 1: Line 1:
-Hash: SHA512 
-====== GPG Keysigning Policy ====== 
-Last updated 2013-07-20 
-===== Signature levels ===== 
-==== Level 0 (generic certification) ==== 
-I will issue this type of signature for keys that represent a group or an organization. My signature on such a key indicates only that I am “pretty sure” that there is a correspondence between the key and the group. 
-==== Level 1 (persona certification) ==== 
-I do not use this type of signature. 
-==== Level 2 (casual certification) ==== 
-I will issue this type of signature for pseudonymous keys. In this case I have determined only that the same person controls the key and the e-mail addresses listed in the signed UIDs. No claim is made regarding the connection between the key and any real-life identity. 
-==== Level 3 (positive certification) ==== 
-I will issue this signature if I have personally met the keyholder and verified their identity according to the procedure below. 
-===== Signing procedure ===== 
-I will meet with another user in reasonable conditions and verify his or her identity against a government-issued photo ID. I will accept a passport from any country or a driver's license. The user must present me with a written record of the key fingerprint and list of the UIDs to be signed. 
-__Additionally, I will sign keys without checking any form of ID if people I trust personally confirm the person's "identity". This is especially true for keys with pseudonymous user IDs.__ In my opinion, the PGP web of trust is not meant to rely on or force government identification. I do support the notion of "multiple identities". I purposely do not distriminate between keys that I have signed using this policy or the one where I check government-issued ID. Note that my signature explicitly does not rely on a direct trust relation btween me and the keyholder, but on trust relations between people I trust and the keyholder (indirect trust). 
-I will send the signed key to the keyholder only; the keyholder can distribute these as he or she sees fit. My signature for each UID will be delivered to that UID only, so my signature on e.g. an e-mail address confirms that the key owner has access to that e-mail address. I will sign UIDs containing photos, XMPP addresses, etc. at my discretion. If the UIDs I signed contain contact information, each signature will be sent to the corresponding address, encrypted if possible. If some UIDs do not specify contact information, the signature for these UIDs will be sent to the address on one of the other signed UIDs. If none of the UIDs to be signed give contact information then the keyholder must specify during our meeting where the signatures should be sent. 
 Hash: SHA512 Hash: SHA512
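Review bot: the policy text removed in this hunk carries two typos that will be frozen into the clearsigned revision if they are not corrected first: "distriminate" in the sentence "I purposely do not distriminate between keys that I have signed using this policy" should read "discriminate", and "btween" in "a direct trust relation btween me and the keyholder" should read "between". Because the new revision is signed (the "Hash: SHA512" armor header is the only line shown on the right), any later wording fix will require re-signing the whole page, so it is cheaper to fix the text in the same edit.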