Bleah!/ OpenPGP

Introduction

GNU Privacy Guard, also known as GnuPG or GPG, is a complete and free implementation of the OpenPGP Message Format. OpenPGP, originally derived from PGP, provides methods of encrypting data and, perhaps more usefully to many people, of creating digital signatures that help ensure the integrity of data. By digitally signing my communications, I give both myself and the recipients a level of assurance that:

  1. The message was signed with my private key (presumably by me); and
  2. The message has not been altered.

When communicating with me, please consider using OpenPGP to sign your messages.

Public Key

To verify messages signed by me, or to encrypt messages for me, you may use the following public key:

pub   1024D/2FD7108A 2006-07-16
      Key fingerprint = 2FD8 E541 5672 13B3 F33F  8B53 8FAF FA95 2FD7 108A
uid                  Simon Edward Ward <simon@bleah.co.uk>
uid                  Simon Edward Ward <simon@mivok.net>
uid                  Simon Edward Ward (Instant Messaging) <s_wardman@mivok.net>
uid                  [jpeg image of size 13697]
uid                  Simon Edward Ward (Free Software Foundation) <sward@member.fsf.org>
sub   2048g/02E73F4F 2006-07-16

You can fetch my key from a key server such as the .pgp.net key servers, or download my public key from this site.

Please note: My previous key, B8506E2C, has been revoked.

Key-Signing Policy

Date: 2006-07-16

Pre-requisites for Signing

The signee (the key holder who wishes to obtain a signature on his/her key from me, the signer) must make his/her OpenPGP public key available on a publicly accessible key server, such as the .pgp.net key servers, or on a publicly accessible web server for which the signee provides the URL.

The signee must prove his/her identity to me by way of a valid identity card, a valid driving licence or a passport. These documents must feature a photograph of the signee.

The signee should have prepared a piece of paper with the output (printed or hand-written) of:

gpg --fingerprint KEYID

(where KEYID is the ID of the key that is to be signed).

The above must take place under reasonable circumstances (i.e. ourselves not being in a hurry, exchanging key data at a calm pace, and so on).

The signee should be willing to cross-sign with me.

The Act of Signing

After having received (or exchanged) the proof detailed above, I will send one email to each of the mail addresses listed in the UIDs which I was asked to sign. These verification emails contain random strings, and will be signed by me and encrypted to the public key whose fingerprint is shown on the paper.

Upon receipt of the encrypted and signed replies, I will check each returned random string for equality with what I sent. The reply must be signed with the key that I was asked to certify, even if the challenge was encrypted to a different key.

UIDs which pass the above test will be signed. If one of the UIDs fails the test, a warning will be sent to one of the other mail addresses and the procedure will be halted until a satisfactory explanation has been received, or the procedure has been cancelled by the signee.

The signed key block will then be uploaded to a public key server and/or sent to the signee.
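The bookkeeping side of the challenge procedure above, as an added illustration (not code from this site): GnuPG does the signing, encryption and verification, and this only issues one random string per UID, reads the signer's primary-key fingerprint from a `gpg --status-fd 1 --verify` VALIDSIG line, and applies the two acceptance rules, halting at the first failing UID. All fingerprints, addresses and status lines below are constructed sample values.

```python
import secrets

# Constructed placeholder for the fingerprint on the signee's paper, i.e. the key
# I was asked to certify. Not a real key.
CERTIFY_FPR = "1111222233334444555566667777888899990000"


def make_challenges(uids):
    """One fresh random string per UID mail address; returns {email: token}."""
    return {email: secrets.token_hex(16) for email in uids}


def parse_valid_sig(status_output):
    """Return the primary-key fingerprint named in a VALIDSIG status line, or None.

    VALIDSIG fields, as documented in GnuPG's DETAILS file: <fpr> <sig-date>
    <sig-timestamp> <expire-timestamp> <sig-version> <reserved> <pubkey-algo>
    <hash-algo> <sig-class> [<primary-key-fpr>]. The optional last field is the
    primary key even when a signing subkey produced the signature, so that is
    what we compare against the paper; older output without it gives <fpr>.
    """
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return (parts[11] if len(parts) > 11 else parts[2]).upper()
    return None  # no valid signature reported (BADSIG, ERRSIG, nothing at all)


def check_reply(challenges, email, returned_token, status_output, certify_fpr):
    """Rule 1: the returned string equals the one sent to this address.
    Rule 2: the reply is signed with the key being certified, regardless of
    which key the challenge itself was encrypted to."""
    expected = challenges.get(email)
    if expected is None or not secrets.compare_digest(expected, returned_token):
        return False
    return parse_valid_sig(status_output) == certify_fpr.upper()


def run_procedure(challenges, replies, certify_fpr):
    """replies maps email -> (returned_token, gpg status output).
    Returns (uids_that_passed, email_that_failed_or_None); the procedure halts
    at the first failure, as the policy requires."""
    passed = []
    for email, (token, status) in replies.items():
        if not check_reply(challenges, email, token, status, certify_fpr):
            return passed, email
        passed.append(email)
    return passed, None
```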

Levels of Signatures

Depending on the character of the key which is to be signed by me, I will use different levels of signatures:

Links

  1. RFC 2440: OpenPGP Message Format
  2. PGP Key Signing Observations: Overlooked Social and Technical Considerations
  3. GnuPG Key Signing Policy of Marcus Frings
  4. GnuPG Key Signing Policy of Stephane Clodic
  5. OpenPGP Key Signing Policy of Marc Mutz (v2)
  6. OpenPGP Signing Policy of Stewart V. Wright
  7. Marc Haber's GPG Key Signing Policy
  8. PGP and OpenPGP Key Signing Policy of Thomas Bader v1.0
  9. Key Signing Policy for Sebastian Inacker
  10. GPG Key Signing Policy of Matt Brown
  11. OpenPGP Key Signing Policy of Stefan Schmidt
  12. HantsLUG Wiki: LinuxHints/KeySigning