Key-Signing Policy

Date: 2006-07-16

Pre-requisites for Signing

The signee (the key holder who wishes to obtain a signature from me, the signer) must make his/her OpenPGP public key available on a publicly accessible key server, such as the .pgp.net key servers, or on a publicly accessible web server for which the signee provides the URL.

The signee must prove his/her identity to me by way of a valid identity card, a valid driving license or a passport. The document must bear a photograph of the signee.

The signee should have prepared a piece of paper with the output (printed or hand-written) of:

gpg --fingerprint KEYID

(where KEYID is the ID of the key that is to be signed).

The above must take place under reasonable circumstances (i.e. ourselves not being in a hurry, exchanging key data at a calm pace, and so on).

The signee should be willing to cross-sign with me.

The Act of Signing

After having received (or exchanged) the proof detailed above, I will send one email to each of the mail addresses listed in the UIDs which I was asked to sign. These verification emails contain random strings, and will be signed by me and encrypted to the public key whose fingerprint is shown on the paper.

Upon receipt of encrypted and signed replies, I will check that the returned random string matches what I sent. The reply must be signed with the key that I was asked to certify, even if the challenge was encrypted to a different key.

UIDs which pass the above test will be signed. If one of the UIDs fails the test, a warning will be sent to one of the other mail addresses and the procedure will be halted until a satisfactory explanation has been received or the procedure has been cancelled by the signee.

The signed key block will then be uploaded to a public key server and/or sent to the signee.
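As an added example, not code from this policy page, the following Python model implements the challenge/reply check described above: one random token per UID, and a reply counts only when gpg's VALIDSIG status line names the certified key's primary fingerprint (so a reply signed by a subkey, or a challenge encrypted to a different key, is still attributed correctly) and the decrypted body echoes the token. The class name, fingerprints and UIDs are assumptions of this example.

```python
import re
import secrets
import subprocess

# `gpg --status-fd` VALIDSIG fields: signing-key fingerprint, eight bookkeeping
# fields, then the PRIMARY key fingerprint (set even when a subkey signed).
_VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG (\S+)(?: \S+){8} (\S+)\s*$", re.M)

def normalize_fpr(fpr):
    # Strip the spaces `gpg --fingerprint` prints and upper-case the hex.
    return fpr.replace(" ", "").upper()

def signing_primary_fpr(gpg_status):
    # Primary-key fingerprint from the VALIDSIG line, or None if no valid sig.
    m = _VALIDSIG.search(gpg_status)
    return normalize_fpr(m.group(2)) if m else None

def decrypt_reply(path):
    # Decrypt a saved reply with gpg; status lines go to stderr, body to stdout.
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "2", "--decrypt", path],
                          capture_output=True, text=True)
    return proc.stderr, proc.stdout

class KeySigningChallenge:
    """One random token per UID of the key with fingerprint `key_fpr` (assumed name)."""
    def __init__(self, key_fpr, uids):
        self.key_fpr = normalize_fpr(key_fpr)
        self.tokens = {uid: secrets.token_urlsafe(24) for uid in uids}
        self.passed = set()
        self.halted = False  # set once any UID fails; nothing is signed then

    def challenge_text(self, uid):
        # Plaintext to sign and encrypt to the key whose fingerprint is on the paper.
        return f"Key-signing challenge for {uid}: {self.tokens[uid]}\n"

    def verify_reply(self, uid, gpg_status, body):
        # Pass only if the primary key that signed the reply is the key being
        # certified (the challenge may have been encrypted to another key) and
        # the decrypted body echoes the token sent to this UID.
        signer_ok = signing_primary_fpr(gpg_status) == self.key_fpr
        token_ok = uid in self.tokens and self.tokens[uid] in body
        if signer_ok and token_ok:
            self.passed.add(uid)
            return True
        self.halted = True  # policy: halt until a satisfactory explanation
        return False

    def uids_to_sign(self):
        # UIDs that may be certified; none while the procedure is halted.
        return [] if self.halted else sorted(self.passed)
```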

Levels of Signatures

Depending on the character of the key which is to be signed by me, I will use different signature levels:

  • Level 3 (positive certification): A level of 3 is given to sign-and-encrypt keys which successfully pass all the checks: I have met the signee, I have verified his/her identity card and fingerprint, and the replies to the email challenges were correct. Photographic UIDs that are a true likeness of the signee will also be signed with a level of 3. These signatures are the strongest in my web of trust.

  • Level 2 (casual certification): A level of 2 is given to sign-only keys where email verification is not possible.

  • Level 1 (persona certification): A level of 1 will never be used by me.

  • Level 0 (generic certification): A level of 0 is given to keys of Certification Authorities. Usually the fingerprints of those keys can only be obtained from the CA's web site and cannot be verified by exchange with a responsible member of the CA. These signatures are the weakest in my web of trust.

Links

  1. RFC 2440: OpenPGP Message Format
  2. pgp Key Signing Observations: Overlooked Social and Technical Considerations
  3. GnuPG Key Signing Policy of Marcus Frings
  4. GnuPG Key Signing Policy of Stephane Clodic
  5. OpenPGP Key Signing Policy of Marc Mutz (v2)
  6. OpenPGP Signing Policy of Stewart V. Wright
  7. Marc Haber's GPG Key Signing Policy
  8. PGP and OpenPGP Key Signing Policy of Thomas Bader v1.0
  9. Key Signing Policy for Sebastian Inacker
  10. GPG Key Signing Policy of Matt Brown
  11. OpenPGP Key Signing Policy of Stefan Schmidt
  12. HantsLUG Wiki: LinuxHints/KeySigning