PGP Keysigning Policy

Below is the policy I use when signing other people’s PGP keys.


My OpenPGP Key-signing Policy

This policy is valid for all signatures made by the following OpenPGP (RFC4880) keys:

pub   4096R/EAE88849 2015-01-15 [expires: 2040-01-09]
      Key fingerprint = D87E 055F 5B13 8D65 18B0  20D0 EAF3 AF2D EAE8 8849
pub   4096R/E2F3F698 2015-01-15 [expires: 2040-01-09]
      Key fingerprint = 2243 111A 1871 2928 673E  5C11 6596 6773 E2F3 F698

The latest version of the above keys should be available from well connected keyservers, such as or  You can also download these two public keys from

This policy will be updated from time to time; I will try to keep a record of changes at the end of the document.

Signature Levels
----------------
* I will not answer (signature type 0x10)
  I don't make signatures with this level of trust.

* I have not checked at all (signature type 0x11)
  I'm fairly convinced that the signee is who they say they are, or they are using a pseudonym that I believe they are permitted to use.  I haven't carried out any further checking, and I have not seen any ID which matches the signee's UID, but I have no reason to believe that the signee is lying.

* I have done casual checking (signature type 0x12)
  I have personally checked and verified at least one form of photo identification, which I believe to be issued by a government or similar entity.  This is the highest level of signature I will use for strangers (those I do not have a professional or personal relationship with).

* I have done very careful checking (signature type 0x13)
  I have personally checked and verified at least one form of photo identification with which I am very familiar (UK/Eire passports, UK driving licence, or similar UK identification), and I have known the signee in a professional or personal capacity for at least one year.

If I've known someone personally or professionally for more than one year, I may sign one level higher than the above policy allows, e.g. if a work friend asks me to sign their key but doesn't want to show me ID, I may sign with level 0x12.

Acceptable UIDs
---------------
I verify that every part of the name on the UID is backed by the provided ID documentation; however, UIDs do not need to contain every name on the ID.  If I'm familiar with a nickname on the UID and that nickname corresponds to the 'full' name on the ID, I will sign the key.  I can't guarantee that I know all nicknames, especially outside the English-speaking world, so I will only use signature type 0x11 if I'm unsure.

I may sign picture UATs, but I tend not to do this when I'm participating in a keysigning party.

For UIDs that have an email address, I encrypt the signature and email it to that address.  For UIDs with no email address, I will email the signature to all email addresses in the key.

For entire keys that have no email address, I may either upload the signature directly to a keyserver or, if the signee can provide me with an email address, send the encrypted key to that address.
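The following is an added example, not part of the original policy, showing the checks a signer applies when following the "Signature Levels" and email-delivery rules above: confirming the fingerprint on the signee's slip against a key listing, reading the certification level (0x10 to 0x13) of each existing signature, and working out where each UID's new signature should be emailed.  It parses `gpg --with-colons --list-sigs` output; the listing, signer key IDs, dates and UIDs below are constructed sample data (only the first fingerprint is the one from the policy), and the function names are the example's own.

```python
import re
from typing import Dict, List, Optional

# Certification signature types from RFC 4880 section 5.2.1, labelled with the
# wording the policy uses for each level.
CERT_LEVELS: Dict[int, str] = {
    0x10: "generic certification (I will not answer)",
    0x11: "persona certification (I have not checked at all)",
    0x12: "casual certification (I have done casual checking)",
    0x13: "positive certification (I have done very careful checking)",
}

# Constructed sample of `gpg --with-colons --list-sigs` output. The fingerprint
# is the first policy key; the signer key ID 0123456789ABCDEF, the dates and the
# user IDs are made up for this example.
SAMPLE_LISTING = """\
pub:u:4096:1:EAF3AF2DEAE88849:1421280000:2209680000::u:::scESC::::::23::0:
fpr:::::::::D87E055F5B138D6518B020D0EAF3AF2DEAE88849:
uid:u::::1421280000::0000000000000000000000000000000000000000::Example Person <person@example.org>::::::::::0:
sig:::1:EAF3AF2DEAE88849:1421280000::::Example Person <person@example.org>:13x:
sig:::1:0123456789ABCDEF:1454716800::::Some Signer <signer@example.net>:12x:
uid:u::::1421280000::1111111111111111111111111111111111111111::Example Person::::::::::0:
sig:::1:0123456789ABCDEF:1454716800::::Some Signer <signer@example.net>:11x:
"""


def normalize_fingerprint(fpr: str) -> str:
    """Drop the spaces gpg prints between groups and ignore case."""
    return re.sub(r"\s+", "", fpr).upper()


def email_of(uid: str) -> Optional[str]:
    """Return the address in angle brackets, or None for a UID without one."""
    m = re.search(r"<([^>]+)>", uid)
    return m.group(1) if m else None


def parse_listing(text: str) -> dict:
    """Parse colon-separated records into {"fingerprint": ..., "uids": [...]}.

    Field positions follow gpg's doc/DETAILS: field 5 is the key ID, field 10
    the user ID (the UID itself for uid records, the signer's UID for sig
    records) and field 11 the signature class, e.g. "13x" (0x13, exportable).
    gpg escapes a literal ':' inside a UID as '\\x3a', which is undone here.
    """
    key: dict = {"fingerprint": None, "uids": []}
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "fpr":
            key["fingerprint"] = f[9]
        elif f[0] == "uid":
            uid = f[9].replace("\\x3a", ":")
            key["uids"].append({"uid": uid, "email": email_of(uid), "sigs": []})
        elif f[0] == "sig" and key["uids"]:
            cls = f[10]
            key["uids"][-1]["sigs"].append({
                "signer_keyid": f[4],
                "signer": f[9].replace("\\x3a", ":"),
                "level": int(cls[:2], 16),
                "exportable": cls.endswith("x"),
            })
    return key


def fingerprint_matches(key: dict, expected: str) -> bool:
    """Compare the listed fingerprint with the one read from the signee's slip."""
    return key["fingerprint"] is not None and \
        normalize_fingerprint(key["fingerprint"]) == normalize_fingerprint(expected)


def describe_level(level: int) -> str:
    return CERT_LEVELS.get(level, f"unknown signature type 0x{level:02x}")


def certifications(key: dict) -> List[str]:
    """One line per existing certification, for reviewing a key before signing."""
    return [
        f"{u['uid']!r}: 0x{s['level']:02x} by {s['signer_keyid']} ({describe_level(s['level'])})"
        for u in key["uids"] for s in u["sigs"]
    ]


def signature_recipients(key: dict) -> Dict[str, List[str]]:
    """Where each UID's signature is emailed under the policy above.

    A UID with an address gets its signature sent to that address only; a UID
    without one gets it sent to every address on the key; a key with no
    addresses at all yields an empty list (upload directly, or ask the signee).
    """
    all_emails = [u["email"] for u in key["uids"] if u["email"]]
    return {u["uid"]: ([u["email"]] if u["email"] else list(all_emails))
            for u in key["uids"]}


if __name__ == "__main__":
    key = parse_listing(SAMPLE_LISTING)
    slip = "D87E 055F 5B13 8D65 18B0  20D0 EAF3 AF2D EAE8 8849"
    print("fingerprint matches slip:", fingerprint_matches(key, slip))
    for line in certifications(key):
        print(line)
    for uid, to in signature_recipients(key).items():
        print(f"send signature on {uid!r} to {to or '(no address: keyserver or ask signee)'}")
```

In practice the listing comes from `gpg --with-colons --list-sigs <keyid>` after fetching the key from a keyserver; the fingerprint comparison is the step that ties the downloaded key to the slip of paper checked against ID at the keysigning, and the per-UID recipient list is what decides which address each encrypted signature is mailed to.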

All keys that I sign must be available from a public keyserver (specifically or  This acts as a kind of 'insurance', meaning I can revoke my signature if it transpires that there was foul play in the process of signing.

---------
2016-02-06  :   Creation
