PGP Keysigning Policy

Below is the policy I use when signing other people’s PGP keys.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

My OpenPGP Key-signing Policy
=============================

This policy is valid for all signatures made by the following OpenPGP (RFC4880) keys:

pub   4096R/EAE88849 2015-01-15 [expires: 2040-01-09]
      Key fingerprint = D87E 055F 5B13 8D65 18B0  20D0 EAF3 AF2D EAE8 8849
pub   4096R/E2F3F698 2015-01-15 [expires: 2040-01-09]
      Key fingerprint = 2243 111A 1871 2928 673E  5C11 6596 6773 E2F3 F698

The latest version of the above keys should be available from well-connected keyservers, such as pool.sks-keyservers.net or keys.gnupg.net.  You can also download these two public keys from http://mi0gjn.co.uk/public-keys.asc

This policy shall be updated from time to time; I will try to keep a record of changes at the end of the document.

Signature Levels
- ----------------
* I will not answer (signature type 0x10)
  I don't make signatures with this level of trust.

* I have not checked at all (signature type 0x11)
  I'm fairly convinced that the signee is who they say they are, or they are using a pseudonym that I believe they are permitted to use.  I haven't carried out any further checking, and I have not seen any ID which matches the signee's UID, but I have no reason to believe that the signee is lying.

* I have done casual checking (signature type 0x12)
  I have personally checked and verified at least one form of photo identification, which I believe to be issued by a government or similar entity.  This is the highest level of signature I will use for strangers (those I do not have a professional or personal relationship with.)
  
* I have done very careful checking (signature type 0x13)
  I have personally checked and verified at least one form of photo identification, which I am very familiar with (UK/Eire passports, UK driving license, or similar UK identification), and I have known the signee in a professional or personal capacity for at least one year.
  
If I've known someone personally or professionally for more than one year, I may sign a level higher than the above policy, e.g. if a work friend asks me to sign their key, but doesn't want to show me ID, I may sign with level 0x12.

Acceptable UIDs
- ---------------
I verify that every part of the name on the UID is backed by the provided ID documentation; however, UIDs do not need to contain every name on the ID.  If I'm familiar with a nickname on the UID, and this nickname corresponds to the 'full' name on the ID, I will sign the key; however, I won't guarantee I know all nicknames, especially outside the English-speaking world, so I will only use signature type 0x11 if I'm unsure.

I may sign picture UATs, but I tend not to do this when I'm participating in a keysigning party.

For UIDs that have an email address, I encrypt the signature and email it to this email address.  For UIDs with no email address, I will email the signature to all email addresses in the key.

For entire keys that have no email address, I may either directly upload the signature to a keyserver, or if the signee can provide me with an email address, I will send the encrypted key to this email address.

All keys that I sign must be available from a public keyserver (specifically keys.gnupg.net or pool.sks-keyservers.net).  This acts as a kind of 'insurance', meaning I can revoke my signature if it transpires that there was foul play in the process of signing.

Changelog
- ---------
2016-02-06  :   Creation

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----