Since April 2012 I have held the position of Chairman of The Software Society Ltd. On the 23rd of March this year, 2013, it was decided that the board of directors and office bearers (Chairman, Company Secretary and Chief Financial Officer) should all create and use OpenPGP keys for all official business.
It was also decided that each office bearer's key should last as long as they are in office, the new incumbent creating a new key upon their election.
To this end, during my time in the post my key will be 0x6415679569aa4946 and will be subject to the same signing policy as has been in use on my personal key. This is detailed below.
This policy is valid for all signatures made by the following GnuPG keys:
pub 4096R/A7EEB609 2011-06-25 Primary OpenPGP Key
    Key fingerprint = 299B 6F75 C137 950F 031F 5DFA D406 5F5E A7EE B609
pub 4096R/B784045B 2011-09-19 Secondary OpenPGP Key
    Key fingerprint = 2642 7F79 DA14 44C4 CBE9 23BB 22C7 2B37 B784 045B
pub 2048R/69AA4946 2013-03-24 Software Society (Chairman) OpenPGP Key
    Key fingerprint = CFAE 70BC 1735 BF50 C993 DACB 6415 6795 69AA 4946
This policy was first written on 2011-06-22 but the policies listed here have been followed since the creation of the key four days earlier on the 18th. Content and structure of this document are strongly based on the OpenPGP Key Signing Policy of Marc Mutz and Jörgen Cederlöf but have been slightly modified from the original sources.
I live in Dundee (Scotland) and am available to sign keys any time. If you want to arrange for a key-signing, your best chance of meeting me is in or near Dundee. Occasionally I'm in St. Andrews, Cupar and Perth. I can be reached through the /feedback form on this site; just be sure to include the phrase 'key-signing' in the subject line. I am also listed at biglumber.com, a website for key signing coordination. Meetings at computer-related fairs are possible as well.
Usually I keep track of upcoming events where it would be possible to meet in order to sign keys at /about/me/events.
The signee (the key owner who wishes to obtain a signature to his/her key from me, the signer) must make his/her OpenPGP key available on a publicly accessible keyserver (see above for example keyservers).
For people from outside the European Union I will check both of these two tokens (since I cannot assess their risk of fraud). Exceptions may be made if there is a good reason for me to do so.
The signee should have prepared a strip of paper with a printout of the output of
gpg --fingerprint 0x12345678
(or an equivalent command if the signee does not use GnuPG) where 0x12345678 is the key ID of the key which is to be signed.
A handwritten piece of paper featuring the fingerprint and all UIDs the signee wants me to sign will also be accepted.
The above must take place under reasonable circumstances (i.e. ourselves not being in a hurry, exchanging key data at a calm place and so on).
After having received sufficient proof of identity I will sign the signee's piece of paper myself to avoid fraud, and eventually sign the signee's key.
The signed keyblock will then be mailed to the signee, or uploaded to a keyserver if expressly wished.
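A check for the fingerprint exchange described above, added here as an example and not part of this policy's own tooling: it normalises what the signee hands over on paper (printed or handwritten, with spaces or colons), compares it with the fingerprint of the copy fetched from the keyserver, and confirms that the key ID the signee quotes is the suffix of that fingerprint, as it is for an OpenPGP v4 key. A short or long key ID on its own is never accepted as a verification; only the full fingerprint is. The function names and paper-strip formats are assumptions; the key data is taken from this page.

```python
import re

# Key listing as printed on this policy page (constructed from the page's own
# "gpg --fingerprint"-style output): short key ID and full v4 fingerprint.
PAGE_KEYS = [
    ("A7EEB609", "299B 6F75 C137 950F 031F 5DFA D406 5F5E A7EE B609"),
    ("B784045B", "2642 7F79 DA14 44C4 CBE9 23BB 22C7 2B37 B784 045B"),
    ("69AA4946", "CFAE 70BC 1735 BF50 C993 DACB 6415 6795 69AA 4946"),
]


def _clean_hex(text):
    """Drop the spaces, colons and leading 0x found on printed or handwritten
    strips, and upper-case what is left."""
    cleaned = re.sub(r"[\s:]", "", text).upper()
    return cleaned[2:] if cleaned.startswith("0X") else cleaned


def normalise_fingerprint(text):
    """Return the 40-hex-digit v4 fingerprint, or None if the strip does not
    carry one (a short or long key ID alone is not a fingerprint)."""
    cleaned = _clean_hex(text)
    return cleaned if re.fullmatch(r"[0-9A-F]{40}", cleaned) else None


def key_id_matches(key_id, fingerprint):
    """A v4 key ID is the low-order 32 or 64 bits of the fingerprint, so the
    short (8 hex) or long (16 hex) ID must be a suffix of the fingerprint."""
    fpr = normalise_fingerprint(fingerprint)
    kid = _clean_hex(key_id)
    if fpr is None or not re.fullmatch(r"[0-9A-F]{8}(?:[0-9A-F]{8})?", kid):
        return False
    return fpr.endswith(kid)


def verify_signing_request(paper_strip, keyserver_fingerprint, claimed_key_id):
    """Checks done at the table: the signee's paper strip, the fingerprint of
    the key fetched from the keyserver and the key ID the signee named must
    all refer to the same key. Returns (ok, reason)."""
    paper = normalise_fingerprint(paper_strip)
    if paper is None:
        return False, "paper strip does not carry a full 40-digit fingerprint"
    fetched = normalise_fingerprint(keyserver_fingerprint)
    if fetched != paper:
        return False, "fingerprint on paper differs from the keyserver copy"
    if not key_id_matches(claimed_key_id, paper):
        return False, "claimed key ID is not the suffix of this fingerprint"
    return True, "fingerprint and key ID agree; proceed to the ID check"
```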
Key signing is performed on the understanding that the act of signing is mutual. If the signee fails to sign my key in return I reserve the right to revoke my signature from their key.
I have been asked what my position is towards requests from people (whose keys I had already signed) to also sign their new keys.
In principle, I agree to the procedure when I am reasonably sure the request is not bogus/a scam, and the following conditions are met:
Any signing request of transition to a new key
However, such a signing request may be declined without giving reasons. If unsure, enquire first.
A level of 0 is given to keys of Certification Authorities since in most cases the key owner is a whole organization and not a single person. Usually the fingerprints of those keys have to be verified by getting them from the corresponding website of the CA and cannot be checked by exchange with a member of the CA who is in charge. These signatures are the weakest in my web of trust.
If I have had contact with someone through signed or encrypted e-mail over a time long enough to rule out at least temporary man-in-the-middle attacks, and I have verified the key with a key downloaded from his/her personal web page, or signed emails/fingerprints on public mailing lists, but I have not met the person or verified the key in any other way, I may sign the key with cert check level one.
A level of 2 is given to sign-only keys. Because encryption cannot be used to confirm that whoever controls the mail account also controls the key, it cannot be determined whether the account owner and the key owner are the same person, so these signatures only receive the lower level of 2.
A level of 3 is given to sign-and-encrypt keys: I have met the signee in person, I have verified his identity document (ID card, passport or driving licence) and his key's fingerprint. I was also able to send my signatures encrypted with the corresponding key of the signee. These signatures are the strongest in my web of trust.
Photographic UIDs are also going to be signed with a level of 3 if I can still remember the signee's face when I am back at home.
I will also sign keys at level 3 when I know the signee personally; in that case I do not require an ID card or the above formal procedure. A meeting where we exchange fingerprints is enough. Naturally, it would be extremely hard to trick me into signing a false key this way.