OpenPGP: Key Signing Policy
Since April 2012 I have held the position of Chairman of The Software Society Ltd. On the 23rd of March this year, 2013, it was decided that the board of directors and office bearers (Chairman, Company Secretary and Chief Financial Officer) should all create and use OpenPGP keys for all official business.

It was also decided that each office bearer's key should last as long as they are in office, the new incumbent creating a new key upon their election. To this end, during my time in the post my key will be 0x6415679569aa4946 and will be subject to the same signing policy as has been in use on my personal key. This is detailed below.

Preamble

This policy is valid for all signatures made by the following GnuPG keys:

The most recent versions of these keys are available from the key server at sks.research.nxfifteen.me.uk or for download from My GPG Page.

This policy was first written on 2011-06-22, but the policies listed here have been followed since the creation of the key four days earlier on the 18th. Content and structure of this document are strongly based on the OpenPGP Key Signing Policy of Marc Mutz (Link no longer available) and Jörgen Cederlöf (Link no longer available) but have been slightly modified from the original sources.

Location

I live in Dundee (Scotland) and am available to sign keys any time. If you want to arrange for a key-signing, your best chance of meeting me is in or near Dundee. Occasionally I'm in St Andrews, Cupar and Perth. I can be reached through the feedback form on this site; just be sure to include the phrase 'key-signing' in the subject line. I am also listed at biglumber.com, a web page for key signing coordination. Meetings at computer-related fairs are possible as well.

Usually I keep track of upcoming events where key signing would be possible. So if you would like to meet in order to sign keys, check my events diary to find out where I will be.

Prerequisites for signing

The signee (the key owner who wishes to obtain a signature to his/her key from me, the signer) must make his/her OpenPGP key available on a publicly accessible keyserver (see above for example keyservers).

The signee must prove his/her identity to me by way of a valid identity card or a valid driving licence. These documents must feature a photograph of the signee. No other kind of document will be accepted. This also implies that the signee's key must feature his/her real name so that it can be checked against his/her identity card. A key which only contains a pseudonym will not be signed.

For people from outside the European Union I will check both of these documents (identity card and driving licence), since I cannot assess their risk of fraud. Exceptions may be made if there is a good reason for me to do so.

The signee should have prepared a strip of paper with a printout of the output of gpg --fingerprint 0x12345678 (or an equivalent command if the signee does not use GnuPG), where 0x12345678 is the key ID of the key which is to be signed.

A handwritten piece of paper featuring the fingerprint and all UIDs the signee wants me to sign will also be accepted.

The above must take place under reasonable circumstances (i.e. ourselves not being in a hurry, exchanging key data at a calm place and so on).

The act of signing

After having received sufficient proof of identity I will sign the signee’s piece of paper myself to avoid fraud, and eventually sign the signee’s key.

The signed keyblock will then be mailed to the signee, or uploaded to a keyserver if expressly wished.
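The check made against the signee's slip of paper before anything is signed, written out as an added Python example that is not part of this policy page: it parses the output of gpg --fingerprint for the key fetched from the keyserver (a constructed sample with a placeholder key, fingerprint and UIDs), normalises whatever was written or printed on the slip, and reports a mismatched fingerprint, a UID the key does not carry, or a slip that only gives a key ID rather than the full fingerprint. The sample text and the function names are assumptions made for the example.

```python
import re

# Constructed sample of `gpg --fingerprint <key>` output in the GnuPG 2.x
# layout; the key, fingerprint and UIDs are placeholders, not a real key.
SAMPLE_GPG_FINGERPRINT = """\
pub   rsa4096 2013-03-25 [SC]
      0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid           [ unknown] Example Signee <signee@example.org>
uid           [ unknown] Example Signee <signee@example.net>
sub   rsa4096 2013-03-25 [E]
"""

HEX40 = re.compile(r"^[0-9A-F]{40}$")


def normalise_fingerprint(text):
    """Reduce a fingerprint as written on the slip (any spacing or case,
    optional 'Key fingerprint =' prefix or 0x) to 40 upper-case hex digits.
    Anything shorter, e.g. a bare 8- or 16-digit key ID, is rejected: only
    the full fingerprint identifies the key."""
    if "fingerprint" in text.lower() and "=" in text:
        text = text.split("=", 1)[1]
    digits = re.sub(r"\s+", "", text).upper()
    if digits.startswith("0X"):
        digits = digits[2:]
    if not HEX40.match(digits):
        raise ValueError("not a full 40-digit fingerprint: %r" % text)
    return digits


def parse_gpg_fingerprint(output):
    """Return (fingerprint, [uid, ...]) from `gpg --fingerprint` text.
    Handles both the modern bare-fingerprint line and the older
    'Key fingerprint = ...' line."""
    fingerprint, uids = None, []
    for line in output.splitlines():
        if line.startswith("uid"):
            # drop the 'uid' tag and the optional '[ validity]' column
            uids.append(re.sub(r"^uid\s+(\[[^\]]*\]\s*)?", "", line).strip())
            continue
        try:
            candidate = normalise_fingerprint(line)
        except ValueError:
            continue  # pub/sub/blank lines are not fingerprints
        if fingerprint is None:
            fingerprint = candidate
    if fingerprint is None:
        raise ValueError("no fingerprint line found in gpg output")
    return fingerprint, uids


def check_slip(gpg_output, slip_fingerprint, slip_uids):
    """Compare the signee's slip with the key as fetched from the keyserver.
    Returns (ok, problems); every problem is a reason not to sign."""
    problems = []
    key_fingerprint, key_uids = parse_gpg_fingerprint(gpg_output)
    try:
        wanted = normalise_fingerprint(slip_fingerprint)
    except ValueError as exc:
        return False, [str(exc)]
    if wanted != key_fingerprint:
        problems.append("fingerprint on slip %s does not match key %s"
                        % (wanted, key_fingerprint))
    for uid in slip_uids:
        if uid not in key_uids:
            problems.append("UID on slip is not on the key: %r" % uid)
    return not problems, problems


if __name__ == "__main__":
    ok, problems = check_slip(
        SAMPLE_GPG_FINGERPRINT,
        "0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567",
        ["Example Signee <signee@example.org>"])
    print("sign" if ok else "do not sign", problems)
```

Only the UIDs actually written on the slip are compared, matching the policy of signing just the UIDs the signee asks for; a handwritten slip with odd spacing or lower-case hex still passes, while a slip carrying only the short key ID does not.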

Key signing is performed on the understanding that the act of signing is mutual. If the signee fails to sign my key in return I reserve the right to revoke my signature from their key.

Signing requests of transitions to new keys

I have been asked what my position is towards requests from people (whose keys I had already signed) to also sign their new keys.

In principle, I agree to the procedure when I am reasonably sure the request is not bogus/a scam, and the following conditions are met:

Any signing request for a transition to a new key is subject to the following:

  • the request must at least be signed by the still valid original key (which I also signed),
  • the new key must also be signed by the still valid original key (which I also signed),
  • the owner of the new key must cross-sign my keys in return with the new key first,
  • the new key will receive the same level of signature as the still valid original key (which I also signed).

However, such a signing request may be declined without giving reasons. If unsure, enquire first.

Levels of signatures

Level 0

A level of 0 is given to keys of Certification Authorities since in most cases the key owner is a whole organization and not a single person. Usually the fingerprints of those keys have to be verified by getting them from the corresponding website of the CA and cannot be checked by exchange with a member of the CA who is in charge. These signatures are the weakest in my web of trust.

Level 1

If I have had contact with someone through signed or encrypted e-mail over a time long enough to rule out at least temporary man-in-the-middle attacks, and I have verified the key with a key downloaded from his/her personal web page, or signed emails/fingerprints on public mailing lists, but I have not met the person or verified the key in any other way, I may sign the key with cert check level one.

Level 2

A level of 2 is given to sign-only keys. It is not possible to determine whether the owner of the mail account is the same as the key owner, because encryption cannot be used; hence these signatures only receive the lower level of 2.

Level 3

A level of 3 is given to sign-and-encrypt keys: I have met the signee in person, I have verified his identity card (passport, or driving licence) and his key’s fingerprint. I was also able to send my signatures encrypted with the corresponding key of the signee. These signatures are the strongest in my web of trust.

Photographic UIDs will also be signed with a level of 3 if I can still remember the signee's face when I am back at home.

I will also sign keys at level 3 when I know the signee personally; I do not require an ID card or the above formal procedure. A meeting where we exchange fingerprints is enough. Naturally, it would be extremely hard to trick me into signing a false key this way.
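The levels above are recorded on the key itself as the certification class of each signature, and the transition rules earlier on this page can be checked from the same data. As an added Python example that is not part of this policy page, the following script reads the machine-readable gpg --with-colons --list-sigs listing of a key (constructed samples for two placeholder keys, an old one and its replacement), reports the level of every exportable certification, and derives the level a new key should receive: the new key must carry a certification from the still valid old key, and it then gets the level the old key already has from me. All key IDs, fingerprints, names and function names are assumptions made for the example.

```python
# Constructed `gpg --with-colons --list-sigs` output for two hypothetical
# keys; every key ID, fingerprint and name below is a placeholder.
OLD_KEYID = "FEDCBA9876543210"  # the signee's key I certified earlier
NEW_KEYID = "89ABCDEF01234567"  # the signee's replacement key
MY_KEYID = "1111222233334444"   # placeholder for the signer's own key

NEW_KEY_LISTING = """\
pub:u:4096:1:89ABCDEF01234567:1364169600:::u:::scESCA::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1364169600::0000000000000000000000000000000000000000::Example Signee <signee@example.org>::::::::::0:
sig:::1:89ABCDEF01234567:1364169600::::Example Signee <signee@example.org>:13x:::::2:
sig:::1:FEDCBA9876543210:1364256000::::Example Signee (old key) <signee@example.org>:13x:::::2:
sig:::1:9999888877776666:1364256000::::Mailing List Contact <list@example.net>:11x:::::2:
sig:::1:5555666677778888:1364256000::::Example CA <ca@example.com>:10x:::::2:
sig:::1:AAAABBBBCCCCDDDD:1364256000::::Local Only <local@example.org>:13l:::::2:
"""

OLD_KEY_LISTING = """\
pub:u:2048:1:FEDCBA9876543210:1308355200:::u:::scESCA::::::23::0:
fpr:::::::::000011112222333344445555FEDCBA9876543210:
uid:u::::1308355200::0000000000000000000000000000000000000000::Example Signee <signee@example.org>::::::::::0:
sig:::1:FEDCBA9876543210:1308355200::::Example Signee <signee@example.org>:13x:::::2:
sig:::1:1111222233334444:1308441600::::Example Signer <signer@example.org>:12x:::::2:
"""

# RFC 4880 certification classes 0x10-0x13; the cert-check level GnuPG asks
# for with --ask-cert-level (0-3) is the low nibble of the class.
CERT_CLASS_NAMES = {
    0: "generic certification (0x10)",
    1: "persona, no verification claimed (0x11)",
    2: "casual verification (0x12)",
    3: "positive verification (0x13)",
}


def parse_certifications(listing):
    """Return one dict per certification on a user ID of the listed key.
    Field 11 of a sig record (index 10) is the signature class: two hex
    digits followed by 'x' (exportable) or 'l' (local-only)."""
    certs, current_uid = [], None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "uid" and len(fields) > 9:
            current_uid = fields[9]
        elif fields[0] == "sig" and current_uid is not None and len(fields) > 10:
            sig_class = fields[10]
            if len(sig_class) < 2:
                continue
            cls = int(sig_class[:2], 16)
            if 0x10 <= cls <= 0x13:
                certs.append({"uid": current_uid,
                              "signer": fields[4].upper(),
                              "level": cls - 0x10,
                              "exportable": sig_class[2:] == "x"})
    return certs


def _normalise_keyid(keyid):
    keyid = keyid.upper()
    return keyid[2:] if keyid.startswith("0X") else keyid


def level_given_by(listing, signer_keyid):
    """Highest exportable certification level signer_keyid has placed on
    any UID of this key, or None if it has not certified the key at all.
    Local-only certifications are ignored: they never reach a keyserver."""
    want = _normalise_keyid(signer_keyid)
    levels = [c["level"] for c in parse_certifications(listing)
              if c["signer"] == want and c["exportable"]]
    return max(levels) if levels else None


def describe_certifications(listing):
    """(signer, level, class name) for every exportable certification."""
    return [(c["signer"], c["level"], CERT_CLASS_NAMES[c["level"]])
            for c in parse_certifications(listing) if c["exportable"]]


def transition_level(old_key_listing, new_key_listing, old_keyid, my_keyid):
    """Level the new key should receive under the transition rules: the new
    key must carry a certification from the still valid old key, and the
    result is the level I gave the old key. None means decline."""
    if level_given_by(new_key_listing, old_keyid) is None:
        return None
    return level_given_by(old_key_listing, my_keyid)


if __name__ == "__main__":
    for signer, level, name in describe_certifications(NEW_KEY_LISTING):
        print(signer, level, name)
    print("grant level:", transition_level(OLD_KEY_LISTING, NEW_KEY_LISTING,
                                           OLD_KEYID, MY_KEYID))
```

With the samples above the new key is certified by the old one at level 3, and the old key carries a level 2 certification from the signer's key, so the transition rule yields level 2 for the new key; the local-only 13l signature is deliberately ignored because it is never exported to the keyservers the policy relies on.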

Here are some links which you may find useful or interesting: Key signing policies of other people:

Change Log

  • Version 1.0.5.0, 2014-12-14 – Content migrated to new markdown site
  • Version 1.0.4.0, 2013-09-21 – Applied this policy to my smartcard key
  • Version 1.0.3.0, 2013-03-25 – Applied this policy to my second key
  • Version 1.0.2.0, 2013-03-22 – Removed dead URL from links
  • Version 1.0.1.0, 2012-01-19 – Content Recovered from Google Cache
  • Version 1.0.0.0, 2011-11-30 – Initial Release.

About the Author

Stuart McCulloch Anderson
For over a decade and a half Stuart has been in love with all things science fiction or technology, and for almost fourteen of those years his operating system of choice has been one breed of Linux or another. Despite some brief trips back into the world of Windows, Stuart has never found himself wanting anything else.