[Home]GPG/Policy


HomePage | GPG | RecentChanges | Preferences

This is my personal OpenPGP / GPG key-signing policy. You are welcome to use this policy as the basis for your own. I may alter or update this policy at any time and reserve the right not to adhere to it. I am under no obligation to sign or trust a key even if the criteria stated here are met. Variations are at my discretion and asking for a variation is likely to make me trust you less, not more.

Identification

I will accept the following forms of identification:
  1. A UK passport.
  2. A UK photographic driving licence.
  3. An overseas passport.
I will not accept other forms of identification, including:
  1. Overseas driving licence.
  2. A non-photographic UK driving licence.
I will inspect the identification to satisfy myself that it appears to be genuine, so far as I have the skills to determine that. I will also compare the photograph on the identification with the person presenting it. If I am satisfied that the identification is genuine and the person presenting it is the person depicted on it, we will continue.

Fingerprint

  1. You should present me with a printed copy of your GPG fingerprint, which includes your name as on your identification and at least one e-mail address.
  2. If you don't have spare printed copies and if I have the time, I may write down your fingerprint onto a piece of paper. However, this is inconvenient and not a preferred method.
  3. I will note on the fingerprint that I am satisfied that the name on the fingerprint matches that on your identification and that the face on the identification matches your face.
  4. I will also note the form of identification you have presented me with and date the slip for my reference.

Decryption test

  1. Later, I will download your public key from a public keyserver and verify the fingerprint against the slip you gave me.
  2. I will send you some random data encrypted with your public key. The random data will be generated using:
    dd if=/dev/random count=64 bs=1 | hexdump
  3. You should return this data decrypted and signed with your private key.
  4. I will check the validity of the signature and compare the decrypted random data with my copy of the data I originally sent you.
  5. If you use a separate subkey for signing than for decryption (e.g. using a smartcard), I must be able to verify that these keys are linked.
  6. If you do not want me to upload your signed key to a public keyserver, you should tell me at this point.

Signing

If the above procedures are completed successfully, I will sign your key declaring: Having signed your key I will upload it to a public keyserver unless you have specifically asked me not to do so.

Trust

I will set key trust according to the following criteria:

Response times

I will usually send you your encrypted challenge within two or three days of returning home after taking your fingerprint. I will usually sign your key within two or three days of receiving your successfully decrypted challenge. Please e-mail and remind me if I have not completed either stage after a week.

Revocation of my key

I will always give a reason for the revocation of my GPG key so far as is legally possible in the UK.

Signing my key

You are free to use whichever procedure you want to verify my identity and sign keys, including automated scripts if you wish. You may sign them at whichever level and assign whatever trust you want. You may e-mail me the signature or upload it directly to a public keyserver.


HomePage | GPG | RecentChanges | Preferences
This page is read-only | View other revisions
Last edited February 26, 2007 2:19 pm by Tony (diff)
Search: