PGP Key Signing Policy

There are already a number of tutorials out there on how to sign other people's PGP keys, as well as many recommendations on when you should. My own policies are pretty similar to those, but I'm documenting them here so they're official. You can base your own policies on this if you want, or you can use it to decide how much to trust my signatures. The four levels below are the certification levels GnuPG offers when you sign a key with --ask-cert-level (0 through 3), and the level I pick depends on how the fingerprint and the identity were verified.

(3) I have done very careful checking.

Myself

I’ll probably give any of my own keys a level 3 signature, since I know those are mine.

People I know personally

If I know someone well, I may sign their key at level 3 after verifying their fingerprint in person, with no additional verification of their identity. I will then email them the signed key at the address listed on the key, encrypted to that key, to ensure that they control both the email address and the associated private key.

Other people

If I don't know someone well, I'll follow the above steps, except that I additionally require some form of photo ID from a major, reputable organization such as a government, university, or well-known company.

(2) I have done casual checking.

Signed by a well-trusted key

If a key has been signed by another key that I trust enough to have signed it at level 3, I may sign it at level 2 after confirming the fingerprint through another channel that is either live (a call or video conference) or end-to-end encrypted without relying on PGP (Signal, for example). As usual, I will email the signed key to the address in the signed identity, encrypted to the key.

Unsigned

When in-person verification is impossible, I may sign someone's key at level 2 after confirming their fingerprint through at least two channels of communication: at least one must be end-to-end encrypted (either with a PGP key I already trust or with something other than PGP, such as Signal), one must be live video, and one must be publicly advertised. Additionally, I'd require a picture (taken at an angle and/or with a shadow cast over it) of a reputable photo ID, although information other than the name and photo may be obscured. I will then send the signed key in the same manner as above.

(1) I have not checked at all.

Signed by a well-trusted key

After confirming the fingerprint over at least one medium other than the email address listed in the key, I may sign it at level 1 and send it via the usual means.

Unsigned

I may, although very rarely, sign a key at level 1 based on a consistent pattern of the key proving correct over time. It will still be sent via my normal method.

(0) I will not answer.

I will never use this level. If you see a key signed by me at level 0, you should disregard the signature.
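If you want to apply this policy mechanically, the level a signer chose is recorded in the certification itself: OpenPGP signature types 0x10 through 0x13 are the four user-ID certification types, and GnuPG reports them in field 11 of each sig record in `gpg --with-colons --list-sigs` (or `--check-sigs`) output. The script below is an added example, not part of the original post, that parses that output, labels every certification with its level, and drops the ones this policy says to ignore (level 0, self-signatures, and local non-exportable signatures). The key IDs, names, and addresses in the embedded listing are constructed placeholders, and the listing is in the exact colon-separated shape gpg emits; run it against real output with `gpg --with-colons --check-sigs KEYID | python3 certlevels.py` (the file name is an assumption).

```python
"""Decode OpenPGP certification levels from `gpg --with-colons --list-sigs`.

Added example, not from the original post. SAMPLE_LISTING is constructed;
every key ID, name and address in it is a placeholder.
"""
import sys

# Field 11 of a `sig` record is the signature class (RFC 4880 section 5.2.1),
# two hex digits followed by 'x' (exportable) or 'l' (local, non-exportable).
# 0x10..0x13 are the user-ID certification types GnuPG labels as levels 0..3.
CERT_LEVELS = {
    "10": (0, "I will not answer"),
    "11": (1, "I have not checked at all"),
    "12": (2, "I have done casual checking"),
    "13": (3, "I have done very careful checking"),
}

# Constructed sample: one key, one user ID, a self-signature at level 3,
# a level 2 and a level 0 certification from two other keys, and a local
# (non-exportable) level 3 certification that will never leave this keyring.
SAMPLE_LISTING = """\
pub:u:4096:1:AABBCCDDEEFF0011:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>::::::::::0:
sig:::1:AABBCCDDEEFF0011:1500000000::::Alice Example <alice@example.org>:13x:::::2:
sig:::1:1122334455667788:1600000000::::Bob Reviewer <bob@example.org>:12x:::::2:
sig:::1:8877665544332211:1600000000::::Carol <carol@example.org>:10x:::::2:
sig:::1:99AABBCCDDEEFF00:1600000000::::Dave <dave@example.org>:13l:::::2:
"""


def parse_certifications(listing):
    """Return one dict per user-ID certification found in a colon listing.

    With --check-sigs, field 2 of a sig record is '!' (good), '-' (bad),
    '%' (error) or '?' (signer key missing); bad and erroring signatures are
    skipped. With --list-sigs the field is empty and nothing is verified, so
    'verified' is False for every entry.
    """
    certs = []
    owner_keyid = None
    current_uid = None
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            owner_keyid = fields[4]
        elif rtype == "uid":
            current_uid = fields[9]
        elif rtype == "sig" and current_uid is not None:
            if fields[1] in ("-", "%"):
                continue  # signature does not verify; never count it
            sig_class = fields[10]
            code, flag = sig_class[:2], sig_class[2:]
            if code not in CERT_LEVELS:
                continue  # e.g. 0x1F direct-key or 0x18 subkey binding sigs
            level, meaning = CERT_LEVELS[code]
            certs.append({
                "uid": current_uid,
                "signer_keyid": fields[4],
                "signer_uid": fields[9],
                "level": level,
                "meaning": meaning,
                "exportable": flag == "x",
                "self_sig": fields[4] == owner_keyid,
                "verified": fields[1] == "!",
            })
    return certs


def effective_level(certs, signer_keyid):
    """Highest level a given signer placed on any user ID of the key.

    Applies the policy above: level 0 is disregarded. Self-signatures say
    nothing about third-party checking and local signatures never reach
    anyone else, so both are ignored too. Returns None if nothing counts.
    """
    levels = [
        c["level"] for c in certs
        if c["signer_keyid"] == signer_keyid
        and c["level"] > 0
        and not c["self_sig"]
        and c["exportable"]
    ]
    return max(levels, default=None)


def report(listing):
    """Human-readable summary, one line per certification."""
    lines = []
    for c in parse_certifications(listing):
        tags = []
        if c["self_sig"]:
            tags.append("self-sig")
        if not c["exportable"]:
            tags.append("local-only")
        if c["level"] == 0:
            tags.append("disregard")
        suffix = " [" + ", ".join(tags) + "]" if tags else ""
        lines.append(f'{c["uid"]}: level {c["level"]} ({c["meaning"]}) '
                     f'by {c["signer_keyid"]}{suffix}')
    return "\n".join(lines)


if __name__ == "__main__":
    # Read real gpg output from stdin if piped in, otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    print(report(data))
```

Note that `--list-sigs` only lists certifications; use `--check-sigs` (with the signers' public keys in your keyring) if you want the `verified` flag to mean anything, since an unverified sig record is just an unverified claim about who signed.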