PGP keysigning policy

pub   rsa4096 2015-01-15 [SCA] 
uid           [ultimate] Milo Noblet <milo[@]>
uid           [ultimate] Milo Noblet <me[@]>
uid           [ultimate] Milo Noblet <me[@]>
uid           [ultimate] [jpeg image of size 2535]
uid           [ultimate] Milo Noblet <mabn1g17[@]>

This keysigning policy applies to the key 00xA23EBCD587256EE1 and associated subkeys, as displayed above.

Keysigning is the primary method of improving PGP’s Web of Trust. When we sign PGP keys, we are stating that we have a certain level of trust in the owner of the key. PGP does not have a central authority, unlike X.509 (SSL, S/MIME, etc.), which requires a Certificate Authority; generally, the more signatures that exist on a key, the more that key can be trusted. Ideally, there will be a path from your key to another via a network of signatures.

There are four levels of PGP key signature:

  • 0: generic certification
  • 1: persona certification
  • 2: casual certification
  • 3: positive certification

0: generic certification

I’m reasonably sure that the associated user ID is indeed linked with the key (e.g. I have successfully had an encrypted conversation using that key and UID).

1: persona certification

Another factor has ensured my confidence in the key, e.g. its fingerprint being tweeted from the confirmed account of the holder, or it being on their business card/letterhead/SSL-encrypted website (in addition to the requirements for level 0).

2: casual certification

If I have seen matching photo ID* and the key’s fingerprint together in person, or I know the signee well enough to be confident of their identity when the fingerprint is given via video call.

3: positive certification

If I know the signee personally and have received their fingerprint via secure means.
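The four levels above are the OpenPGP certification signature classes 0x10 to 0x13, and they are what you see when you inspect the signatures on a key. The following is an added example, not part of this policy or of GnuPG itself: it parses the colon-separated records produced by `gpg --list-sigs --with-colons` and reports, for each user ID, which level each signer chose and which signatures are exportable. The listing it runs on is constructed for the example (key IDs, names and timestamps are invented), so that it runs offline; the field positions follow the record layout documented in GnuPG's DETAILS file.

```python
# Added example (not the policy author's code): classify the certification
# level of every signature on a key from `gpg --list-sigs --with-colons`.
# Signature classes 0x10..0x13 (RFC 4880 section 5.2.1) map one-to-one onto
# the levels 0..3 described in the policy above.
from dataclasses import dataclass
from typing import Dict, List

CERT_LEVEL_NAMES = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}


@dataclass
class Certification:
    uid: str            # user ID (or attribute) the signature certifies
    signer_keyid: str   # long key ID of the signing key (field 5 of the sig record)
    level: int          # 0..3, i.e. signature class minus 0x10
    level_name: str     # "generic", "persona", "casual" or "positive"
    exportable: bool    # class suffix "x" = exportable, "l" = local-only signature


def _unescape_uid(raw: str) -> str:
    # gpg writes ':' inside user IDs as \x3a in colon-separated output
    return raw.replace("\\x3a", ":")


def parse_certifications(listing: str) -> List[Certification]:
    """Walk the colon-format records and collect UID certifications.

    Field 1 = record type, field 5 = key ID, field 10 = user ID,
    field 11 = signature class such as "13x" or "10l". Signatures that
    follow a sub/ssb record are subkey bindings, not certifications.
    """
    certs: List[Certification] = []
    current_uid = None
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "uid":
            current_uid = _unescape_uid(fields[9])
        elif rtype == "uat":
            # photo / attribute IDs carry "<count> <size>" instead of a name
            current_uid = f"[attribute {fields[9]}]"
        elif rtype in ("pub", "sub", "ssb"):
            current_uid = None
        elif rtype == "sig" and current_uid is not None:
            sig_class_field = fields[10]
            sig_class = int(sig_class_field[:2], 16)
            if sig_class not in CERT_LEVEL_NAMES:
                continue  # revocations (0x30) and other classes are not certifications
            certs.append(Certification(
                uid=current_uid,
                signer_keyid=fields[4],
                level=sig_class - 0x10,
                level_name=CERT_LEVEL_NAMES[sig_class],
                exportable=sig_class_field.endswith("x"),
            ))
    return certs


def best_third_party_level(certs: List[Certification], own_keyid: str) -> Dict[str, int]:
    """Highest level each UID has received from someone other than the holder.

    The self-signature is always class 0x13 and says nothing about the
    Web of Trust, so it is excluded.
    """
    best: Dict[str, int] = {}
    for c in certs:
        if c.signer_keyid == own_keyid:
            continue
        best[c.uid] = max(best.get(c.uid, -1), c.level)
    return best


# Constructed listing (invented key IDs, names and dates) in gpg's colon format.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1421280000:::u:::scESCA::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA987654321001234567:
uid:u::::1421280000::HASH1::Example Holder <holder@example.invalid>::::::::::0:
sig:::1:0123456789ABCDEF:1421280000::::Example Holder <holder@example.invalid>:13x:::::::::
sig:::1:89ABCDEF01234567:1500000000::::Alice Signer <alice@example.invalid>:12x:::::::::
sig:::1:0011223344556677:1500100000::::Bob Signer <bob@example.invalid>:10l:::::::::
uat:u::::1421280000::HASH2::1 2535:::::::::0:
sig:::1:0123456789ABCDEF:1421280000::::Example Holder <holder@example.invalid>:13x:::::::::
sub:u:4096:1:7766554433221100:1421280000::::::e::::::23:
sig:::1:0123456789ABCDEF:1421280000::::Example Holder <holder@example.invalid>:18x:::::::::
"""

if __name__ == "__main__":
    found = parse_certifications(SAMPLE_LISTING)
    for c in found:
        kind = "exportable" if c.exportable else "local-only"
        print(f"{c.uid}: {c.signer_keyid} signed at level {c.level} ({c.level_name}, {kind})")
    print(best_third_party_level(found, "0123456789ABCDEF"))
```

Bob's signature in the sample has the `l` suffix, which means it was made with `--lsign-key` and will not be exported with the key, so it contributes nothing to anyone else's view of the Web of Trust; only Alice's casual (level 2) certification counts for third parties.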

Key signing

If you have a query or would like me to sign your key, email me at the primary uid associated with the key above with key-signing in the subject line.