```
pub   rsa4096 2015-01-15 [SCA]
      43D2891A7F42862AFBE6C76FA23EBCD587256EE1
uid           [ultimate] Milo Noblet <milo[@]noblet.me.uk>
uid           [ultimate] Milo Noblet <me[@]milo.me.uk>
uid           [ultimate] Milo Noblet <me[@]milonoblet.co.uk>
uid           [ultimate] [jpeg image of size 2535]
uid           [ultimate] Milo Noblet <mabn1g17[@]soton.ac.uk>
```
This keysigning policy applies to the key 0xA23EBCD587256EE1 and its associated subkeys, as displayed above.
Keysigning is the primary method of strengthening PGP’s Web of Trust. When we sign a PGP key, we are stating that we have a certain level of confidence that the key belongs to its claimed owner. Unlike X.509 (SSL/TLS, S/MIME etc.), which requires a Certificate Authority, PGP has no central authority; generally, the more signatures a key carries, the more that key can be trusted. Ideally, there will be a path from your key to another via a network of such signatures.
There are four levels of PGP key signature:
- 0: generic certification
- 1: persona certification
- 2: casual certification
- 3: positive certification
0: generic certification
I’m reasonably sure that the associated user ID is indeed linked with the key (e.g. I have successfully had an encrypted conversation using that key and UID).
1: persona certification
Another factor has ensured my confidence in the key, e.g. its fingerprint being tweeted from the confirmed account of the holder, or appearing on their business card, letterhead or SSL-encrypted website (in addition to the requirements for level 0).
2: casual certification
I have seen matching photo ID* and the key’s fingerprint together in person, or I know the signee well enough to be confident of their identity when the fingerprint is given via video call.
3: positive certification
I know the signee personally and have received their fingerprint via secure means.
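As an added example (not part of this policy), a small Python script that parses `gpg --with-colons --list-sigs` output, checks the key's fingerprint against one read from a business card or video call, and reports which of the four levels above each third-party signer asserted; the sample output and the signer key IDs in it are constructed.

```python
"""Report which of the four certification levels (0-3) each third-party signer asserted."""
from typing import List, NamedTuple

# OpenPGP certification signature classes 0x10..0x13 are the four policy levels.
CERT_CLASSES = {"10": 0, "11": 1, "12": 2, "13": 3}
LEVEL_NAMES = {0: "generic", 1: "persona", 2: "casual", 3: "positive"}

class Certification(NamedTuple):
    uid: str          # user ID the signature certifies
    signer: str       # long key ID of the signing key
    level: int        # 0..3, as in the policy above
    exportable: bool  # False for local-only ("lsign") certifications

def fingerprint_matches(colon_output: str, expected: str) -> bool:
    """Check the fpr record against a fingerprint as written on a card (spaces, any case)."""
    wanted = expected.replace(" ", "").upper()
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr":
            return fields[9] == wanted   # field 10 of an fpr record holds the fingerprint
    return False

def parse_certifications(colon_output: str) -> List[Certification]:
    """Third-party certifications on every user ID, in output order; self-sigs skipped."""
    certs: List[Certification] = []
    key_id, uid = None, None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            key_id = fields[4]
        elif fields[0] == "uid":
            uid = fields[9]
        elif fields[0] == "sig" and uid is not None:
            sig_class = fields[10]       # field 11, e.g. "13x": class 0x13, exportable
            level = CERT_CLASSES.get(sig_class[:2])
            if level is None or fields[4] == key_id:
                continue                 # not a certification, or a self-signature
            certs.append(Certification(uid, fields[4], level, sig_class.endswith("x")))
    return certs

# Constructed sample, not real gpg output: the policy key above plus two made-up signers.
SAMPLE = """\
pub:u:4096:1:A23EBCD587256EE1:1421280000:::u:::scaESCA::::::23::0:
fpr:::::::::43D2891A7F42862AFBE6C76FA23EBCD587256EE1:
uid:u::::1421280000::0000000000000000000000000000000000000000::Milo Noblet <milo[@]noblet.me.uk>::::::::::0:
sig:::1:A23EBCD587256EE1:1421280000::::Milo Noblet <milo[@]noblet.me.uk>:13x:::::2:
sig:::1:0123456789ABCDEF:1500000000::::Example Signer <signer@example.org>:12x:::::2:
sig:::1:FEDCBA9876543210:1500000000::::Local Only <local@example.org>:10l:::::2:
"""
```

Run it against `gpg --with-colons --list-sigs <keyid>` output to see what level each signer actually claimed, rather than treating every signature as equal.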
If you have a query or would like me to sign your key, email me at the primary UID associated with the key above, with “key-signing” in the subject line.