-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is the Key Signing policy for my OpenPGP key with the fingerprint

8116 EA60 4039 1437 E28A CCA8 A0B3 1F88 E812 3356

There are generally three types of identity asserted by the uids
associated with a key: photo, name and e-mail address. I use different
means of verifying these three types of identity. Where more than one
type of identity is asserted in a single uid (as is common for name and
email address) I will sign at the highest level met by all identities
claimed by the uid.

Strict Verification(sig3)
=========================

Name
- ----

EITHER I have known you for at least ten years.

OR You present some government issued photo id in whose provenance I am
confident. In this latter case:

i) The photo in the photo id appears to be the person claiming the key.
ii) The name in the photo id matches the name on the uid. I will accept
minor variations depending on my familiarity with normal variations and
short forms in the language/culture from which the name appears to
derive. I will not sign names which consist of a single name plus
initials.

Email
- -----

The key in question must have a valid encryption key. I will sign the
key and send it encrypted with itself to the email address in question.
I will keep the key with the signed uid separate from my normal keyring
(usually by means of a tool like caff or monkeysign) to prevent
confusion.

Photo
- -----

I will compare a copy of the photo embedded in the uid to the actual
person and sign if I believe they are the same person. This will
normally require prior arrangement.

Casual Verification(sig2)
=========================

Name
- ----

As with Strong Verification but I will sign single name plus initials if
I believe this to be a reasonable representation of the name on the
photo ID.

Email
- -----

Where no encryption key is available I will send a challenge to the
e-mail address in question and if it is returned to me signed with an
appropriate signing key I will sign the key and send it to the e-mail
address in question.

Photo
- -----

I will take a photo of the individual in question (with their consent)
and later compare it to the photo associated with the key. If I am
satisfied they are photos of the same person I will sign the key.

No Verification(sig1)
=====================

I will not use this level.

Generic Certification(sig)
==========================

I will use this level where the requirements for Full or Casual
certification have not been met but I am reasonably confident of the
identity claimed. Past examples include using an id card issued by my
employer to verify identity or signing keys associated with a particular
role rather than a person.

Trust Signatures
================

I may issue these in combination with generic certification when:

i) They are restricted to a particular domain name.
ii) I am confident that the person requesting the signature either is or
represents the owner of the domain name.
iii) There is some evidence that the depth and level of trust are
necessary and appropriate.

Revocation
==========

Where I have made an error or I believe circumstances have changed such
that the identities asserted by a uid I have signed are no longer true I
will revoke the signatures and upload the revocations to the appropriate
key servers.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----