PGP keysigning policy

The PGP/OpenPGP/GnuPG keysigning policy of David Kaiser
This page, located at http://dkaiser.org/pgp/keysigningpolicy.html, is PGP signed.
To verify the authenticity of this page, run the following commands (GnuPG version):
gpg --recv-keys 5B947AACBF252AB04E3D0C08498B9587A41978AD
wget -q -O- http://dkaiser.org/pgp/keysigningpolicy.html | gpg --verify -
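The one-liner above reports success for a good signature from any key in the local keyring, so a careful reader should also confirm that the signer is the key whose fingerprint this page states. The POSIX shell below is an added example, not part of the original page: it parses the machine-readable lines that gpg emits with --status-fd and accepts only a VALIDSIG carrying the pinned fingerprint; the verify_page helper and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Fingerprint of the signing key as stated on this page.
EXPECTED_FPR="5B947AACBF252AB04E3D0C08498B9587A41978AD"

# check_validsig EXPECTED: read "gpg --status-fd 1" lines on stdin and
# return 0 only if a VALIDSIG line names EXPECTED, either as the signing
# (sub)key fingerprint (field 3) or as the primary key fingerprint (the
# last field). GOODSIG alone is not enough: it carries only the 64-bit
# key ID, not the full fingerprint.
check_validsig() {
    expected="$1"
    found=1
    while IFS=' ' read -r prefix keyword fpr rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        [ "$keyword" = "VALIDSIG" ] || continue
        primary="${rest##* }"
        if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
            found=0
        fi
    done
    return "$found"
}

# verify_page URL (assumed helper): fetch the page and verify its
# signature, pinning the signer to EXPECTED_FPR. Needs network access and
# the key already imported with: gpg --recv-keys "$EXPECTED_FPR"
verify_page() {
    wget -q -O- "$1" | gpg --status-fd 1 --verify - 2>/dev/null \
        | check_validsig "$EXPECTED_FPR"
}

# Constructed sample of gpg status output for a good signature from the
# pinned key (timestamps and algorithm fields are illustrative only).
sample_status_good() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 498B9587A41978AD David Kaiser' \
        '[GNUPG:] VALIDSIG 5B947AACBF252AB04E3D0C08498B9587A41978AD 2015-02-21 1424476800 0 4 0 1 10 01 5B947AACBF252AB04E3D0C08498B9587A41978AD'
}

# Constructed sample: a valid signature, but from some other key.
sample_status_other_key() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 0000000000000000 Someone Else' \
        '[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2015-02-21 1424476800 0 4 0 1 10 01 0000000000000000000000000000000000000000'
}
```

Run `verify_page http://dkaiser.org/pgp/keysigningpolicy.html && echo OK` to apply the check to the live page.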


0.0 Preamble

Signing policy version: 1.0 (For changelog, see section 7.0)

This OpenPGP/GnuPG key signing policy is applicable to key signing done with the following OpenPGP/GnuPG key:

pub 4096R/A41978AD     5B94 7AAC BF25 2AB0 4E3D 0C08 498B 9587 A419 78AD
created: 2011-02-20

This key can be found at dkaiser.org/pgp/dkaiser.dkaiser.org.pgp.publickey.0xA41978AD.asc, though the most up-to-date copy will be my public key on the keyservers pgp.mit.edu and sks-keyservers.net.

This policy is to be found at dkaiser.org/pgp/keysigningpolicy.html.

0.1 Definitions

I, me, my: any references to 'I', 'me' or 'my' refer to David Kaiser.
keys: in this document, when not explicitly stated otherwise, key or keys refers to PGP/OpenPGP/GnuPG keys.
signee: the person requesting their key to be signed by me, David Kaiser, using my personal key A41978AD.

1.0 Key signing conditions

I only sign keys when I have personally met the person who claims to be the owner of said key. Thus, arranging a meeting or attending a keysigning party where I'm present is a requirement for the signee to get their key signed by me.

2.0 Signing levels

GnuPG supports four different signing levels. Below, all of the different levels are listed, and the requirements for the signee to obtain each level are provided.

2.1 Keysigning party modifiers

While keysigning parties are a great way to obtain a lot of signatures, I value the quality of such a signature less. Usually the setting is not optimal: conditions are crowded, noisy and/or really busy, and the sheer number of people attending pressures everyone to quickly continue down the line.
Therefore, a sig 2 will be the highest signature level I give at a keysigning party.

I will obtain your key from one of the major keyservers, verify names, email addresses and fingerprint, and sign accordingly. Any additional non-email UIDs (containing anything other than just the signee's name) and/or photo UIDs will not be signed or sent.

2.2 Signing of photo UIDs

Photo UIDs will only be signed for signees I have known for over a year, or for signees who can provide at least three photo IDs (of which one is government issued), with the requirement that all photo IDs bear a strong resemblance to both the person in real life and the photo UID.

For signing my Photo UID, the photo contained in my public key must match this photo.
[Photo: David Kaiser PGP Photo UID]
The original source of the photo was taken by Andrew McMillan at LCA2011. Used under Creative Commons - Attribution 2.0 Generic - CC BY 2.0 license.

2.3 Signing of non-email UIDs

Non-email UIDs are not signed by me by default. However, there are some exceptions. First of all, just as with all email UIDs, they have to be present on paper during the meeting. Second, if the UID consists of merely the full name, and that name is identical to the full name of one or more email UIDs, I will sign it. For things such as birth date and location, I will have to have verified those during the meeting. During a keysigning party there is hardly any opportunity to do so, unfortunately; therefore, I will not sign non-email UIDs which I was unable to verify during a keysigning party.

3.0 Meeting in person

Aside from meeting in person during a keysigning party, we can arrange a meeting for one on one mutual keysigning. If you like, I can also assure you for CAcert purposes.

3.1 One on one meetings

When meeting one on one, you will want to bring the following:

3.2 Reciprocation

It is typically expected that when I sign a key, my key is signed in return, but there are exceptions, for example if I do not have appropriate photo ID documentation with me. I will typically ask for a reciprocal key signing.

4.0 Signing procedure

After meeting in person, I will sign the key which was verified during said meeting once I am home. The signing will be done using PIUS, which retrieves the key from one of the major keyservers. Therefore, you will want to make sure that the key is present on the keyservers and is up to date.

After signing, PIUS will email your signed public key to each email UID, encrypted to your key where possible. Photo UIDs and non-email UIDs, if signed, will be attached to each email as well.

I reserve the right to not sign a key at my own discretion.

5.0 Transition

I have recently switched to a key of greater strength, and am retiring my original 1024-bit DSA key. I plan on notifying the signers of my old key when I retire and revoke it.

Read my Key Transition Statement, which has also been sent to the signers of my old key.

6.1 Reference Websites

The following sites have been useful references for my transition to a stronger key:

Apache long key transition guide
Strong Keys, by Bdale Garbee
Ana's blog, Creating a new GPG key (linked in Bdale's blog post)
HOWTO prep for migration off of SHA-1 in OpenPGP (from a comment in Ana's blog post)

The following sites have been useful references for various advanced GnuPG/PGP concepts:
PGP Signing A Web Page
Peter Manis blog on using PIUS

7.0 Changelog

21 February 2011 - Version 1.0, first version, all major sections present
22 February 2011 - Version 1.1, second edit, added photo ID, reciprocation and the document is now PGP signed.
27 February 2013 - Version 1.2, added additional keysigning parties SCALE 10x & 11x
21 February 2015 - Version 1.3, changed domain to dkaiser.org; added SCALE 13x keysigning party; use full fingerprint in HTTP links

Supplement: attended keysigning parties

I have attended the following parties:

26 February 2011, SCALE 9x 2011 PGP keysigning.

21 February 2012, SCALE 10x 2012 PGP Keysigning Party.

23 February 2013, SCALE 11x 2013 PGP Key Signing Party.

21 February 2015, SCALE 13x 2015 PGP Key Signing Party.
Software used making this website: GnuPG v1.4.11, Ubuntu Linux, Mozilla Firefox, VIM, GIMP.
