0.0 Preamble

Signing policy version: 1.0 (For changelog, see section 7.0)

This OpenPGP/GnuPG key signing policy is applicable to key signing done with the following OpenPGP/GnuPG key:

pub 4096R/A41978AD 2011-02-20 - Key fingerprint = 5B94 7AAC BF25 2AB0 4E3D 0C08 498B 9587 A419 78AD

This key can be found on cdk.com/pgp/dkaiser.cdk.com.pgp.publickey.0xA41978AD.asc, though the most up to date will be my public key on keyservers pgp.mit.edu and sks-keyservers.net.

This policy is to be found at cdk.com/pgp/keysigningpolicy.html.

0.1 Definitions

I, me, my: any references to 'I', 'me' or 'my' refer to David Kaiser.
keys: in this document, when not explicitly stated otherwise, key or keys refers to PGP/OpenPGP/GnuPG keys.
signee: the person requesting their key to be signed by me, David Kaiser, using my personal key A41978AD.

1.0 Key signing conditions

I only sign keys when I have personally met the person who claims to be the owner of said key. Thus, arranging a meet or attending a keysigning party where I'm present, is a requirement for the signee to get their key signed by me.

2.0 Signing levels

GnuPG supports four different signing levels. Below, all of the different levels are listed, and the requirements for the signee to obtain each level is provided.

• sig (0x10): the regular non-specified signature, used by me only for signing automated, non-personal keys, such as CAcert's GPG key.
• sig 1 (0x11): not currently used by me.
• sig 2 (0x12): 'I have done casual checking', so used for signing keys checked during keysigning parties, or in other massive and non-relaxed, non-quiet signing meet-ups. While a positive picture ID is required, careful checking was not possible.
• sig 3 (0x13): 'I have done careful checking', used by me for one-on-one keysigning, where multiple positive ID's are exchanged and checked for security features based on online indexes of such features.

2.1 Keysigning party modifiers

While keysigning parties are a great way to obtain a lot of signatures, the quality of the signature will be valued less by me. Usually the setting is not optimal, due to conditions being crowded, noisy and/or really busy and the sheer amount of people attending pressures everyone to quickly continue down the line.
Therefore, a sig 2 will be the highest signature given by me.

I will obtain your key from one of the major keyservers, verify names, email, fingerprint and sign accordingly. Any additional uid's that are non-email (and contain anything else than just the name of signee) and/or picture uid's will not be signed and sent.

2.2 Signing of photo uid's

Photo uid's will only be signed for signees I have known for over a year or signees who can provide at least three photo ID's (of which one is goverment issued) and meet the requirements of all photo ID's bearing a strong resemblance to both real life and photo uid.

For signing my Photo UID, the photo contained in my public key must match this photo.

The original source of the photo is This photo of me, taken by Andrew McMillan at LCA2011. Used under Creative Commons - Attribution 2.0 Generic - CC BY 2.0 license.

2.3 Signing of non-email uid's

Non-email uid's are not signed by me by default. However, there are some exceptions. First of all, just as with all email uid's, they have to be present on paper during the meeting. Second, if the uid consists of merely the full name, which is identical to the full name of one or more email uid's, I will sign. For things such as birth date and location, I will have to have verified those during the meeting. During a keysigning party there is hardly opportunity to do so, unfortunately, therefore, I will not sign non-email uid's which I were unable to verify during a keysigning party.

3.0 Meeting in person

Aside from meeting in person during a keysigning party, we can arrange a meeting for one on one mutual keysigning. If you like, I can also assure you for CAcert purposes.

3.1 One on one meetings

When meeting one on one, you will want to bring the following:

• - A piece of paper with the output of gpg --fingerprint
• - At least one government issued ID, valid, with a photograph if possible
• - Any additional ID's, cards or documents to further verify your identity
   -- all with photos if seeking signing of photo uid
• - Enough time to attend the meeting without any rush (approx 10-15 minutes)

3.2 Reciprocation

It is typically expected that for a key to be signed by me, that my key be signed in return, but there are exception cases, if I do not have appropriate photo ID documentation, for example. I will typically ask for a reciprocal key signing.

4.0 Signing procedure

After meeting in person, I will sign the key which was verified during said meeting, when home. The signing will be done using PIUS, which extracts the key from one of the major keyservers. Therefore, you will want to make sure that the key is present on keyservers and is up to date.

After signing, PIUS will email your signed public key to each of the uid's encrypted, if possible. Photo uid's and non-email uid's, if signed, will be attached to each email as well.

I reserve the right to not sign a key at my own discretion.

5.0 Transition

I have recently switched to a key of greater strength, and am retiring my original 1024 DSA key. I plan on notifying signers that have signed my old key when I retire and revoke it.

Read my Key Transition Statement which has also been sent to signers of my old key.

6.0 External links

The following sites have more info on my PGP key:

PGP key pathfinder & statistics (pgp.cs.uu.nl)

My key at hkp pgp.mit.edu
My key at hkp sks-keyservers.net

6.1 Reference Websites

The following sites have been useful reference for my transition to a stronger key:

Apache long key transition guide
Strong Keys, by Bdale Garbee
Ana's blog , Creating a new GPG key (linked in Bdale's blog post)
HOWTO prep for migration off of SHA-1 in OpenPGP (from a comment in Ana's blog post)

The following sites have been useful reference for various/advanced GnuPG/PGP concepts:
PGP Signing A Web Page
Peter Manis blog on using PIUS

7.0 Changelog

21 February 2011 - Version 1.0, first version, all major sections present
22 February 2011 - Version 1.1, second edit, added photo ID, reciprocation and the document is now PGP signed.

8.0 Copyright and licensing

This keysigning policy is copyrighted by David Kaiser, 2011.

Structure and contents may be used under the conditions of the Creative Commons Attribution-Noncommercial-Share Alike 3.0 license.

Inspiration for this policy has been drawn from the following:
ewald.tienkamp.info - keysigning policy and portions have been used by permission of Creative Commons license listed in that page

Supplement: attended keysigning parties

I have attended the following parties:

26 February 2011, SCALE 9x 2011 PGP keysigning.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQIcBAEBCAAGBQJNZHoXAAoJEEmLlYekGXitWQ8QAJJqTnaQFYirZDbQbTA3zEig
Pdo2XCP0NhH/vgy5gOzVwwoVSEgUx2BHEtielLuRuZyajMUlaJBRRaXC+WaWC0BC
0x7iXVhnBLBKHkGIjNTJHzoKdbDkB6/i6gXcpU19hk1rBxH6uyekazSOQQWzgZaG
wSK+yBg9Yg6SFROYGW4K9GA9gu7qjlKcD9A3J+cn00u21/yVeStE+cOHKDqe8Imf
AkyaglTYmxrbek6yqSEeAIm6nLiVePztx5+swOafiY6GRntnlU/7o+wspHrPgCNO
8YTUnOp1yiZXGj7Na7bCUG6YcjaVqzZ9aZhZiAiLiBTyImrkQS9Q/j3rzg1Tz78T
vkUo4roJb0dqGt9+Qh5HIMEYyOOGcgmVl7rWTsslxyfkN6WGbU8gdRtW/KS38A7Y
BQjVJKM0MvyDw1U19X50qt9EMIF6ZLTPGOvX1LoKlMqsXwyri6BV5ScoErq7Vip6
WBscSfvHa0nQW1XTv7gp9MVf45SQwngzHynjc/RiaBwN1QbgjuY9Dh24EqUy2+om
j1VqE6ZEstOMJM7nYqM1R9lk0KI0SYfWXwalFQuaQOc7E0PC/wzH3ekY5e8J3Ir3
hUjP7aA1MEFFG3zyA7Ze1JN3DmXqEUREPJPFhHvZCFIWDrCrkaBtYrIaN/PicV5E
wfORZrf8gw1pE11YTxVM
=x0AL
-----END PGP SIGNATURE-----