-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Key-Signing Policy for 0xD3524C51
=================================

1. Pre-requisites for signing
- ------------------------------

1.1 I only sign keys when the holder can provide government-issued
photographic ID in person by mutual appointment. The signee must also
provide his/her key fingerprint, other properties and all user IDs that
he/she wishes to have signed.

1.2 Exchange of materials must take place under reasonable circumstances,
including exchanging key data at a calm pace. If rushed, I will refuse to
sign the key until another, more suitable time.

1.3 The signee should make his/her public key available to key servers
unless there is good reason not to.

1.4 On occasion, I may waive the requirement for photographic ID where I
have a personal and long-standing relationship with the key holder (for
example, close members of family). In this situation, the identification
material on the key must still match the holder.

1.5 To strengthen the Web of Trust, and assuming that I am happy with the
key holder's signing procedures and care over his/her own key, I require a
cross-signature from the target key unless there is good reason not to do
so.

2. Key signing protocol
- ------------------------

2.1 I will not sign keys until I have returned home and checked the
fingerprint and other material against that supplied by the key holder.
Under no circumstances will I sign keys through any means not wholly under
my control.

2.2 If I am satisfied that the key holder is genuine and that the key
material is bona fide, I will sign it with an appropriate trust level.

2.3 For keys with encryption ability, the signature for each UID will be
sent encrypted to the associated email address. This verifies both that the
UID is genuine and can receive mail, and that the key holder is in control
of the address. For sign-only keys, I will follow the same process without
encryption.

2.4 I do not send signatures directly to key servers unless the holder
responds to the challenge asking me to do so in an email signed by the key
in question.

3. Signature levels
- --------------------

Level 3: This level is issued to keys with an encryption ability only. It
indicates that I have met the holder in person and exchanged suitable
photographic ID, verified the key fingerprint and challenged the address
associated with each UID. If the key includes a photographic ID, it will
also be signed where it can be verified.

Level 2: This level is issued to sign-only keys. It indicates that I could
not verify that the address associated with the key is available to the
key holder, because encryption could not be used.

Level 1: I do not use this level because I never sign keys without
appropriate verification and will never do so.

Level 0: This level is used for Certification Authorities because
generally, the holder is an organisation and not a single person. I very
rarely use this level.

4. Storage and protection of my own key
- ----------------------------------------

4.1 This key is stored solely on a machine entirely under my control and
protected with a symmetric phrase that I change from time to time. It is a
sign-only key with an encrypting subkey so that I can rotate it without
loss of signatures.

4.2 A physical copy of this key and the revocation certificate is stored in
a safe at a trusted, off-site location. I entirely trust the custodian of
this copy.

4.3 From time to time, I may generate subkeys for a specific purpose (for
example, during a software project). These subkeys have a limited life, are
protected with a suitable symmetric phrase, and are revoked when they are
no longer in use.

5. Contacting me to verify a signature
- ---------------------------------------

5.1 I will happily verify a signature where there is good cause to do so
(in other words, where the request is not frivolous or repeated).
You may contact me in an encrypted message at debian!jwiltshire-org-uk,
substituting anti-robot characters appropriately.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQIcBAEBCAAGBQJKNR7QAAoJEFOUR53TUkxRDK4QAK3JFGM/1V6wa7Jwf+gOW06P
mf4/Peia43ftJ7ZpFAUge4bCGfXjhGriPZruDCYt1R2O3Eahu0SPIIdjYtPjlKmk
Lf6VmwAzTouQiXAtWjb9BFBTGomQlCXkFB13PfugDAmH0oChsbXk7rVYc2toQllz
wOQZDUGm6j8ZvCQdAQTKZmjxwjaXaWB43zuhJisV7npfVoBc0CwBqlv86VV+/SH8
QkF59XCE4ma+4yah4Ig9HW1rXndHxKMfHRaIlvYjjWwWz29xitd3W5AkZVMHajjP
x9k7HDvwr+fuLDWmzLBneiiYcAcUVsfqMPiEH8HGa2izcO167gHHiGT6Xz1MxoiA
RJzf4jg4G+6QvPzbczVOUzGqnEk78IJgTNZUUM9uIfl83urWYZvH85ZsfpFBnbXQ
kB+NTujajmd4+ibpUOePKypmVhdkt58dHMRa6iGbgfUUI9Dj8P23lUjfr8MdXYVQ
Q7W4skg7PrfEUNK5z9DyW23PqXBfPZHLwM/nY3LiJsT2cmVic8fQtlHrCqzPfZnR
5Zw4jwu1mxvCF0xks7lWZ3yh/0EZh/ZjZUTK1xcCcEvoPs3SfeUtp3ykvqv118UH
fCdjUghxJJN2bG7FuNE9IEsQvhpZ+Q1xuxZCW7ztoIOKVbjQt7iG6TJyTd3c0kyZ
x4ovDsQ/fB6p+17ZNBVM
=m4wX
-----END PGP SIGNATURE-----
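Editor's note, outside the signed text above: the per-UID challenge that sections 2.3 and 2.4 describe (certify one user ID, export a keyblock carrying only that certification, encrypt it to the address on that UID so only someone who can both read that mailbox and decrypt with the key can return it) can be scripted with GnuPG. The script below is an added example, not the policy author's tooling and not part of the signed message; it assumes GnuPG 2.1 or later on PATH (for --quick-gen-key, --quick-sign-key and --export-filter) and builds everything in a throw-away GNUPGHOME from constructed keys. The names and the .invalid addresses are placeholders; in real use the signer's own key replaces the generated "Signer" key and the encrypted file is mailed to the address on the UID.

```shell
#!/bin/sh
# Added example (editor's, not from the signed policy): a per-UID signing
# challenge in the style of sections 2.3/2.4, run entirely inside a scratch
# GNUPGHOME with constructed keys. Requires GnuPG 2.1+ on PATH.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; exit 1; }

GNUPGHOME=$(mktemp -d)          # scratch keyring; the real one is untouched
export GNUPGHOME
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

# Placeholder identities (.invalid is a reserved TLD, so nothing is real).
SIGNER=signer@example.invalid
HOLDER_HOME=holder@example.invalid
HOLDER_WORK=holder@work.invalid

# Unattended gpg: batch mode, no passphrase, loopback pinentry.
gpg_q() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

gpg_q --quick-gen-key "Signer <$SIGNER>" default default never
gpg_q --quick-gen-key "Holder <$HOLDER_HOME>" default default never

# Fingerprint and long key ID from the machine-readable (colon) listing.
fpr_of()   { gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'; }
keyid_of() { gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="pub"{print $5; exit}'; }

HOLDER_FPR=$(fpr_of "$HOLDER_HOME")
SIGNER_KEYID=$(keyid_of "$SIGNER")

# Give the holder's key a second UID, as most real keys have, so the
# challenge for one UID can be told apart from the other.
gpg_q --quick-add-uid "$HOLDER_FPR" "Holder <$HOLDER_WORK>"

# Certify exactly one UID (2.3), export a keyblock that keeps only that UID
# (and therefore only that certification), and encrypt it to the address on
# it. Per 2.4 nothing goes to a key server until the holder decrypts this
# and asks for it in a message signed by the key in question.
challenge_uid() {
  fpr=$1; addr=$2; out=$3
  gpg_q -u "$SIGNER" --quick-sign-key "$fpr" "$addr"
  gpg --batch --armor --export --export-filter "keep-uid=uid =~ $addr" "$fpr" \
    | gpg --batch --yes --trust-model always --armor --encrypt \
          --recipient "$addr" --output "$out"
}

# Count certifications by the signer's key on the UID matching $2; the
# holder's own self-signatures are excluded by key ID.
sigs_by_signer_on() {
  gpg --batch --with-colons --list-sigs "$1" \
    | awk -F: -v addr="$2" -v kid="$SIGNER_KEYID" '
        $1=="uid" { inuid = index($10, addr) > 0 }
        $1=="sub" { inuid = 0 }
        $1=="sig" && inuid && $5==kid { n++ }
        END { print n + 0 }'
}

CHALLENGE="$GNUPGHOME/challenge-work.asc"
challenge_uid "$HOLDER_FPR" "$HOLDER_WORK" "$CHALLENGE"

echo "signer certifications on $HOLDER_WORK: $(sigs_by_signer_on "$HOLDER_FPR" "$HOLDER_WORK")"
echo "signer certifications on $HOLDER_HOME: $(sigs_by_signer_on "$HOLDER_FPR" "$HOLDER_HOME")"
echo "encrypted challenge for $HOLDER_WORK written to $CHALLENGE"
```

Only the work UID ends up certified, and the exported keyblock that gets encrypted contains no certification for the other UID, so the holder cannot obtain a signature for an address they do not control by answering a challenge sent to a different one. The Level 2 rule for sign-only keys follows directly: without an encryption subkey the `--encrypt` step has nothing to encrypt to, and receiving the mail no longer proves control of the address.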