There is an updated policy available here.
This page describes the key signing policy for the following GPG key:
pub   2048D/0x416C5A0DD9FA2EE5 2014-04-06
      Key fingerprint = 7818 9E24 005B 0933 0CF6 2536 416C 5A0D D9FA 2EE5
uid   [ultimate] Jesper Hess Nielsen (Graffen) <email@example.com>
uid   [ultimate] Jesper Hess Nielsen (Graffen) <firstname.lastname@example.org>
uid   [ultimate] Jesper Hess (Jesper Hess Photography) <email@example.com>
sub   4096g/0xFCB67D1CBB8D9F35 2014-04-06 [expires: 2019-05-27]
      Key fingerprint = 3AD6 96FA 68DF 74A9 25BD 741B FCB6 7D1C BB8D 9F35
sub   4096R/0x1D85AE616D747B96 2014-10-15 [expires: 2017-10-14]
      Key fingerprint = 743C 6C56 0AF5 AB38 E0F7 BB30 1D85 AE61 6D74 7B96
There is a signed text version of this file here.
When signing PGP/GPG keys, you are stating that you have established a level of trust in the owner of the key. This trust is necessary for the OpenPGP ecosystem, as OpenPGP is a distributed system that does not rely on a central authority such as Verisign. Thus, the more signatures a single key carries, the more that key can be trusted, and the more keys that carry signatures and sign each other's keys, the larger the Web of Trust.
It's important to understand that signing each other's PGP/GPG keys means you trust each other. However, it's possible that we've gotten a little overzealous in the process. Really, is it necessary to check identification, even if you already know the individual? Of course, it's important to make sure that you have the right key in your possession, so exchanging fingerprints is probably a good idea, but if it's my brother or my boss, is verifying their identification really that important?
One thing to remember is that you are only verifying identity, not identification. It's not critical to know whether or not the person can drive or travel out of the country; it's only important to verify who they are. Of course, if you don't know them, then using some government-issued identification is important.
When using GnuPG to sign someone's key, you will be asked how carefully you have checked their identity. The responses are as follows:
- I will not answer. (default)
- I have not checked at all.
- I have done casual checking.
- I have done very careful checking.
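As an added example (not part of this policy page and not GnuPG's own code), the following POSIX shell script maps the signature class GnuPG records on a key back to the four answers listed above, so you can see at which level the existing signatures on a key were made. It reads the machine-readable output of gpg --with-colons --list-sigs, where field 11 of each sig record holds the class (0x10 to 0x13 for the four levels) followed by x for an exportable or l for a local-only signature. The sample listing embedded in the script is constructed; the signer key ids 0000000000000001 and 0000000000000002 in it are placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the policy page or from GnuPG. It reads the
# machine-readable listing "gpg --with-colons --list-sigs KEY" and maps the
# class of each "sig" record (field 11: two hex digits, then "x" for an
# exportable or "l" for a local-only signature) to the answer the signer gave
# at "gpg --ask-cert-level --sign-key": 0x10 no answer, 0x11 not checked,
# 0x12 casual checking, 0x13 very careful checking.

# Print the certification level recorded in one colon-format "sig" line.
cert_level() {
  case "$1" in
    sig:*) ;;
    *) printf 'not a sig record\n'; return 1 ;;
  esac
  cls=$(printf '%s\n' "$1" | cut -d: -f11)
  cls=${cls%[xl]}                      # strip the exportable/local-only marker
  case "$cls" in
    10) printf 'I will not answer\n' ;;
    11) printf 'I have not checked at all\n' ;;
    12) printf 'I have done casual checking\n' ;;
    13) printf 'I have done very careful checking\n' ;;
    *)  printf 'class 0x%s (not a user-ID certification)\n' "$cls" ;;
  esac
}

# Count third-party certifications made with at least casual checking
# (0x12 or 0x13), the only levels this policy itself signs at. The key's own
# self-signatures are skipped by comparing the signer id with the pub record.
count_checked_certs() {
  n=0; pubid=
  while IFS= read -r line; do
    case "$line" in
      pub:*) pubid=$(printf '%s\n' "$line" | cut -d: -f5); continue ;;
      sig:*) ;;
      *) continue ;;
    esac
    signer=$(printf '%s\n' "$line" | cut -d: -f5)
    [ "$signer" = "$pubid" ] && continue
    cls=$(printf '%s\n' "$line" | cut -d: -f11); cls=${cls%[xl]}
    case "$cls" in 12|13) n=$((n + 1)) ;; esac
  done
  printf '%s\n' "$n"
}

# Constructed sample listing: the policy's own key id, its self-signature, and
# two placeholder signers (ids 0000000000000001/2 are not real keys).
SAMPLE='pub:u:2048:17:416C5A0DD9FA2EE5:1396742400:::u:::scESCA::::::23::0:
uid:u::::1396742400::0000000000000000000000000000000000000000::Jesper Hess Nielsen (Graffen) <email@example.com>::::::::::0:
sig:::17:416C5A0DD9FA2EE5:1396742400::::Jesper Hess Nielsen (Graffen) <email@example.com>:13x:::::::::0:
sig:::1:0000000000000001:1400000000::::Constructed signer one <one@example.invalid>:12x:::::::::0:
sig:::1:0000000000000002:1400000000::::Constructed signer two <two@example.invalid>:10x:::::::::0:'

# Show the level of every signature in the sample, then the count that
# meets this policy's own bar.
printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
  case "$line" in
    sig:*) printf '%s: %s\n' "$(printf '%s\n' "$line" | cut -d: -f5)" "$(cert_level "$line")" ;;
  esac
done
printf 'third-party certifications at casual or better: %s\n' \
  "$(printf '%s\n' "$SAMPLE" | count_checked_certs)"

# Same check against a real keyring, only when gpg is installed.
if command -v gpg >/dev/null 2>&1; then
  gpg --with-colons --list-sigs 0x416C5A0DD9FA2EE5 2>/dev/null | count_checked_certs
fi
```

Against the sample the self-signature is skipped, the casual (0x12) signer is counted and the generic (0x10) signer is not, so the count is 1. A signature made after answering "I will not answer" is therefore indistinguishable from an unchecked one to anyone reading the key later, which is why this policy only signs at casual or very careful.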
Personally, I will only sign keys if I have done at least casual checking or very careful checking. I will not sign a key if I have not verified the ownership of the key, because signing unverified keys weakens the Web of Trust. With that said, if you're interested in receiving a PGP/GPG signature from me, you can take one of the following 4 steps below, and I will sign your key:
I have done very careful checking.
- I will sign your key if we meet in person and, if we don't know each other, exchange government-issued identification and key fingerprints.
- I will sign your key if we cannot meet in person but someone I ultimately trust notifies me that you want a signature, and gives me your key id verbally or in person.
- I will sign your key without meeting in person and without exchanging identification and key fingerprints if I know you very well personally (such as working with you, going to school with you, family, etc.)
I have done casual checking.
- Make a color scan of your personal Danish passport or driver's license.
- On the color scan, hand write your email address and your key id.
- Compose an email with the resulting document, and digitally sign it with your key.
- Send the email to: firstname.lastname@example.org
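As an added example (not code from this page), the following POSIX shell script does two things a requester would do before sending the scan: it checks that the key fetched into the local keyring really carries the fingerprint printed at the top of this page, comparing all 40 hex digits after removing spacing and case differences (never only the short key id at the end), and it then signs and encrypts the scan to that key as the steps above ask. The fingerprint and key id are the ones from this page; the file name scan-with-keyid.pdf and the presence of the key in your keyring are assumptions.

```shell
#!/bin/sh
# Added example, not part of the policy page. Before sending the signed and
# encrypted scan, check that the key you fetched carries the fingerprint the
# policy publishes, then sign and encrypt to it. Fingerprint and key id below
# are the policy's; the file name is an assumption.

POLICY_FPR='7818 9E24 005B 0933 0CF6 2536 416C 5A0D D9FA 2EE5'
POLICY_KEY='0x416C5A0DD9FA2EE5'
SCAN_FILE='scan-with-keyid.pdf'     # assumed name of the annotated colour scan

# Reduce a fingerprint to 40 uppercase hex digits; fail on anything else
# (a short key id, a truncated fingerprint, or an empty string).
normalize_fpr() {
  f=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
  case "$f" in *[!0-9A-F]*) return 1 ;; esac
  [ "${#f}" -eq 40 ] || return 1
  printf '%s\n' "$f"
}

# Succeed only when both arguments are full fingerprints of the same key.
fpr_matches() {
  a=$(normalize_fpr "$1") || return 1
  b=$(normalize_fpr "$2") || return 1
  [ "$a" = "$b" ]
}

# Fingerprint of a key in the local keyring, taken from the "fpr" record
# (field 10) of the colon-format listing; prints nothing if it's not there.
local_fpr() {
  gpg --with-colons --fingerprint "$1" 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}'
}

# The comparison above is pure shell; the keyring steps only run when gpg exists.
if command -v gpg >/dev/null 2>&1; then
  if fpr_matches "$POLICY_FPR" "$(local_fpr "$POLICY_KEY")"; then
    # --sign uses your default secret key; --encrypt makes the scan readable
    # only by the policy owner's key. If gpg refuses because the key is not yet
    # trusted, certify it locally with "gpg --lsign-key" after this check.
    gpg --batch --armor --sign --encrypt --recipient "$POLICY_KEY" "$SCAN_FILE" \
      || echo "gpg could not sign/encrypt $SCAN_FILE" >&2
  else
    echo "fingerprint of $POLICY_KEY does not match the policy; do not send" >&2
  fi
fi
```

The check rejects a match on the 16-digit key id alone because key ids are not unique enough to identify a key; only the full fingerprint is. The resulting armored file is what goes into the mail, so the scan never travels unencrypted.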
Of course, sending me a copy of your passport or driver's license could have some identity fraud ramifications. I am certainly not interested in committing identity fraud, but to be assured, you can black out your address, CPR / social security number, birthday, passport number and/or driver's license number. Basically, I only need enough information to identify the document and your name. Because we aren't meeting face-to-face, the photo isn't necessary. I'll get back in touch with you if too much of the document has been blacked out, or the scan is unclear, or whatever. Please encrypt the mail and the scans so I am the only one who sees the information. I will securely shred, both physically and digitally, any unencrypted copies, should they be needed.