The OpenPGP standard specifies four types of signatures on
public keys, numbered from 0x10 to 0x13. These are listed in
the Signature Types section of the standard. (Different
programs may represent these levels differently—GnuPG displays
nothing for 0x10 and numbers 0x11 through 0x13 as 1 through 3.)
I shifted my use of these values in 2010 to more closely match
the wording in the RFC. For any signature made by me in 2010
or later, here is what I mean by each value:
0x10
Unused. If I managed to use this value, it was a mistake and
I apologize.
0x11
Email address verification only. I have verified that the
email address listed in the UID is associated with the owner
of the key. I do not make any claims about the name in the
UID.
0x12
Email address verification and cursory identity verification.
I have verified that the name in the UID matches a photo ID
that I reasonably trust to be accurate in some sense
(e.g. passport, driver's license in a state with which I am
familiar, work ID for an employer I trust, etc.). I have also
verified that the email address in the UID belongs to the key
owner.
0x13
Significant personal knowledge of the person's identity. I
have known this person for a significant period of time; the
UID accurately represents my understanding of their identity.
For signatures made in 2009 and earlier, the values have the
following meanings:
0x10
Uncategorized. This signature was made before GnuPG gained
support for specifying the level of certification. It is
possible that I may use this for a signature that I refuse to
categorize, but that has not yet happened.
0x11
Very casual certification. This signature was made on a key
of someone whom I do not know personally and have only
verified their identity via some third-party identification
that I reasonably trust. (So far, that has been limited to
state-issued driver's licenses.) The email address in the UID
appears to go to the named keyholder.
0x12
Personal knowledge of the keyholder. This signature was made
on a key belonging to someone I have known personally for long
enough that I'm reasonably sure of their identity. The email
address certainly goes to the keyholder.
0x13
Extremely high trust in the keyholder's identity. I have not
yet used this level of certification on anyone else's keys.
In order for me to do so would require that I do extensive
research on the person to verify their identity. I do not
anticipate ever doing this, so for the moment, the only keys
signed with this level of certification will be my own.
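Because the same class byte means different things before and after 2010, a reader checking signatures against this policy has to look at both the class and the signature date. The following is an added example (not part of this policy page) that reads GnuPG `--with-colons` output, picks out the certifications made by one signer, and applies the era-dependent meanings above; the record layout is assumed from GnuPG's DETAILS documentation, and the key IDs and names in the sample listing are constructed placeholders.

```python
import datetime

# Meaning this policy attaches to each certification class, by era:
# "new" = signature made in 2010 or later, "old" = 2009 and earlier.
POLICY = {
    "new": {0x10: "unused (a mistake if present)",
            0x11: "email address verified only; no claim about the name",
            0x12: "email verified and name checked against trusted photo ID",
            0x13: "significant personal knowledge of the person's identity"},
    "old": {0x10: "uncategorized (predates GnuPG certification levels)",
            0x11: "very casual: third-party ID only; email appears to reach keyholder",
            0x12: "personal knowledge of the keyholder; email certainly reaches them",
            0x13: "extremely high trust; so far only used on the signer's own keys"},
}

def sig_year(field):
    """Creation-date field: epoch seconds, or YYYY-MM-DD in older list modes."""
    if "-" in field:
        return int(field[:4])
    return datetime.datetime.fromtimestamp(int(field), tz=datetime.timezone.utc).year

def interpret_sigs(colon_output, signer_keyid):
    """Return (uid, class, year, meaning) for each certification by signer_keyid.

    Assumed `--with-colons` layout (GnuPG DETAILS): in 'sig' records field 5 is
    the signer key ID, field 6 the creation date, field 11 the class ('13x');
    in 'uid' records field 10 is the user ID. Other signers are skipped.
    """
    current_uid, results = None, []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "uid":
            current_uid = f[9]
        elif f[0] == "sig" and f[4].upper().endswith(signer_keyid.upper()):
            cls = int(f[10][:2], 16)
            if 0x10 <= cls <= 0x13:          # certification signatures only
                year = sig_year(f[5])
                era = "new" if year >= 2010 else "old"
                results.append((current_uid, cls, year, POLICY[era][cls]))
    return results

# Constructed sample listing; key IDs and names are placeholders, not real keys.
# The two 0x12 signatures straddle the 2010 cutoff (1262304000 = 2010-01-01 UTC).
SAMPLE = """\
uid:u::::1262304000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
sig:::1:FEDCBA9876543210:1262304000::::Signer Example <signer@example.net>:12x:
sig:::1:FEDCBA9876543210:1262303999::::Signer Example <signer@example.net>:12x:
sig:::1:0123456789ABCDEF:1262304000::::Alice Example <alice@example.org>:13x:
"""
```

Run `interpret_sigs(SAMPLE, "FEDCBA9876543210")` to see the same 0x12 class read as "email verified and name checked against trusted photo ID" for the 2010 signature and as "personal knowledge of the keyholder" for the one made a second earlier in 2009; real output comes from `gpg --with-colons --list-sigs <key>`.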
You may also check this policy
against its detached signature.