PGP Signature Policy

The OpenPGP standard specifies four types of signatures on public keys, numbered from 0x10 to 0x13. These are listed in the Signature Types section of the standard. (Different programs may represent these levels differently--GnuPG displays nothing for 0x10 and numbers 0x11 through 0x13 as 1 through 3.)

I shifted my use of these values in 2010 to more closely match the wording in the RFC. For any signature made by me in 2010 or later, here is what I mean by each value:

0x10
Unused. If I managed to use this value, it was a mistake and I apologize.
0x11
Email address verification only. I have verified that the email address listed in the UID is associated with the owner of the key. I do not make any claims about the name in the UID.
0x12
Email address verification and cursory identity verification. I have verified that the name in the UID matches a photo ID that I reasonably trust to be accurate in some sense (e.g. passport, driver's license in a state with which I am familiar, work ID for an employer I trust, etc.). I have also verified that the email address in the UID belongs to the key owner.
0x13
Significant personal knowledge of the person's identity. I have known this person for a significant period of time; the UID accurately represents my understanding of their identity.

For signatures made in 2009 and earlier, the values have the following meanings:

0x10
Uncategorized. This signature was made before GnuPG gained support for specifying the level of certification. It is possible that I may use this for a signature that I refuse to categorize, but that has not yet happened.
0x11
Very casual certification. This signature was made on a key of someone whom I do not know personally and whose identity I have only verified via some third-party identification that I reasonably trust. (So far, that has been limited to state-issued driver's licenses.) The email address in the UID appears to go to the named keyholder.
0x12
Personal knowledge of the keyholder. This signature was made on a key belonging to someone I have known personally for long enough that I'm reasonably sure of their identity. The email address certainly goes to the keyholder.
0x13
Extremely high trust in the keyholder's identity. I have not yet used this level of certification on anyone else's keys. Doing so would require that I do extensive research on the person to verify their identity. I do not anticipate ever doing this, so for the moment, the only keys signed with this level of certification will be my own.
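As an added example (not part of this policy and not the author's own tooling), a small Python helper that reads the colon-delimited output of `gpg --with-colons --list-sigs` and maps each certification by a given signer to the dated meanings above. It assumes GnuPG's documented colon format (field 6 is the creation time, field 11 the signature class) and feeds on constructed sample records with a placeholder signer key ID.

```python
"""Interpret certification levels on a key against the dated policy above."""
from datetime import datetime, timezone

# Policy wording from this page, keyed by (era, signature class).
# Era "new" covers signatures made in 2010 or later, "old" those from 2009 and earlier.
POLICY = {
    ("old", 0x10): "Uncategorized (made before GnuPG supported certification levels)",
    ("old", 0x11): "Very casual: third-party ID only, signer does not know the person",
    ("old", 0x12): "Personal knowledge of keyholder; email certainly goes to them",
    ("old", 0x13): "Extremely high trust; reserved for the signer's own keys",
    ("new", 0x10): "Unused (would be a mistake)",
    ("new", 0x11): "Email address verified only; no claim about the name",
    ("new", 0x12): "Email verified plus name checked against a trusted photo ID",
    ("new", 0x13): "Significant personal knowledge of the person's identity",
}

def parse_created(field):
    """Field 6 is epoch seconds in current GnuPG, or ISO 8601 basic (e.g. 20100115T091500)."""
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)

def interpret_sigs(colon_output, signer_keyid):
    """Return (year, class, meaning) for each 0x10..0x13 certification by signer_keyid."""
    results = []
    for line in colon_output.splitlines():
        f = line.split(":")
        # 'sig' records: field 5 (index 4) is the signer key ID, index 10 the class.
        if f[0] != "sig" or f[4].upper() != signer_keyid.upper() or not f[10]:
            continue
        sigclass = int(f[10][:2], 16)  # strip the trailing 'x'/'l' exportability flag
        if not 0x10 <= sigclass <= 0x13:
            continue  # not a UID certification (e.g. 0x1f direct-key, 0x30 revocation)
        created = parse_created(f[5])
        era = "new" if created.year >= 2010 else "old"
        results.append((created.year, sigclass, POLICY[(era, sigclass)]))
    return results

# Constructed sample output; key IDs and addresses are placeholders, not real keys.
SIGNER = "0123456789ABCDEF"
SAMPLE = """\
pub:u:4096:1:FEDCBA9876543210:1200000000:::u:::scESC::::::23::0:
uid:u::::1200000000::0123::Example Keyholder <holder@example.invalid>::::::::::0:
sig:::1:0123456789ABCDEF:1240000000::::Signer <signer@example.invalid>:12x::::::::::0:
sig:::1:0123456789ABCDEF:1300000000::::Signer <signer@example.invalid>:11x::::::::::0:
sig:::1:1111111111111111:1300000000::::Someone Else <other@example.invalid>:13x::::::::::0:
"""

if __name__ == "__main__":
    for year, cls, meaning in interpret_sigs(SAMPLE, SIGNER):
        print(f"{year}  0x{cls:02x}  {meaning}")
```

The 2009 certification (epoch 1240000000) is read under the older meanings and the 2011 one (epoch 1300000000) under the current ones, so the same class value 0x12 would be reported differently depending on its date.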

You may also check this policy against its detached signature.


Phil! Gold