Penguin

SigningAKey is an OpenPGPConcept that denotes trust in the KeyValidity of the key being signed. Technically the signature is made over one of the key's user IDs, so it is a certification that a particular identity belongs to that key. By signing a key you are stating that you trust that it belongs to its owner and that the owner is who the user ID says they are.

It is important that you only sign keys where you have personally verified the owner's identity and their possession of the key. Exercise great care in signing keys: others may use your signatures to determine CalculatedTrust for a key they cannot personally verify, so a careless signature misleads people you have never met. See KeyValidity for instructions on how to verify the validity of a key.

How to sign a key

  • Ensure the public key is in your keyring (if it isn't, see GPG/PGPNotes for how to find it)
  • Ensure that you have correctly completed the KeyValidity tasks and are satisfied that the key is valid
  • Open the key in gpg

    • gpg --edit-key <key-id>
  • Select the uid(s) that you wish to sign, where <n> is the number of the user ID in the listing gpg shows you (if you select none, sign will offer to sign every user ID on the key, so only do that if you have verified all of them)

    • uid <n>
  • Sign them

    • sign
  • Save the changes (this writes the new signature into your own keyring)

    • save
  • You should now email the signed key back to its owner, so they can publish it to their preferred keyserver; publishing someone else's key yourself is considered bad manners

Automating that process

See KeySigningScripts, especially the section on 'caff'.

Types of Signature

The OpenPGP standard defines several different types of signatures that can be used to denote varying levels of trust in the identity of the key's owner. These are

 Signature Type   Name                                                        Description
 0x10             Generic certification of a User ID and Public Key packet    The issuer of this certification does not make any particular assertion as to how well the certifier has checked that the owner of the key is in fact the person described by the user ID. Note that all PGP "key signatures" are this type of certification.
 0x11             Persona certification of a User ID and Public Key packet    The issuer of this certification has not done any verification of the claim that the owner of this key is the user ID specified.
 0x12             Casual certification of a User ID and Public Key packet     The issuer of this certification has done some casual verification of the claim of identity.
 0x13             Positive certification of a User ID and Public Key packet   The issuer of this certification has done substantial verification of the claim of identity.

The standard (RFC 4880, section 5.2.1) notes:

Please note that the vagueness of these certification claims is not a flaw, but a feature of the system. Because PGP places final authority for validity upon the receiver of a certification, it may be that one authority's casual certification might be more rigorous than some other authority's positive certification. These classifications allow a certification authority to issue fine-grained claims.

These types of signature are somewhat controversial, and are arguably of little use, for several reasons:

  • Most PGP clients only generate 0x10 signatures. GnuPG can make 0x11 to 0x13 certifications, but only if you ask for them (with --ask-cert-level, or --default-cert-level set to something other than 0); its default is 0x10, and the classic PGP products issued nothing but 0x10, as the standard's own note on that type says.
  • The OpenPGP standard does not define a trust model, so there is no programmatic way to determine whether the trust indicated by one person's 0x12 signature is the same as that of any other 0x12 signature.

The best solution to this seems to be:

  • If you care, generate signatures using 0x12 and 0x13, and attach a policy URL (the Policy URI signature subpacket) describing how you verified the keyholder's identity; if you don't want to do this, sign keys with 0x10
  • Recognise that 0x12 and 0x13 signatures made by different people may have varying meanings
  • NEVER generate 0x11 signatures: why would you sign a key without verifying the keyholder's identity...?
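The procedure from "How to sign a key" and the policy-URL recommendation just above, carried out end to end in one shell script. This is an added example, not part of the original wiki page and not taken from GnuPG's documentation: it creates a disposable keyring with two constructed identities (Alice and Bob, with made-up addresses and a made-up policy URL), has Alice certify Bob's key non-interactively at level 0x13 using --quick-sign-key with --default-cert-level 3 and --cert-policy-url, exports the certified key as the file you would e-mail back, and then reads the certification class and the policy URL back out of gpg's machine-readable output. It needs GnuPG 2.1.17 or later and exits quietly if gpg is not installed.

```shell
#!/bin/sh
# Added example (not from the original wiki page): sign a key non-interactively
# with a chosen certification level and a policy URL, then check the result.
# Everything below is constructed for the demo: the two identities, their
# e-mail addresses and the policy URL are made up, and the keys live in a
# throwaway keyring. Requires GnuPG >= 2.1.17 (--quick-gen-key, --quick-sign-key).
set -eu

if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not found; nothing to demonstrate" >&2
    exit 0
fi

# Never touch the real ~/.gnupg: use a private, disposable GNUPGHOME.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# gpg with the options every call here needs: no prompts, no passphrase.
g() {
    gpg --batch --no-tty --pinentry-mode loopback --passphrase '' "$@"
}

# Primary-key fingerprint for a user ID, read from colon-separated output
# (record type "fpr", field 10).
fpr_of() {
    g --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Class of the certification that ISSUER (a fingerprint) made on Bob's key, as
# gpg reports it in colon mode: two hex digits plus "x" (exportable) or
# "l" (local-only), e.g. "13x" for a 0x13 positive certification.
cert_class() {
    g --with-colons --list-sigs "$BOB" \
      | awk -F: -v issuer="$1" '$1 == "sig" && index(issuer, $5) { print $11; exit }'
}

# Policy URL (signature subpacket type 26) of the first signature carrying one,
# taken from gpg's packet dump of the exported, certified key.
cert_policy_url() {
    g --list-packets "$GNUPGHOME/bob-signed.asc" 2>&1 \
      | sed -n 's/.*(policy: \(.*\))$/\1/p' | head -n 1
}

# Constructed identities: Alice certifies Bob's key. Certify-only ed25519
# primary keys keep the demo fast; any ordinary key works the same way.
g --quiet --quick-gen-key 'Alice Signer <alice@example.invalid>' ed25519 cert never
g --quiet --quick-gen-key 'Bob Holder <bob@example.invalid>' ed25519 cert never
ALICE=$(fpr_of alice@example.invalid)
BOB=$(fpr_of bob@example.invalid)

# In real life Bob's public key would be imported here (step 1 of the wiki
# procedure). Step 2, the KeyValidity checks, is done by a human, not by this
# script: only run the signing command after you have verified Bob's identity
# and his possession of the key whose fingerprint is $BOB.
POLICY_URL='https://example.invalid/keysigning-policy'
g --quiet --local-user "$ALICE" \
  --default-cert-level 3 \
  --cert-policy-url "$POLICY_URL" \
  --quick-sign-key "$BOB"

# Export the certified key: this file is what you e-mail back to the keyholder
# so they can publish it to their own preferred keyserver.
g --armor --export "$BOB" > "$GNUPGHOME/bob-signed.asc"

# Human-readable view: "sig 3" marks a level-3 (0x13) certification.
g --list-sigs "$BOB"
echo "class of Alice's certification: $(cert_class "$ALICE")"
echo "policy URL in that certification: $(cert_policy_url)"
```

The --quick-sign-key call is the non-interactive equivalent of gpg --edit-key, sign, save with every user ID selected, and --default-cert-level is the counterpart of answering the question that --ask-cert-level would put to you in the interactive session. The one step a script cannot perform is the verification itself, which is why the signing command sits behind a comment telling you not to run it until that is done.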

Part of CategoryCryptography