Penguin
Annotated edit history of SigningAKey version 3 showing authors affecting page license. View with all changes included.
[SigningAKey] is an [OpenPGPConcept] that denotes trust in the KeyValidity of the key being signed. By signing a key, you are indicating that you trust that it belongs to its owner and that they are who they say they are.

It is important that you only sign keys where you have personally verified the owner's identity and their possession of the key. You should exercise much care in signing keys, as others may want to use your signatures to determine CalculatedTrust for a key they cannot personally verify. See KeyValidity for instructions on how to verify the validity of a key.

!! How to sign a key

* Ensure the public key is in your keyring (if it isn't, see [GPG/PGPNotes] for how to find it)
* Ensure that you have correctly completed the KeyValidity tasks and are satisfied that the key is valid
* Open the key in gpg: gpg --edit-key <key-id>
* Select the uid(s) that you wish to sign: uid <s>
* Sign them: sign
* Save the changes: save
* You should now email the signed key back to its owner, so they can publish it to their preferred keyserver

!! Automating that process

See KeySigningScripts, especially the section on 'caff'.

!! Types of Signature
The [OpenPGP] standard defines several different types of signature that can be used to denote varying levels of trust in the identity of the key's owner. These are:
25
<?plugin OldStyleTable

|__Signature type__|__Name__|__Description__
| 0x10 | Generic certification | The issuer of this certification does not make any particular assertion as to how well the certifier has checked that the owner of the key is in fact the person described by the user ID. Note that all PGP "key signatures" are this type of certification.
| 0x11 | Persona certification of a User ID and Public Key packet | The issuer of this certification has not done any verification of the claim that the owner of this key is the user ID specified.
| 0x12 | Casual certification of a User ID and Public Key packet | The issuer of this certification has done some casual verification of the claim of identity.
| 0x13 | Positive certification of a User ID and Public Key packet | The issuer of this certification has done substantial verification of the claim of identity.
?>

The standard notes:
;:Please note that the vagueness of these certification claims is not a flaw, but a feature of the system. Because PGP places final authority for validity upon the receiver of a certification, it may be that one authority's casual certification might be more rigorous than some other authority's positive certification. These classifications allow a certification authority to issue fine-grained claims.

These types of signature are somewhat controversial and, arguably, of no use at all, for several reasons:
* All [PGP] clients are only capable of generating 0x10 signatures
* The [OpenPGP] standard does not define a trust model, so there is no programmatic way to determine whether the trust indicated by one person's 0x12 signature is the same as any other 0x12 signature.

The best solution to this seems to be:
* If you care, generate signatures using 0x12 and 0x13, and attach a policy-url describing how you verified the keyholder's identity; if you don't want to do this, you should sign keys with 0x10
* Recognise that 0x12 and 0x13 signatures may have varying meanings
* NEVER generate 0x11 signatures; why would you sign a key without verifying the keyholder's identity...?
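The certification type octet from the table above and the policy-url subpacket recommended here both live in the OpenPGP signature packet. The following added example (not code from the original page or from GnuPG) builds a constructed v4 certification packet with a placeholder signature value, made-up issuer key ID and made-up policy URL, then reads the type and policy URL back out of it; it assumes one-octet packet and subpacket lengths, which is all the constructed input needs.

```python
import struct

# Certification (key signature) types, RFC 4880 section 5.2.1.
CERT_TYPES = {0x10: "Generic certification", 0x11: "Persona certification",
              0x12: "Casual certification", 0x13: "Positive certification"}
SUBPKT_CREATION_TIME, SUBPKT_ISSUER, SUBPKT_POLICY_URI = 2, 16, 26


def _subpacket(sp_type, body):
    # One-octet subpacket length form (the type octet counts towards the length).
    assert len(body) + 1 < 192
    return bytes([len(body) + 1, sp_type]) + body


def build_certification(sig_type, issuer_keyid, policy_url=None):
    # Constructed v4 certification packet for demonstration only: the MPI at
    # the end is a placeholder, not a real signature value.
    hashed = _subpacket(SUBPKT_CREATION_TIME, struct.pack(">I", 1_000_000_000))
    if policy_url is not None:
        hashed += _subpacket(SUBPKT_POLICY_URI, policy_url.encode())
    unhashed = _subpacket(SUBPKT_ISSUER, issuer_keyid)
    body = bytes([4, sig_type, 1, 8])            # v4, type, RSA (1), SHA-256 (8)
    body += struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", len(unhashed)) + unhashed
    body += b"\xab\xcd"                          # left 16 bits of the hash
    body += struct.pack(">H", 8) + b"\xff"       # placeholder 8-bit MPI
    assert len(body) < 192                       # one-octet packet length
    return bytes([0xC2, len(body)]) + body       # new-format header, tag 2


def _iter_subpackets(data):
    pos = 0
    while pos < len(data):
        length = data[pos]
        assert length < 192, "multi-octet subpacket lengths not handled"
        yield data[pos + 1], data[pos + 2:pos + 1 + length]
        pos += 1 + length


def parse_certification(packet):
    # Returns (type octet, type name, policy URL or None) for a v4 signature
    # packet with a one-octet length in either the old or new header format.
    tag_byte = packet[0]
    tag = tag_byte & 0x3F if tag_byte & 0x40 else (tag_byte >> 2) & 0x0F
    body = packet[2:]
    assert tag == 2 and body[0] == 4, "not a v4 signature packet"
    sig_type = body[1]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    policy = None
    for sp_type, sp_body in _iter_subpackets(body[6:6 + hashed_len]):
        if sp_type == SUBPKT_POLICY_URI:      # only trust the hashed area
            policy = sp_body.decode()
    return sig_type, CERT_TYPES.get(sig_type, "not a certification"), policy
```

Only subpackets in the hashed area are covered by the signature, which is why the policy URL is read from there and not from the unhashed area.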

----
Part of CategoryCryptography