tensixtyone

Rants of Andrew Williams / Nik_Doof

OpenPGP


Introduction

GNU Privacy Guard, also known as GnuPG or GPG, is a complete and free implementation of the OpenPGP Message Format. OpenPGP, originally derived from PGP, provides methods of encrypting data and, perhaps more useful to many people, creating digital signatures to help ensure the integrity of data. By digitally signing my communications, I give both myself and the recipients a level of assurance that:

  1. The message was signed with my private key (presumably by me); and
  2. The message has not been altered.

When communicating with me, please consider using OpenPGP to sign your messages.

I am currently living in Widnes, Cheshire and I commute daily to Birchwood on the outskirts of Warrington. I also attend Liverpool LUG, Manchester LUG, and Manchester Free Software. I am also listed on BigLumber.

PLEASE DON'T CONTACT ME REGARDING KEY SIGNING - This is due to a lack of formal identification. I’ll only provide/accept Level 1 signatures; anything higher at the moment would weaken the web of trust.

Public Keys

pub   1024D/9FC9C84A 2005-07-28 [expires: 2010-07-28]
uid                  Andrew Williams
uid                  Andrew Williams
uid                  Andrew Williams
uid                  Andrew Williams
sub   2048g/AA0F7BF1 2005-07-28 [expires: 2010-07-28]

pub   1024D/E05CFFC0 2008-09-09 Andrew Williams <andy!tensixtyone.com>
 Primary key fingerprint: 0AE1 B241 E8B5 A79C 45C9  F816 3985 D463 E05C FFC0

sec   1024D/E05CFFC0 2008-09-09
uid                  Andrew Williams <andy!tensixtyone.com>
uid                  Andrew Williams <nik_doof!nikdoof.net>
uid                  Andrew Williams <nikdoof!gmail.com>
ssb   1024g/002C2433 2008-09-09

Key 9FC9C84A has been compromised. DO NOT USE.

Email addresses have been removed; this key is available on all major key servers.

Key Signing

The signee (the key holder who wishes to obtain a signature from me, the signer) must make his/her OpenPGP public key available on a publicly accessible key server, such as the .pgp.net key servers, or on a publicly accessible web server for which the signee provides the URL.

The signee must prove his/her identity to the signer by way of a valid identity card or a valid driving license or passport. All photographic IDs must look similar to the signee and I reserve the right to reject signing if it does not present a likeness to the current holder.

The signee should have prepared a piece of paper with the output, printed or hand-written, from:

gpg --fingerprint KEYID

(where KEYID is the ID of the key that is to be signed).

The above must take place under reasonable circumstances: each signee must be willing to allow time for full review of their key data and identification, and not place the signer under any duress to speed up the procedure.

The signee should be willing to cross-sign with the signer unless a reasonable case not to is presented.

The Act of Signing

After having received (or exchanged) the proof detailed in the above, I will send one email to each of the mail addresses which are listed in the UIDs which I was asked to sign. These verification emails contain random strings, and will be signed by me and encrypted to the public key whose fingerprint is shown on the paper.

Upon reception of encrypted and signed replies, I will check the returned random string for equality with what I sent. The reply must be signed with the key that I was asked to certify, even if the challenge was encrypted to a different key.

UIDs which pass the above test will be signed. If one of the UIDs fails the test, a warning will be sent to one of the other mail addresses and the procedure will be halted until a satisfactory explanation has been received, or the procedure has been cancelled by the signee.

The signed key block will then be uploaded to a public key server and/or sent to the signee.
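The reply check described above can be written down as a small decision routine. This is an added example, not part of the original policy: the function names and sample data are constructed, and the signer fingerprint for each reply is assumed to come from gpg's verification of the decrypted message.

```python
import hmac
import secrets

def new_challenges(uid_emails):
    """One independent random string per UID address to be certified."""
    return {uid: secrets.token_urlsafe(24) for uid in uid_emails}

def _fpr(value):
    # Compare fingerprints without spacing or case differences.
    return "".join(value.split()).upper()

def check_replies(key_fpr, challenges, replies):
    """replies maps uid -> (returned_string, signer_fpr); signer_fpr is the
    fingerprint reported for the reply's signature (None if unsigned or bad).
    A UID with no entry has not answered yet."""
    passed, failed, pending = [], [], []
    for uid, sent in challenges.items():
        if uid not in replies:
            pending.append(uid)
            continue
        returned, signer_fpr = replies[uid]
        same_string = hmac.compare_digest(returned.strip().encode(), sent.encode())
        # The reply must be signed by the key being certified, whatever
        # key the challenge was encrypted to.
        same_key = signer_fpr is not None and _fpr(signer_fpr) == _fpr(key_fpr)
        (passed if same_string and same_key else failed).append(uid)
    return passed, failed, pending

def decide(key_fpr, challenges, replies):
    passed, failed, pending = check_replies(key_fpr, challenges, replies)
    if failed:
        # Policy: warn via one of the other addresses and halt.
        others = [u for u in challenges if u not in failed]
        return {"action": "halt", "failed": failed, "warn_via": others[:1]}
    if pending:
        return {"action": "wait", "pending": pending}
    return {"action": "sign", "uids": passed}

# Constructed sample data (not real keys or addresses).
KEY = "1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA"
OTHER = "BBBB 2222 3333 4444 5555  6666 7777 8888 9999 CCCC"
SENT = {"a@example.org": "tok-a-constructed", "b@example.org": "tok-b-constructed"}
GOOD = {"a@example.org": ("tok-a-constructed\n", KEY.lower()),
        "b@example.org": ("tok-b-constructed", KEY)}
WRONG_KEY = {**GOOD, "b@example.org": ("tok-b-constructed", OTHER)}

if __name__ == "__main__":
    print(decide(KEY, SENT, GOOD))
    print(decide(KEY, SENT, WRONG_KEY))
```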

Levels of Signatures

Depending on the character of the key which is to be signed by me, I will use different levels of signatures:

  • Level 3 (positive certification): A level of 3 is given to sign-and-encrypt keys which successfully pass all the checks: I have met the signee, I have verified his/her identity with formal identification, fingerprint, and the replies to the email challenges were correct. Photographic UIDs that are a true likeness of the signee will also be signed with a level of 3. These signatures are the strongest in my web of trust.
  • Level 2 (casual certification): A level of 2 is given to keys where I have validated the person’s formal identification and received a copy of their Key ID personally from them, but further email verification hasn’t been completed. In other cases, this level would be given to sign-only keys.
  • Level 1 (persona certification): A level of 1 is given in situations when I’ve not validated their identity against formal identification, but I’ve got enough corroborating evidence (such as proof of address, a bank statement, etc.) that the person is who they say they are. This level mostly relies on the verification of trusted institutions (such as banks or trade societies). These signatures should not be regarded as fully trusted by third parties and are merely a stepping stone to a more trusted level.
  • Level 0 (generic certification): A level of 0 is given to keys of Certification Authorities. Usually the fingerprints of those keys have to be verified by getting them from the corresponding web site of the CA and cannot be checked by exchange with a member of the CA who is in charge. These signatures are the weakest in my web of trust.

Acknowledgements

Simon Ward’s policy was the basis for this document.

Change Log

v1.0 (25/07/08) - Initial Revision
v1.1 (31/08/08) - Modification to Level 1 to accept basic signatures with corroborating evidence from trusted institutions.
v1.2 (05/09/08) - Revoked 9FC9C84A, key compromised.
v1.3 (13/09/08) - Key E05CFFC0 added.

Written by Andrew Williams

July 25th, 2008 at 12:19 pm
