Formalising my keysigning policy

In preparation for the keysigning event at DebConf9, I was inspired by Adrian von Bidder's signing policy and have drafted my own keysigning policy.

Comments welcome!

Once the document is finalised, I will tell caff to include a cert-policy-url with every certification (key signature) the new key makes. To allow people to verify that I have not changed the policy since the certification, the URL will include a SHA-512 hash of the policy document in its query string. This is also based on Adrian's idea.

Those who remember my previous keysigning experiments might be glad to find that I have included a step of identity verification with a legal document. A recent thread on debconf-discuss, and in particular four messages in that thread, made me realise that I had been barking up the wrong tree. There are good reasons for this level of verification, especially in a project like Debian.

However, and this is the essence of my concern, I believe that a GPG certification should be more than the verification of such a document. A key signature should also be a statement that the person is actually known to the signer. This is what I tried to specify in the first two points of my certification policy.

I think that if we avoid signing the keys of people whom we have not met before, the web of trust will be strengthened substantially. Adding the verification step by way of a legal document will make it easier for us to track down a contributor in the unlikely event that he or she abuses his or her privileges.

NP: Deep Purple: Made in Japan