Last Updated: March 26, 2016

This page contains my key signing policy. ¯\_(ツ)_/¯
You probably don’t need to read this.

Signing Situations

In many key signing contexts, users don’t like to have their keys (and signatures) sent to public key servers. For some (like journalists and activists), this is because the metadata of who you are communicating with and who you are associating with may be sensitive. Because of this, I often email the signatures directly to the key owner, rather than upload keys myself; it is up to the recipient to decide whether to publicly share their signed key. (For folks with several e-mail addresses attached to their PGP key, this has the added benefit of validating that they have access to that address, and can receive PGP-encrypted e-mail to that address.)

In some situations, such as workshops, where 1) I am present for the creation of a key, 2) it is not unusual or sensitive knowledge that the key owner and I were associated through this event or otherwise, and 3) the key owner wishes to make their key public on a keyserver, I will sometimes sign keys and upload signatures soon after the event, to help certify the newly-created key and demonstrate the web of trust concept.

Confirming Key Ownership

There are four different “certification types” in the PGP spec. Most software just sticks with “generic” as the default.
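To make those four certification types concrete, here is an added example (my own illustration, not code from the original post or from caff) that walks an OpenPGP packet stream and reports the type of every certification signature it finds. RFC 4880 numbers the four as 0x10 generic, 0x11 persona, 0x12 casual and 0x13 positive; this is the value `gpg --list-packets` shows as `sigclass`. The sample packets at the bottom are constructed by hand for the example (a user ID plus two version 4 certifications with a placeholder MPI), not real signatures, so the script runs offline.

```python
"""Report the certification type of OpenPGP key signatures (RFC 4880 5.2.1)."""
import struct
from datetime import datetime, timezone

# The four certification signature types; software that does not ask
# for a level defaults to 0x10 "generic".
CERTIFICATION_TYPES = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}


def _read_packet_header(data, pos):
    """Return (tag, body_start, body_len) for the packet starting at pos.

    Supports old-format headers (length types 0-2) and new-format headers
    with one-, two- or five-octet lengths. Partial-body lengths are rejected.
    """
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header at offset %d" % pos)
    if first & 0x40:  # new-format header: tag in the low six bits
        tag, b1 = first & 0x3F, data[pos + 1]
        if b1 < 192:
            return tag, pos + 2, b1
        if b1 < 224:
            return tag, pos + 3, ((b1 - 192) << 8) + data[pos + 2] + 192
        if b1 == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths are not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old-format header
    if ltype == 0:
        return tag, pos + 2, data[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", data[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate-length packets are not supported")


def _parse_subpackets(blob):
    """Yield (subpacket_type, payload) pairs from a signature subpacket area."""
    pos = 0
    while pos < len(blob):
        b1 = blob[pos]
        if b1 < 192:
            length, pos = b1, pos + 1
        elif b1 < 255:
            length, pos = ((b1 - 192) << 8) + blob[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", blob[pos + 1:pos + 5])[0], pos + 5
        # The length covers the type octet plus the payload.
        yield blob[pos] & 0x7F, blob[pos + 1:pos + length]
        pos += length


def describe_signature(body):
    """Summarise a version 4 signature packet body: type, name, creation time."""
    if body[0] != 4:
        raise ValueError("only version 4 signatures are handled")
    sig_type = body[1]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    created = None
    for sp_type, payload in _parse_subpackets(body[6:6 + hashed_len]):
        if sp_type == 2:  # signature creation time subpacket
            created = datetime.fromtimestamp(struct.unpack(">I", payload)[0], tz=timezone.utc)
    return {"type": sig_type, "certification": CERTIFICATION_TYPES.get(sig_type), "created": created}


def list_certifications(data):
    """Walk a packet stream and return one summary per certification signature."""
    pos, found = 0, []
    while pos < len(data):
        tag, start, length = _read_packet_header(data, pos)
        if tag == 2:  # signature packet
            info = describe_signature(data[start:start + length])
            if info["certification"] is not None:
                found.append(info)
        pos = start + length
    return found


def _build_certification(sig_type, created_ts, new_format):
    """Constructed sample: a v4 RSA/SHA-256 certification with a dummy 8-bit MPI."""
    hashed = bytes([5, 2]) + struct.pack(">I", created_ts)  # creation-time subpacket
    body = (bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", 0) + b"\xab\xcd" + struct.pack(">H", 8) + b"\x01")
    header = bytes([0xC2, len(body)]) if new_format else bytes([0x88, len(body)])
    return header + body


# Constructed packet stream: a user ID followed by two certifications over it.
_UID = b"Alice <alice@example.org>"
SAMPLE = (bytes([0xB4, len(_UID)]) + _UID
          + _build_certification(0x13, 1458950400, new_format=False)   # positive
          + _build_certification(0x10, 1458950400, new_format=True))   # generic

if __name__ == "__main__":
    for cert in list_certifications(SAMPLE):
        print("sigclass 0x%02x (%s) made %s" % (cert["type"], cert["certification"], cert["created"]))
```

Point the same `list_certifications` at a `gpg --export` of a public key and it will list the certification level behind each signature on it; the old- and new-format header handling matters because GnuPG writes signature packets in the old format while other implementations use the new one.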

Technical

I generally use caff to handle signing and sending signed keys.

The “master key” portion of my PGP key is stored offline, on an airgapped Tails instance, and all key signing takes place there. (TODO: Someday I’ll write about juggling data between a networked Tails and an airgapped Tails to make caff happy and usable.)

Please visit this page to download my public key (0xA993E7156E0E9923) and see how to validate that.

-Mike Tigas [web] [twitter]