Last Updated: March 28, 2017

This page contains my key signing policy. ¯\_(ツ)_/¯

You probably don’t need to read this; visit this page instead if you’re looking for my key and how to verify it.

Signing & Sending Signatures

Occasionally folks don’t like to have their keys (and signatures) sent to public key servers. For some, this is because the metadata of who you are communicating with and who you are associating with may be sensitive.

Therefore, depending on the situation I will sometimes email my signatures directly to the key owner, rather than upload keys myself; it is up to the recipient to decide whether to publicly share their signed key. (For folks with several e-mail addresses attached to their PGP key, this has the added benefit of validating that they have access to — and can receive PGP-encrypted e-mail at — that address.)

Confirming Key Ownership

There are a few different “certification types” in the PGP spec; most software uses the default generic flag. Usually I’ll sign a key with one of the two bits:
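To see which certification class each signature on a key actually carries, and which e-mail address each user ID would receive its signature at, here is an added example (mine, not the author's tooling) that parses `gpg --with-colons --list-sigs` output. The listing is constructed sample data; the key IDs, names and addresses in it are placeholders.

```python
import re

# OpenPGP certification classes (RFC 4880 section 5.2.1) by their two-digit hex code.
CERT_CLASSES = {"10": "generic", "11": "persona", "12": "casual", "13": "positive"}

# Constructed sample of `gpg --with-colons --list-sigs` output, not real key data:
# one primary key, two user IDs, each with a self-signature and one third-party
# certification. Field 11 of a `sig` record is the class plus 'x' (exportable)
# or 'l' (local-only); field 10 of a `uid` record is the user ID string.
SAMPLE_LISTING = """\
tru::1:1490000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1400000000:::u:::scESC::::::23::0:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF:
uid:u::::1400000000::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::Alice Example <alice@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1400000000::::Alice Example <alice@example.org>:13x::0123456789ABCDEF:::8:
sig:::1:FEDCBA9876543210:1490000000::::Bob Example <bob@example.net>:10x::FEDCBA9876543210:::8:
uid:u::::1400000000::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB::Alice Example <alice@example.com>::::::::::0:
sig:::1:0123456789ABCDEF:1400000000::::Alice Example <alice@example.org>:13x::0123456789ABCDEF:::8:
sig:::1:FEDCBA9876543210:1490000000::::Bob Example <bob@example.net>:12l::FEDCBA9876543210:::8:
"""

EMAIL_RE = re.compile(r"<([^>]+)>")


def parse_certifications(listing):
    """Map each user ID to its e-mail and its signatures as (signer keyid, class name, exportable)."""
    result = {}
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "uid":
            uid = fields[9]
            match = EMAIL_RE.search(uid)
            current = result.setdefault(uid, {"email": match.group(1) if match else None, "sigs": []})
        elif fields[0] == "sig" and current is not None:
            sig_class = fields[10]  # e.g. "13x": class 0x13, exportable
            name = CERT_CLASSES.get(sig_class[:2], "unknown")
            current["sigs"].append((fields[4], name, sig_class.endswith("x")))
    return result


def third_party_certs(listing, own_keyid):
    """Per user ID, the certifications made by keys other than own_keyid (self-signatures dropped)."""
    return {
        uid: [sig for sig in info["sigs"] if sig[0] != own_keyid]
        for uid, info in parse_certifications(listing).items()
    }


if __name__ == "__main__":
    for uid, sigs in third_party_certs(SAMPLE_LISTING, "0123456789ABCDEF").items():
        print(uid, sigs)
```

A local-only ('l') signature is never exported or sent on, so only the exportable ones are what a key owner could choose to publish.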

Technical

When coming back from a keysigning party, I’ll sometimes use caff to handle signing and sending signed keys.

The “master key” portion of my PGP key is stored offline, on an airgapped Tails instance, and all key signing takes place there.

Please visit this page to download my public key (0xA993E7156E0E9923) and see how to validate that.

-Mike Tigas [web] [twitter]