The following is the process I follow when signing other people’s keys.
(简体中文版本) (正體中文版本) (Plain Text Version)
This policy applies to signatures made with the following keys.
sec ed25519/0x15F4180E73787863 2021-07-14 [C] [expires: 2027-01-01]
Key fingerprint = 892E BC7D C392 DFF9 C9C0 3F1D 15F4 180E 7378 7863
uid [ultimate] Coelacanthus <[email protected]>
uid [ultimate] Coelacanthus <[email protected]>
uid [ultimate] Coelacanthus <[email protected]>
uid [ultimate] Celeste Liu (For AOSC) <[email protected]>
ssb> ed25519/0xE35C89E45867AE35 2021-07-14 [S] [expires: 2027-01-01]
Key fingerprint = 16B9 E5EB A675 E2F0 A60D 3498 E35C 89E4 5867 AE35
ssb> cv25519/0x7C20D9B5ED32703C 2021-07-14 [E] [expires: 2027-01-01]
Key fingerprint = C943 E5E3 7E4B AC37 AA1F AE6E 7C20 D9B5 ED32 703C
ssb> ed25519/0x06F96A0FB5AD258D 2021-07-14 [A] [expires: 2027-01-01]
Key fingerprint = 8977 A899 55F9 0095 55E9 D344 06F9 6A0F B5AD 258DYou can get my PGP key by doing one of the following.
gpg --keyserver hkps://keys.gnupg.net --recv-keys 892EBC7DC392DFF9C9C03F1D15F4180E73787863gpg --fetch-keys 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x892ebc7dc392dff9c9c03f1d15f4180e73787863'gpg --fetch-keys 'https://pgp.mit.edu/pks/lookup?op=get&search=0x15F4180E73787863'gpg --fetch-keys 'https://pgp.surf.nl/pks/lookup?op=get&search=0x15F4180E73787863'gpg --fetch-keys 'https://pgp.gnd.pw/pks/lookup?op=get&search=0x892ebc7dc392dff9c9c03f1d15f4180e73787863'gpg --fetch-keys https://keybase.io/coelacanthus/key.ascor QR code
Please note
--recv-keys, there is information that key collisions are possible.hkps://keys.openpgp.org as keyserver when importing keys with --recv-keys, using other keyservers may expose you to Certificate Flooding Attack.Note that on the public key server group, there exist three public keys using the same Name as me, they are my former test public keys or fake keys, please refer to my key ownership statement.
This policy was originally written on 2021-08-16 and has been in effect since that date, but maybe superseded by newer versions at any time. The structure and content of this document are inspired by Allen Zhong’s PGP Key Signing Policy and Outvi V’s GPG Signing Policy.
According to the GPG manual and OpenPGP Message Format, signatures are now classified into the following four levels: Generic (0), Persona (1), Casual (2), Positive (3).
Won’t sign to ensure a monotonic increment in the trust level.
I do not make any guarantee for it。
Sign only if I meet with them offline and verify their identity (or other means of authentication of the same level), I have verified the relevance of the key, the e-mail address used, and the social entity.
I believe that the private key controller of this GPG public key is trusted, has some understanding of the GPG, and can reasonably sign other people.
Please note that because of the default configuration of GNUPG, Level 0 certification is considered a trusted signature, but Level 1 is not considered a trusted signature (i.e., it does not participate in the construction of the chain of trust). I have decided for this situation that Level 0 signatures will not be made.
You need to send me an email requesting a Level 1 signature with the following content
The email should be signed with the key to be signed and encrypted with my public key.
This happens when we meet offline.
For signatures I request from others, I will sign their keys at the same level (according to their signature policy). I also want to get the same level of signature from the holder of the key I signed as the one I made.
I want to cross-sign the key, so if the signed person does not want to sign my key, there is no point in making a signature request to me.
Copyright (C) 2021-2022 Celeste Liu.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation.
A signed version of this documentation is available at: https://pgp.coelacanthus.moe/policy-signed.txt