PGP Sign Policy

The following is the process I follow when signing other people's keys.

Summary

This policy applies to signatures made with the following keys.

    sec   ed25519/0x15F4180E73787863 2021-07-14 [C] [expires: 2027-01-01]
          Key fingerprint = 892E BC7D C392 DFF9 C9C0  3F1D 15F4 180E 7378 7863
    uid                   [ultimate] Coelacanthus <coelacanthus@outlook.com>
    uid                   [ultimate] Coelacanthus <CoelacanthusHex@gmail.com>
    uid                   [ultimate] Coelacanthus <i@coelacanthus.moe>
    uid                   [ultimate] Celeste Liu (For AOSC) <coelacanthus@aosc.io>
    ssb>  ed25519/0xE35C89E45867AE35 2021-07-14 [S] [expires: 2027-01-01]
          Key fingerprint = 16B9 E5EB A675 E2F0 A60D  3498 E35C 89E4 5867 AE35
    ssb>  cv25519/0x7C20D9B5ED32703C 2021-07-14 [E] [expires: 2027-01-01]
          Key fingerprint = C943 E5E3 7E4B AC37 AA1F  AE6E 7C20 D9B5 ED32 703C
    ssb>  ed25519/0x06F96A0FB5AD258D 2021-07-14 [A] [expires: 2027-01-01]
          Key fingerprint = 8977 A899 55F9 0095 55E9  D344 06F9 6A0F B5AD 258D

You can get my PGP key by doing one of the following.

-   gpg --keyserver hkps://keys.gnupg.net --recv-keys 892EBC7DC392DFF9C9C03F1D15F4180E73787863
-   gpg --fetch-keys 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x892ebc7dc392dff9c9c03f1d15f4180e73787863'
-   gpg --fetch-keys 'https://pgp.mit.edu/pks/lookup?op=get&search=0x15F4180E73787863'
-   gpg --fetch-keys 'https://pgp.surf.nl/pks/lookup?op=get&search=0x15F4180E73787863'
-   gpg --fetch-keys 'https://pgp.gnd.pw/pks/lookup?op=get&search=0x892ebc7dc392dff9c9c03f1d15f4180e73787863'
-   gpg --fetch-keys https://keybase.io/coelacanthus/key.asc

or QR code

[]

Please note

-   Be sure to use the full key ID when importing keys with --recv-keys,
    there is information that key collisions are possible.
-   Please use hkps://keys.openpgp.org as keyserver when importing keys
    with --recv-keys, using other keyservers may expose you to
    Certificate Flooding Attack.

Note that on the public key server group, there exist three public keys
using the same Name as me, they are my former test public keys or fake
keys, please refer to my key ownership statement.

This policy was originally written on 2021-08-16 and has been in effect
since that date, but maybe superseded by newer versions at any time. The
structure and content of this document are inspired by Allen Zhong's PGP
Key Signing Policy and Outvi V's GPG Signing Policy.

Signature Policy

Signature level

According to the GPG manual and OpenPGP Message Format, signatures are
now classified into the following four levels: Generic (0), Persona (1),
Casual (2),  Positive (3).

-   Level 0 (Pervasive Certification)

  Won't sign to ensure a monotonic increment in the trust level.

-   Level 1 (Persona Certification)

  I do not make any guarantee for it。

-   Level 2 (Casual Certification)

  Sign only if I meet with them offline and verify their identity (or
  other means of authentication of the same level), I have verified the
  relevance of the key, the e-mail address used, and the social entity.

-   Level 3 (Positive Certification)

  I believe that the private key controller of this GPG public key is
  trusted, has some understanding of the GPG, and can reasonably sign
  other people.

Please note that because of the default configuration of GNUPG, Level 0
certification is considered a trusted signature, but Level 1 is not
considered a trusted signature (i.e., it does not participate in the
construction of the chain of trust). I have decided for this situation
that Level 0 signatures will not be made.

Signature Process

Level 1

You need to send me an email requesting a Level 1 signature with the
following content

-   key fingerprint
-   Which key server the key is uploaded to
-   The UID you want me to sign, or leave this blank if you want me to
    sign all UIDs
-   Some notes about the desired Level 1 signature

The email should be signed with the key to be signed and encrypted with
my public key.

Level 2

This happens when we meet offline.

Principle of fairness

For signatures I request from others, I will sign their keys at the same
level (according to their signature policy). I also want to get the same
level of signature from the holder of the key I signed as the one I
made.

I want to cross-sign the key, so if the signed person does not want to
sign my key, there is no point in making a signature request to me.

Changelog

-   2021-08-16: First draft
-   2022-02-20: Add keyserver of MIT and Ubuntu
-   2022-02-24: Add QR Code
-   2022-02-24: Only sign Level 2 and 3
-   2022-03-13: Correct spell error
-   2022-03-13: Remove keys.openpgp.org as it does not preserve
    signatures
-   2022-03-13: Fix Outvi V's signature policy link
-   2022-03-13: Fix signature levels which will be made

Credit

Copyright (C) 2021-2022 Celeste Liu.

Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation.

  A signed version of this documentation is available at:
  https://pgp.coelacanthus.moe/policy-signed.txt