C:\>gpg --fingerprint f8be0b1d
pub   4096R/F8BE0B1D 2011-06-25
      Key fingerprint = 132B 3C23 28EB 908F 524B A6F5 F001 E1C8 F8BE 0B1D
uid                  Paul Walker <firstname.lastname@example.org>
uid                  Paul Walker <email@example.com>
sub   4096R/6BB8CC8E 2011-06-25
This key has been replaced by F8BE0B1D. It may be revoked at some point.
C:\>gpg --fingerprint 99331194
pub   1024D/99331194 2007-07-25
      Key fingerprint = ABE3 EDFC F566 5A79 9842 6CD9 DED0 B3CF 9933 1194
uid                  Paul Walker <firstname.lastname@example.org>
uid                  Paul Walker <email@example.com>
uid                  Paul Walker (P72endragon) <firstname.lastname@example.org>
sub   2048g/948B578B 2007-07-25
Key Signing Policy
If you want me to sign a key, I need to satisfy myself that:
1. You own the private key
2. You own the e-mail address(es) on the user IDs
3. The name on the user ID is correct/not misleading
I satisfy conditions 1 and 2 by sending an e-mail to each user ID on the key you want me to sign. The e-mail will contain an encrypted message. If you can decrypt it and send it back to me in an e-mail signed by the same key, that confirms the link between the private key and the e-mail address.
Condition 3 is a little trickier. Unless I know you well, the only way to do this is to meet and for you to show me some ID. You will also need to give me the fingerprint of the key.
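The challenge/response check described above, as an added example that is not part of this policy page: a bash script that runs the whole exchange against two throw-away keys in a temporary keyring (GnuPG 2.1+ on PATH is assumed; the names, addresses and challenge text are constructed for the demo). The part worth noting is step 3: the signer accepts the reply only if the good signature comes from the key whose fingerprint was supplied, not merely because the reply is signed.

```shell
#!/usr/bin/env bash
# Added example, not the author's own script: the e-mail challenge/response
# from the policy, run end to end against two throw-away keys in a temporary
# keyring. Assumes GnuPG 2.1+ on PATH; the names, addresses and the challenge
# are constructed for the demo.
set -eu
export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill all 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

gen_key() {   # $1 = user ID; unprotected key, suitable only for this demo
  gpg --quiet --batch --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$1" default default never 2>/dev/null
}
gen_key 'Signer <signer@example.org>'
gen_key 'Applicant <applicant@example.com>'

# Primary-key fingerprint the applicant handed over; the reply must be signed by it.
APPLICANT_FPR=$(gpg --with-colons --list-keys applicant@example.com | awk -F: '/^fpr:/ {print $10; exit}')

# Step 1 (signer): random challenge, encrypted to the key, mailed to the uid's address.
CHALLENGE=$(gpg --gen-random 1 16 | od -An -tx1 | tr -d ' \n')
printf '%s\n' "$CHALLENGE" | gpg --quiet --batch --trust-model always --armor \
    --encrypt --recipient applicant@example.com > "$GNUPGHOME/challenge.asc"

# Step 2 (applicant): decrypt it and send it back clear-signed with the same key.
gpg --quiet --batch --decrypt "$GNUPGHOME/challenge.asc" 2>/dev/null \
    | gpg --quiet --batch --local-user applicant@example.com --clearsign > "$GNUPGHOME/reply.asc"

# Step 3 (signer): accept only if the signature is good, was made by the expected
# key (a good signature from *some* key proves nothing), and the signed text
# echoes the challenge that was sent to this address.
verify_reply() {   # $1 = reply file, $2 = expected fingerprint, $3 = challenge sent
  local status
  status=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null) || return 1
  printf '%s\n' "$status" | grep -qE "VALIDSIG .*$2( |$)" || return 1
  [ "$(gpg --quiet --batch --decrypt "$1" 2>/dev/null)" = "$3" ]
}

if verify_reply "$GNUPGHOME/reply.asc" "$APPLICANT_FPR" "$CHALLENGE"; then
  echo "uid applicant@example.com confirmed for key $APPLICANT_FPR"
else
  echo "reply rejected"; exit 1
fi
```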
There is an interesting paragraph in this “keysigning party howto” document where it talks about signing “role keys” or “pseudonym keys”. If you want me to sign such a key, please get in touch and we’ll see if we can work something out.
I’m conscious that GPG has a pretty steep learning curve, and is hardly getting any traction outside of the “geek” community. With that in mind, I don’t see why keysigning has to be overly complex or formal (reading some people’s keysigning policies, it’s easier to get a passport than to get them to sign your key!). This seems to be in agreement with comments from Phil Zimmermann.