GnuPG Key Signing Policy of Paul David Doherty

v1.0.2, last modified: 21.4.2007 23:25:12 CET



  1. Preamble
  2. Location
  3. Prerequisites for signing
  4. The act of signing
  5. Levels of signatures
  6. Trace the path to my keys
  7. Changelog
  8. License


Preamble

This policy is valid for all signatures made by the following GnuPG keys:

pub   1024D/7E3091FF 2001-10-07
uid                  Paul David Doherty <42!>
sub   1024g/E748AFDD 2001-10-07
sub   4096R/5889A856 2006-01-08
sub   1024D/5340383A 2006-01-08
 Fingerprint: B681 4A2C 02A4 423F 38EB  262A 5350 AC63 7E30 91FF

pub   1024R/B02D3A75 1996-07-16
uid                  Paul David Doherty <42!>
 Fingerprint: 0A 4B D3 B9 30 67 65 BE  35 D3 1C 8D 06 74 05 A5

Please note: in this listing of key data "@" has been replaced by "!" - thank the spammers, the scum of the universe.

The keys can be fetched from keyservers or downloaded directly from here:

The v3 key with ID 0xb02d3a75 is only used for correspondence with people unable to use the current v4 keys (i.e. users of PGP 2.6.x). Generally this key does not need to be signed unless you are using a v3 key yourself, since signatures made with v4 keys on v3 keys are not useful to PGP 2.6.x users. Note also that the fingerprint of a v3 key is an MD5 hash and its key ID is simply the low bits of the RSA modulus, so v3 identifiers are far weaker than v4 ones; use the v4 key wherever you can.

This signing policy was adapted from the signing policy of markus reichelt, which was adapted from the signing policy of Marcus Frings, which was adapted from the signing policies of Marc Mutz and Jörgen Cederlöf. This document was originally adapted to my needs on 2006-01-09 and will be followed from that date on. My signing policy might be replaced without further notice, though. In such a case this document will be linked in the new one.

This document is located at


Location

I live in the center of Berlin, the capital of the Federal Republic of Germany, and I am always open to signing keys in my region. The easiest way to verify identity and exchange signed keys is to meet in Berlin. Meetings at computer-related conferences or other events are possible as well. I am also listed on a site for key signing coordination.

Prerequisites for signing

The signee (the key owner who wishes to obtain a signature on his key from me, the signer) must make his public key available on a publicly accessible keyserver.

The signee must prove his identity to me by way of a valid passport (or identity card) or a valid driving license featuring a photograph of the signee. At least one of the UIDs on the signee's key must carry his or her real name, so a key containing only a pseudonym will not be signed, and I will only sign UIDs that contain the signee's real name.

I will check both of these tokens for people I don't personally know. No exceptions.

The signee shall prepare a strip of paper with a printout of the output of

gpg --fingerprint 0x12345678

(or an equivalent command if the signee does not use GnuPG) where 0x12345678 is the key ID of the key to be signed.

A handwritten piece of paper featuring the fingerprint and all UIDs the signee wants me to sign will also be accepted.

I only sign a key under the mutual agreement of cross-signing. No cross-signing, no deal.

A signing request may be declined without giving reasons.

The act of signing

After having received sufficient proof of identity I will sign the signee's piece of paper myself to avoid fraud: the strip I later work from cannot then be swapped for another.

I will send one email to each of the addresses listed in the UIDs I was asked to sign. Each verification mail contains its own random string and is signed by me and encrypted to the public key whose fingerprint is printed on the sheet.

Upon receipt of the encrypted and signed replies I will check the returned random strings for equality with my records.

UIDs which pass the test are signed. If one of the UIDs fails the test, a warning will be sent to the signee and the procedure will be halted until a satisfactory explanation is given.

The signed keyblock will then be mailed to the signee, and the signee emails my signed keys to me.
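The paper-strip check and the verification-mail round trip above, as an added example that is not part of this policy page: a Python script (helper names such as make_challenges, check_reply and evaluate are my own) that compares the fingerprint on the strip with the fetched key, issues one random token per UID, builds the gpg command lines for the signed-and-encrypted challenge, and applies the policy's checks to each decrypted reply by reading gpg's --status-fd output: the message decrypted with my key, the primary fingerprint of the valid signature equals the one on the strip, and the token matches my record for that UID. The sample fingerprint, addresses and status lines are constructed, not real.

```python
"""Bookkeeping for the verification-mail step described above.

Added example, not code from the policy page. GnuPG itself does the signing,
encryption and decryption; this script compares the paper strip with the
fetched key, generates one random token per UID, builds the gpg command lines
and applies the policy's checks to the decrypted replies. All names are the
example's own; the sample data at the bottom is constructed, not real.
"""
import hmac
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Challenge:
    fingerprint: str  # v4 fingerprint of the key to be signed
    uid: str          # user ID the challenge was mailed to
    token: str        # random string, different for every UID


def norm_fpr(fpr: str) -> str:
    """Canonical fingerprint: no spaces, no 0x prefix, upper case."""
    f = fpr.replace(" ", "").upper()
    return f[2:] if f.startswith("0X") else f


def make_challenges(paper_fpr: str, key_fpr: str, uids) -> dict:
    """One challenge per UID, but only if the fingerprint on the signee's
    paper strip matches the key fetched from the keyserver."""
    if norm_fpr(paper_fpr) != norm_fpr(key_fpr):
        raise ValueError("fingerprint on paper does not match the fetched key")
    return {u: Challenge(norm_fpr(key_fpr), u, secrets.token_hex(16)) for u in uids}


def challenge_text(ch: Challenge) -> str:
    """Mail body. Naming fingerprint and UID next to the token stops a reply
    from being recycled for another UID or another key."""
    return ("Key signing verification\n"
            f"Fingerprint: {ch.fingerprint}\nUID: {ch.uid}\nToken: {ch.token}\n"
            "Reply with this token, signed with your key and encrypted to mine.\n")


def gpg_send_argv(ch: Challenge, signer_fpr: str) -> list:
    """Sign with my key, encrypt to the signee's key selected by fingerprint
    (not by name or address), so only the key on the paper strip can read it."""
    return ["gpg", "--armor", "--local-user", norm_fpr(signer_fpr),
            "--recipient", ch.fingerprint, "--sign", "--encrypt"]


GPG_RECV_ARGV = ["gpg", "--status-fd", "2", "--decrypt"]  # status lines on stderr
# [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsv> <pkalgo> <hash> <class> <primary-fpr>
VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG (\S+)(?: \S+){8}(?: (\S+))?")
TOKEN_LINE = re.compile(r"^Token:\s*(\S+)\s*$", re.MULTILINE)


def parse_status(status_output: str):
    """(decryption_ok, primary fingerprint of the valid signature or None).
    VALIDSIG's last field is the primary key even when a signing subkey made
    the signature, so it is the value to compare with the paper strip."""
    decrypted, primary = False, None
    for line in status_output.splitlines():
        if line.startswith("[GNUPG:] DECRYPTION_OKAY"):
            decrypted = True
        m = VALIDSIG.match(line)
        if m:
            primary = norm_fpr(m.group(2) or m.group(1))
    return decrypted, primary


def check_reply(ch: Challenge, plaintext: str, status_output: str):
    """Policy checks for one reply: encrypted to me, signed by the key being
    certified, and carrying the token mailed to this very UID."""
    decrypted, signer = parse_status(status_output)
    if not decrypted:
        return False, "reply was not encrypted to my key"
    if signer != ch.fingerprint:
        return False, f"reply signed by {signer}, not by {ch.fingerprint}"
    m = TOKEN_LINE.search(plaintext)
    if not m:
        return False, "no token line in reply"
    if not hmac.compare_digest(m.group(1), ch.token):
        return False, "token does not match my record for this UID"
    return True, "ok"


def evaluate(challenges: dict, replies: dict):
    """replies: uid -> (decrypted plaintext, gpg status output). Returns
    (passed, failed, pending); per the policy nothing is signed while
    `failed` is non-empty, and `pending` UIDs are simply left unsigned."""
    passed, failed, pending = [], {}, []
    for uid, ch in challenges.items():
        if uid not in replies:
            pending.append(uid)
            continue
        ok, reason = check_reply(ch, *replies[uid])
        if ok:
            passed.append(uid)
        else:
            failed[uid] = reason
    return passed, failed, pending


# Constructed sample: an invented signee key and two invented addresses.
SIGNEE_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
UIDS = ["Alice Example <alice@example.org>", "Alice Example <alice@example.net>"]
STATUS_GOOD = ("[GNUPG:] ENC_TO 1122334455667788 1 0\n"
               "[GNUPG:] DECRYPTION_OKAY\n"
               "[GNUPG:] GOODSIG 76543210FEDCBA98 Alice Example <alice@example.org>\n"
               "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2007-04-21 "
               "1177196400 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567\n")
STATUS_OTHER_KEY = STATUS_GOOD.replace(norm_fpr(SIGNEE_FPR), "A" * 40)


def demo():
    """First UID answers correctly; the second answers from some other key."""
    ch = {u: Challenge(norm_fpr(SIGNEE_FPR), u, f"token-{i}") for i, u in enumerate(UIDS)}
    return evaluate(ch, {UIDS[0]: (challenge_text(ch[UIDS[0]]), STATUS_GOOD),
                         UIDS[1]: (challenge_text(ch[UIDS[1]]), STATUS_OTHER_KEY)})


if __name__ == "__main__":
    print(demo())
```

In use, pipe challenge_text() through the argv from gpg_send_argv() and each reply through GPG_RECV_ARGV, then hand the decrypted body and the captured stderr to evaluate(). Matching the primary fingerprint from VALIDSIG rather than a key ID from GOODSIG matters: a reply made with a signing subkey still has to belong to the key on the paper, and a fingerprint, unlike a key ID, is what the signee actually handed over.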

Levels of signatures

I use only two of the four certification levels GnuPG offers (chosen with --ask-cert-level or --default-cert-level, and recorded in the signature itself), and here's why:

Level 3
A level of 3 is given to sign-and-encrypt keys which pass all of the following checks: I have met the signee in person, I have verified his passport (or identity card) or driving license and his key's fingerprint, and his replies to my verification mails have been correct. Photographic UIDs are also signed with a level of 3.
Level 2
A level of 2 is given to sign-and-encrypt keys which pass all of the following checks: I have verified the signee's passport (or identity card) or driving license and his key's fingerprint, and his replies to my verification mails have been correct. Photographic UIDs are also signed with a level of 2 in this case.
Level 1
A level of 1 will never be used by me. I never sign keys without proper verification of identity.
Level 0
A level of 0 will never be used by me. I only sign keys of real persons.

Please note that I will not accept sign-only keys for signing: the verification mails are encrypted to the key being certified, so a key without encryption capability cannot complete the procedure. Any signatures added to sign-only keys in error will be revoked.

Trace the path to my keys

You can use Henk P. Penning's pathfinder, which also provides alternative paths.



Changelog

Version 1.0.0, 2006-01-09:
Initial release. Adapted from markus reichelt's Version 1.2.0, 2005-10-23.
Version 1.0.1, 2007-02-16:
Cosmetics: Stylesheet code had stopped working. Fixed.
Version 1.0.2, 2007-04-21:
Jason Harris' pathfinder removed (has stopped working).


License

Copyright (c) 2006,2007 Paul David Doherty. (Original copyright (c) 2004 markus reichelt.)

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.

Paul David Doherty <>