Signing people with only one form of ID?

Robert J. Hansen rjh at
Thu Feb 28 03:45:50 CET 2008

Another couple of thoughts--

> I know I am free to do whatever I want, but I am looking for
> feedback and, perhaps, consensus from the community.

If I recall correctly, OpenPGP explicitly has six different 
certification levels (in the range 0-5), but it does not specify any 
semantic meaning to each level.  They make recommendations, but those 
recommendations are not really binding.

To muddy the waters further, many OpenPGP implementations either fail to 
support certification-level distinctions, or make you jump through hoops 
in order to do it.  Those hoops are often error-prone.

E.g., GnuPG.  GnuPG's default certification level is a 3.  If I see a 
signature on someone's key, I know absolutely nothing.  Maybe it's a 
simple persona-level cert, in which case they should have certified it 
with a 0 but they just forgot to set the cert level.  Maybe it's a "I 
have his DNA and fingerprints on file with me and I asked the FBI to 
check him out", in which case they should have certified it as a 5 but 
they just forgot to set the cert level.  Etc., etc.

Because of these three factors--no semantic meaning associated with 
certification levels, some OpenPGP implementations not supporting the 
distinctions, and many implementations making it easy to forget that 
such distinctions exist--my default policy is to treat all signatures as 
unchecked persona-level IDs unless I know the signer personally and know 
they have a signature policy.

More information about the Gnupg-users mailing list