PGP/GnuPG Certificate Practice Statement (CPS)

Real Names

Before I sign a PGP (Pretty Good Privacy)/GnuPG (GNU Privacy Guard) key belonging to a real person, I check that:

  1. The person can present a government-issued photo ID bearing a name similar* to the one on the public key servers.
  2. The government-issued ID is from a government I recognize.
  3. The individual exercises at least the same level of caution in signing other people's keys.

*Common short forms of first names and initials for middle names are okay.

By signing this person's key and uploading the signature, I'm certifying that, within the limits of a casual check of a tamper-resistant government-issued ID, I'm confident that the recipient is recognized under that name by that government.

I'm also certifying that the person demonstrated similar caution in signing the IDs of others.

Aliases or Pseudonyms

Before signing an alias, I check that:

  1. The alias is known to me
  2. The alias is reasonably well known to others who I know personally
  3. The alias has existed for at least 3 months
  4. The alias is reasonably unique and obviously an alias
  5. In the medium where the alias is being used, the person has control over the alias (e.g., they can receive email, post blog entries with predetermined content etc.)
  6. There's a lawful reason for the alias to exist
  7. The individual exercises at least the same level of caution in signing other people's keys
  8. The individual knows what a revocation certificate is and how to use one

By signing this person's alias and uploading the signature, I'm certifying that the person has demonstrated control over the alias, that I have reason to believe that they're the rightful holder of the alias in the context presented, and that the alias exists for lawful purposes.

I'm also certifying that the person demonstrated similar caution in signing the IDs of others.

Organizations or Corporations

Before signing a key for an organization or corporation (hereafter "organization"), I check that:

  1. The organization is known to me
  2. The organization is reasonably well known to others who I know personally
  3. The organization has existed for at least 3 months
  4. The organization name is not an obvious trademark violation or attempt to confuse or deceive
  5. The individual representing the key has authority to create a key for the organization
  6. The individual representing the key has access to financial or secret records
  7. There's a good, lawful reason for the organization to exist
  8. The individual exercises at least the same level of caution in signing other people's keys
  9. The individual knows what a revocation certificate is and how to use one
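
The alias and organization checklists both ask whether the key holder knows how to use a revocation certificate. The script below is an added example, not part of this CPS, that walks a revocation through end to end in a throwaway keyring with GnuPG 2.1 or later: it creates a key, imports the revocation certificate that GnuPG writes to openpgp-revocs.d/ at key creation, and reads the key's validity flag before and after. The user ID and address are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the CPS): exercise a GnuPG revocation certificate
# end to end in a throwaway keyring. Requires gpg >= 2.1 (which writes a
# revocation certificate to openpgp-revocs.d/ when a key is created).
# The user ID below is a constructed placeholder.
set -eu

# Prints the fingerprint of the primary key in $GNUPGHOME (first "fpr" record).
primary_fpr() {
    gpg --batch --list-keys --with-colons 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Prints the validity flag of a primary key: "u" = ultimately trusted own
# key, "r" = revoked (field 2 of the "pub" record in --with-colons output).
key_validity() {
    gpg --batch --list-keys --with-colons "$1" 2>/dev/null \
        | awk -F: '$1 == "pub" { print $2; exit }'
}

# Creates a passphrase-less test key that never expires and prints its fingerprint.
make_test_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Test Alias <alias@example.invalid>' default default never 2>/dev/null
    primary_fpr
}

# Imports the revocation certificate GnuPG generated at key creation.
# GnuPG prefixes the armor header in openpgp-revocs.d/<FPR>.rev with ':'
# so the file cannot be imported by accident; stripping that colon is the
# documented way to arm the certificate. Publishing it (e.g. to a key server)
# is what tells other people the key is no longer to be used.
apply_revocation() {
    fpr="$1"
    sed 's/^://' "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" \
        | gpg --batch --quiet --import 2>/dev/null
}

# Runs the whole demonstration in an isolated GNUPGHOME and prints
# "<validity before> <validity after>", expected "u r".
demo_revocation() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    fpr=$(make_test_key)
    before=$(key_validity "$fpr")
    apply_revocation "$fpr"
    after=$(key_validity "$fpr")
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    echo "$before $after"
}

# Usage: run the script directly to see the flag flip from "u" to "r".
demo_revocation
```

Because the example works in a freshly created GNUPGHOME it never touches the user's real keyring; the same sed-and-import step applied to a real key's .rev file is irreversible once the result is uploaded, which is exactly why the checklist asks that the holder understands it beforehand.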

By certifying an organization, I'm certifying that the individual has demonstrated authority and privilege within the organization.

I'm also certifying that the person demonstrated similar caution in signing the IDs of others.

Mike Kallies

A signed copy is available at: https://mike.kallies.ca/pgp-cps.txt