OpenPGP Key Signing Policy of Henrik Nordström


  1. Preliminaries
  2. Prerequisites for signing
  3. Signature Classes
  4. The act of signing
  5. Changelog


This policy is valid from the 29 of October, 2006, for signatures made by the OpenPGP key with Key ID 0x39CC33DB, created 2004-12-21, fingerprint

pub   1024D/39CC33DB 2004-12-21
      Key fingerprint = 7995 07A7 43F2 18BF 7F55  5459 E75E 90C0 39CC 33DB

It may be replaced at any time with a new version. If a new version incorporates changes that might affect the strength or perceived strength of the resulting signature, the old version will be linked from the new one.

This is version 2006-10, the first revision. It can also be found under found under the URL Current revision of this policy can always be found under the URL

This document has been signed and can be verified by GnuPG or other OpenPGP compatible tools.

Prerequisites for signing

The signee (ie. the key holder who wishes to obtain a signature from me, the signer) must make her OpenPGP public key available on a publicly accessible keyserver, such as the servers.

The signee must prove her identity to me by way of a national ID card, a driver's licence or a credit card. The token must feature a photographic picture of the signee.

For people from outside the European Union, only a combination of at least two of the above tokens will be accepted. Exceptions will be made when the signee can come up with other means of proof of identity. But at least one of the above tokens will stay the minimum requirement.

The signee should have prepared a strip of paper with a printout of the output of

gpg --fingerprint 0xDEADBEEF

(or an equivalent command if she is not using GnuPG), where 0xDEADBEEF is the key ID of the key that is to be signed.

Signature Classes

I will sign keys using one of three signature classes:

Signature Class III
Used when it has been verified within reasonable doubt that the email address really belongs to the key owner. Typically this is done by sending the signature in encrypted form to the signee
Signature Class II
Used for sign-only keys where only the identity of the key holder have been verified.
Signature Class 0
Psuedo-identity signatures, or other weak bindings. I.e. persons using a psuedonym instead of their real name or non-personal keys.

A signature of Class III always means the name and email addresses were verified to belong to the signee.

A signature of Class II always means the email addresses were not verified to belong to the signee, only the name has been verified.

A signature of Class 0 ueually means that the name of the signed key identity could not be verified, but I have verified the identity of someone using this identity in person.

The act of signing

The signee should present a strip of paper containing the name of the signee and the key fingerprint to me in person together with recognised identifications means. For efficiency, exceptions will be accepted on larger keysigning parties following reasonable procedures.

At home, I will send encrypted emails containing the signatures to each user ID found in the verified keys, one email per ID and containing only the signature for that specific ID. It's the signees responsibility to publish the signature on relevant key servers.

For sign-only keys without encryption keys at most a Class II signature will be issued, unless the email address can be verified by other strong means.

The signee may ask for the signature to be distributed by other means, in which case typically at most a Class II signature will be issued.


Layout change to have the signature classes listed in strength order matching the comments. Content unchanged.
Inivial revision. Based on the OpenPGP Key Signing Policy of Marc Mutz (v2) but modified to reflect my policy which has been in use since the creation of my current key.
Henrik Nordström, 2006-10-29