Tony Annese's PGP/OpenPGP/GPG Policy

To communicate with me using PGP/OpenPGP/GPG please use the key below.

pub   4096R/50C93F68 2012-05-12 [expires: 2020-01-03]
     Key fingerprint = 1A25 3C0C 07D2 B123 49E5  1CDB 8DD3 BE3A 50C9 3F68
uid	Tony Annese 
uid	Tony Annese 
uid	Tony Annese 
uid	Anthony Annese 
sub   4096R/29EDDBA9 2012-05-12 [expires: 2017-01-01]

You can import it from here, or any good keyserver.

Previous Keys No Longer In Use
FFC58E98 dated 2003-07-06
1E0DC081 dated 1998-09-01
BDE29711 dated 1996-06-05

Signed Keys
See the complete list of keys I have signed here

Key Signing Policy

This policy is valid from 2016-03-23 for all signatures made by the GnuPG key

pub   4096R/50C93F68 2012-05-12

     Key fingerprint = 1A25 3C0C 07D2 B123 49E5  1CDB 8DD3 BE3A 50C9 3F68

It may be replaced at any time with a new version. If a new version incorporates changes that might affect the strength or perceived strength of the resulting signature, the old version will be linked from the new one in the changelog at the bottom of this page.

I am willing to sign (= certify) the following categories of public keys:

Personal
Corporate (work e-mail addresses)
Group E-mail Addresses

I have a fairly strict key signing policy that I adhere to. This policy is described in the details below. As a part of this policy I maintain a registry of the keys I have signed and the verification steps I took before signing on this website. A link to the appropriate entry in this registry is appended to each UID I sign as a policy URL.

If you wish to meet up with me to sign your key it is recommended that you bring a hardcopy of your fingerprint (created using gpg --fingerprint) to exchange with me.

If the signee wishes to obtain a signature to a photographic user ID, the printout should contain the image of that photographic user ID. A printout or photocopy of a photo clearly showing the same person as in the photographic user ID will also be accepted.

The signee should make his/her public key available on a publicly accessible keyserver, such as https://pgp.mit.edu/. The signee should be willing to cross-sign with me.

Despite debate over the value of the different signature types (see RFC 2440 section 5.2.1). I perceive them to be beneficial, if only for my own personal use. The table below lists the minimum requirements that I will require to be satisfied before I sill sign a UID. This table is a guide and you should refer to the policy URL on an individual signature for the definitive description of the steps I took before signing that particular UID.

Type	Description	My Policy
0x10	Generic Certification	I will issue this type of signature for keys that represent a group or an organization. My signature on such a key indicates only that I am “pretty sure” that there is a correspondence between the key and the group.
0x11	Persona Certification	I do not sign with this signature type
0x12	Casual Certification	To sign your key with a casual signature I will need to have met you in person and sighted at least one(1) form of government issued photo identification such as drivers license, passport, TWIC card, military ID, etc. I prefer to have a hard copy of your UID and fingerprint especially if we are meeting in a group setting.
0x13	Positive Certification	To sign your key with a positive signature you will need to satisfy my requirements for a casual signature AND additionally, have been personally known to me for at least one year. --OR-- I will need to have met you in person and sighted at least two(2) forms government issued photo identification such as drivers license, passport, TWIC card, military ID, etc. Again, I prefer to have a hard copy of your UID and fingerprint especially if we are meeting in a group setting.

On a secure machine, I sign your key with GnuPG like so:


$ gpg --ask-cert-level \
--cert-policy-url http://www.annese.org/pgp \
--cert-notation 50C93F68@annese.org=http://annese.org/pgp/signed/%f.notes.txt \
--sign-key them@something.com

Signature levels
The ask-cert-level option allows me to tell the keyservers how carefully I have verified your IRL identity, and certified your OpenPGP identity.

What level I sign your key based on the table above.

Why are you sending me email?
If we recently met and exchanged key details with a view to signing each others keys then it is highly likely that you will receive an encrypted email from me. Within that email (when decrypted) will be the signature for your key. You will receive one email to each UID listed on your key. The purpose of these encrypted emails is to ensure that you (the holder of the key I signed) are in control of the email addresses associated with the signed UIDs.

You will receive emails to multiple UIDs, it is necessary to decrypt and import the signature from each one individually. If you need info on what to do with these you can find the info at https://www.phildev.net/pgp/gpgsigning.html in the Making signatures you receive available section toward the bottom.

Comments
If you have comments about my key signing policy, please feel free to contact me using the first UID in my key. Changelog

23 Mar 2016 - First Version based off of https://diti.me/pgp/ ,https://www.mattb.net.nz/keys/ , https://esham.io/pgp-key-signing-policy , and http://www.elho.net/crypto/policy/
25 Apr 2016 - Revised policy to reflect only Government Issued photo ID needed/required for signature purposes.