[Enigmail] Certificate signing policy

Robert J. Hansen rjh at sixdemonbag.org
Wed Mar 4 07:48:22 CET 2015


Here at Circumvention I've been surprised by the number of people who
have been asking me to sign their certificates.  For all that the Web of
Trust is mostly a broken technology, there are still clearly a lot of
people who rely on it.  There are also a lot of disconnected, isolated
communities of privacy enthusiasts who would like to have some way to
communicate in a trusted way with other communities.

They're hoping that Enigmail will be able to help, since we have a
certificate set which is widely trusted within the community.  (Set
aside for right now arguments over whether people *should* trust our
certificates without doing face-to-face meet-ups and fingerprint
verifications and everything else; clearly, people *do* trust our
certificates.)

So, if you see my signature on a certificate, here's what it means.  I have:

    1.  Met this person face-to-face
    2.  Received their fingerprint from them
    3.  Received their email address from them
    4.  Seen at least one form of government-issued
        identification
    5.  Verified the email address on their user ID
        matches the email address they gave me
    6.  Verified the fingerprint on their certificate
        matches the fingerprint they gave me

Finally, I do not upload certificates to the keyservers without the
certificate owner's permission.
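
Checks 5 and 6 in the list above can be run mechanically against GnuPG's colon-delimited key listing (`gpg --with-colons --fingerprint`). The sketch below is an added example, not part of the original post or of Enigmail; the key listing, name and addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint` output for a
# made-up key; this is not a real certificate.
SAMPLE_LISTING = (
    "pub:-:4096:1:89ABCDEF01234567:1420070400:::-:::scESC:\n"
    "fpr" + ":" * 9 + "0123456789ABCDEF0123456789ABCDEF01234567:\n"
    "uid:-::::1420070400::AAAA0000::Alice Example <alice@example.org>:\n"
    "uid:-::::1420070400::BBBB1111::Alice Example <alice@work.example>:\n"
    "sub:-:4096:1:0123456789ABCDEF:1420070400::::::e:\n"
    "fpr" + ":" * 9 + "89ABCDEF0123456789ABCDEF0123456789ABCDEF:\n"
)

def parse_listing(listing):
    """Return (primary key fingerprint, [user IDs]) from colon-format output."""
    primary, uids, last = None, [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            last = f[0]                      # an fpr record belongs to the key before it
        elif f[0] == "fpr" and last == "pub" and primary is None:
            primary = f[9].upper()           # field 10 holds the fingerprint
        elif f[0] == "uid":
            # Field 10 holds the user ID; gpg escapes ':' and similar as \xNN.
            uids.append(re.sub(r"\\x([0-9a-fA-F]{2})",
                               lambda m: chr(int(m.group(1), 16)), f[9]))
    return primary, uids

def normalize_fpr(text):
    """Drop spaces and colons from a fingerprint as written on paper."""
    return re.sub(r"[\s:]", "", text).upper()

def uid_email(uid):
    """Extract the address inside the trailing <...> of a user ID, if any."""
    m = re.search(r"<([^<>]+)>\s*$", uid)
    return m.group(1).lower() if m else None

def check(listing, given_fpr, given_email):
    """Compare what the owner handed over with what the certificate says."""
    primary, uids = parse_listing(listing)
    # Full-length equality only: a key ID or a subkey fingerprint must not pass.
    fpr_ok = primary is not None and normalize_fpr(given_fpr) == primary
    # Assumption: addresses are compared case-insensitively.
    wanted = given_email.strip().lower()
    return {"fingerprint_matches": fpr_ok,
            "uids_to_sign": [u for u in uids if uid_email(u) == wanted]}
```

Only the user IDs returned in `uids_to_sign` carry the address that was given in person; other user IDs on the same certificate fall outside check 5.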

