Benjamin Esham

PGP Key Signing Policy

I don’t use it very much but I do have a PGP key. This document describes the semantics of the signatures I make on other people’s keys.

At any given time I have one active personal key and one active work key. (I only use the work keys for work-related things so their details are not given here.) The policy on this page applies to any signatures that point to this document as the policy URL.

Here’s a summary of my personal key (which you can download here):

4096-bit RSA public key
Creation date: 2014-09-19
Fingerprint: E663 1535 1E9B 2ACF 357F  5C34 F533 D909 7997 4D79

uid                  Benjamin D. Esham <benjamin@esham.io>
sub   4096R/ED4B0EC6 2014-09-19

My previous personal key was revoked due to old age:

1024-bit DSA public key
Creation date: 2000-09-19
Revocation date: 2015-02-12
Fingerprint: C385 21B9 B701 6D1B 67C6  2705 CCE0 B74D D676 BB9A

uid                  Benjamin D. Esham <benjamin@bdesham.info>
uid                  Benjamin D. Esham <bdesham@gmail.com>
uid                  Benjamin D. Esham <esham2@illinois.edu>
uid                  [jpeg image of size 9723]
sub   4096R/A6893A49 2010-08-01 [expires: 2015-08-01]

If you wish to contact me, please use the esham.io email address.

Signature levels

Level 0 (generic certification)
I will issue this type of signature for keys that represent a group or an organization. My signature on such a key indicates only that I am “pretty sure” that there is a correspondence between the key and the group.
Level 1 (persona certification)
I do not use this type of signature.
Level 2 (casual certification)
This kind of signature indicates only that the same person controls the key and the email addresses listed in the signed UIDs. No claim is made regarding the connection between the key and any real-life identity.
Level 3 (positive certification)
I will issue this signature if I have personally met the keyholder in reasonable conditions and verified their identity against a government-issued photo ID. I will accept a passport from any country or a driver's license from a U.S. state. It would be ideal if the keyholder could give me a written version of their key fingerprint and a list of the UIDs to be signed.
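The four levels above correspond to the OpenPGP certification classes 0x10 through 0x13, and the policy URL mentioned at the top of this page travels with each signature as a signature subpacket. The following script is an added illustration (not the author's tooling, and not part of this policy) of how a relying party can read both from a key listing: it parses `gpg --list-sigs --with-colons --list-options show-sig-subpackets` output, maps each certification to the level it claims, and flags which ones point at this policy. It assumes the colon-format record layout documented in GnuPG's doc/DETAILS (user ID in field 10 of `uid` records; signer key ID, signer user ID and signature class in fields 5, 10 and 11 of `sig` records; subpacket number and data in fields 2 and 5 of the `spk` record that follows a signature), assumes the policy URL is https://esham.io/pgp-key-signing-policy (the version history gives the path and says the site is HTTPS-only), and uses a constructed sample listing in which only the primary key ID and fingerprint are taken from this page.

```python
"""Classify the certifications on an OpenPGP key from `gpg --with-colons` output.

Added illustration, not the author's tooling. Assumes the GnuPG doc/DETAILS
colon-format layout: `uid` records carry the user ID in field 10; `sig` records
carry the signer key ID (field 5), signer user ID (field 10) and signature
class (field 11, two hex digits plus 'x' exportable / 'l' local); `spk` records
(emitted with --list-options show-sig-subpackets) follow their signature with
the subpacket number in field 2 and the data in field 5.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# OpenPGP certification classes (RFC 4880 section 5.2.1) matched to the levels above.
CERT_LEVELS = {
    0x10: "Level 0 (generic certification)",
    0x11: "Level 1 (persona certification)",
    0x12: "Level 2 (casual certification)",
    0x13: "Level 3 (positive certification)",
}
POLICY_URL_SUBPACKET = 26  # Policy URI subpacket, RFC 4880 section 5.2.3.20
# Assumed URL of this policy page (path from the version history; site is HTTPS-only).
POLICY_URL = "https://esham.io/pgp-key-signing-policy"


@dataclass
class Certification:
    uid: str
    signer_keyid: str
    signer_uid: str
    sig_class: int
    exportable: bool
    self_signature: bool
    policy_urls: List[str] = field(default_factory=list)

    @property
    def level(self) -> Optional[str]:
        """Policy level name, or None for classes that are not certifications."""
        return CERT_LEVELS.get(self.sig_class)

    @property
    def under_this_policy(self) -> bool:
        return POLICY_URL in self.policy_urls


def _unescape(value: str) -> str:
    # Colon output escapes a literal colon inside a field as \x3a.
    return value.replace("\\x3a", ":")


def parse_colon_listing(text: str) -> List[Certification]:
    """Return one Certification per signature made on a user ID.

    Direct-key signatures and subkey bindings (class 0x18) are skipped: only
    certifications on user IDs say anything about who controls the key.
    """
    certs: List[Certification] = []
    own_keyid: Optional[str] = None
    current_uid: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            own_keyid = f[4]
            current_uid = None
        elif rec == "sub":
            current_uid = None  # signatures that follow bind the subkey, not a UID
        elif rec == "uid":
            current_uid = _unescape(f[9])
        elif rec == "sig" and current_uid is not None:
            cls = f[10]  # e.g. "13x"
            certs.append(Certification(
                uid=current_uid,
                signer_keyid=f[4],
                signer_uid=_unescape(f[9]),
                sig_class=int(cls[:2], 16),
                exportable=cls.endswith("x"),
                self_signature=(f[4] == own_keyid),
            ))
        elif rec == "spk" and certs and current_uid is not None:
            if int(f[1]) == POLICY_URL_SUBPACKET:
                certs[-1].policy_urls.append(_unescape(f[4]))
    return certs


def report(text: str) -> List[str]:
    """One line per third-party certification; self-signatures vouch for nothing."""
    lines = []
    for c in parse_colon_listing(text):
        if c.self_signature:
            continue
        level = c.level or f"non-certification class 0x{c.sig_class:02x}"
        policy = "this policy" if c.under_this_policy else "no or other policy URL"
        lines.append(f"{c.uid}: {level} from {c.signer_keyid} ({policy})")
    return lines


# Constructed sample listing. Primary key ID and fingerprint are from this page;
# the signer key IDs, user IDs and the subkey's long ID are placeholders.
SAMPLE_LISTING = r"""
pub:u:4096:1:F533D90979974D79:2014-09-19:::u:::scESC::::::23::0:
fpr:::::::::E66315351E9B2ACF357F5C34F533D90979974D79:
uid:u::::2014-09-19::0123456789ABCDEF0123456789ABCDEF01234567::Benjamin D. Esham <benjamin@esham.io>::::::::::0:
sig:::1:F533D90979974D79:2014-09-19::::Benjamin D. Esham <benjamin@esham.io>:13x:::::8:
sig:::1:0000000000000001:2016-03-25::::Example Signer (constructed) <signer@example.org>:12x:::::8:
spk:26:2:39:https\x3a//esham.io/pgp-key-signing-policy:
sig:::1:0000000000000002:2016-03-25::::Another Signer (constructed) <other@example.org>:10x:::::8:
sub:u:4096:1:00000000ED4B0EC6:2014-09-19:::::e::::::23:
sig:::1:F533D90979974D79:2014-09-19::::Benjamin D. Esham <benjamin@esham.io>:18x:::::8:
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LISTING)))
```

Run against a real listing, this tells you at a glance whether a given signature claims level 2 or level 3 semantics and whether the signer actually bound it to this policy; a level 3 certification without the policy URL should not be read under the rules on this page.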

Signing procedure

I will send the signed key to the keyholder only; the keyholder can distribute these as he or she sees fit. My signature for each UID will be delivered to that UID only, so my signature on e.g. an email address confirms that the key owner has access to that email address. I will sign UIDs containing photos, XMPP addresses, etc. at my discretion. If the UIDs I signed contain contact information, each signature will be sent to the corresponding address, encrypted if possible. If some UIDs do not specify contact information, the signature for these UIDs will be sent to the address on one of the other signed UIDs. If none of the UIDs to be signed give contact information then the keyholder must specify during our meeting where the signatures should be sent.

Version history

May 16, 2018
Changed the definition of level 2 signatures to include non-pseudonymous keys. Removed a bunch of superfluous information about my work keys. Started hosting my public key here on my own site.
March 25, 2016
Changed the URL of this page to reflect the fact that this site is now HTTPS-only. Added information about my Ellucian key and the revocation of my Bristol Instruments key.
February 12, 2015
Added information about my new personal key and the revocation of the old one.
May 27, 2014
Changed the URL of this page to http://esham.io/pgp-key-signing-policy.
August 11, 2013
Added information about my Bristol Instruments key.
June 19, 2011
Changed URL to http://www.bdesham.info/pgp-key-signing-policy. Added contact information and a link to the actual key at the MIT key server.
March 3, 2011
Initial upload.