PGP Key Signing Introduction
Template to suggest key signing to enhance the web of trust and/or address a key tampering attack
I hope you are doing great.
I am [IH’s name], a member of the Access Now Helpline Team. I am contacting you to inform you that I am going to sign your public key. I have a copy of your public key “[Client public key fingerprint]” and will sign it with my own key “[your key fingerprint]” as part of the resolution of case [case number].
This operation consists of adding a cryptographic signature to your public key, and is aimed at building and strengthening trust within the web of trust and towards our partners and users in civil society.
Having your key signed is a way to counter PGP key tampering attacks. In this kind of attack, a malicious actor creates a key whose ID looks similar to yours and publishes it online, in order to impersonate you, to create confusion among your contacts, or even to read emails that were meant for you but were encrypted with the fake key. This can be avoided by having your public key signed, since your contacts will not trust or sign the fake key. Signing a key is a way of attesting that the key owner is also the legitimate owner of the associated email account. As a trusted member of civil society, I will gladly sign your public key once you reply with your approval.
Please note that before uploading your public key to a keyserver, it is a good idea to take a moment to consider whether you want the whole world to know that you are using an encryption key, without the ability to remove this information at a later time.
Even if you have no problem with your key being publicly available on the keyservers, please consider that once I’ve signed it and you have updated it on the keyservers, your connection with the Access Now Digital Security Helpline will become public, so please let us know if you feel that this could entail any risks for you.
Kind Regards, [IH’s Name]
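The template above asks the client to confirm the fingerprint before the key is signed. The following shell functions, added here as an illustration and not part of the Access Now template, show the check a signer should run: compare the full 40-character fingerprint verified over a trusted channel against the one actually held in the keyring, and only then sign with gpg. GnuPG 2.x is assumed; the fingerprints used in comments and tests are constructed placeholders.

```shell
# Added example (not part of the Access Now template): verify a key's
# fingerprint out of band before signing it with gpg. Assumes GnuPG 2.x;
# any fingerprints shown here are constructed placeholders.

# Normalise a fingerprint for comparison: drop spaces, upper-case the hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Return 0 only if the fingerprint you verified with the key owner
# (by phone, in person, or over another trusted channel) matches the
# one in your keyring character for character and is the full 40 hex
# digits. Never compare short key IDs: a look-alike key can share those,
# which is exactly the tampering attack the template warns about.
fingerprints_match() {
    expected=$(normalize_fpr "$1")
    actual=$(normalize_fpr "$2")
    [ ${#expected} -eq 40 ] && [ "$expected" = "$actual" ]
}

# Read the fingerprint gpg actually holds for a key, using the
# machine-readable --with-colons output ("fpr" record, field 10).
keyring_fingerprint() {
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Sign only when the out-of-band fingerprint matches what the keyring
# holds, then list the resulting signatures and export the signed key
# so the owner can publish it. Arguments: <verified fingerprint> <output file>.
sign_after_verify() {
    verified=$(normalize_fpr "$1")
    held=$(keyring_fingerprint "$verified")
    if ! fingerprints_match "$verified" "$held"; then
        echo "fingerprint mismatch or key not in keyring; not signing" >&2
        return 1
    fi
    # --quick-sign-key requires the full fingerprint, which is what we want.
    gpg --batch --yes --quick-sign-key "$verified" || return 1
    gpg --check-sigs "$verified"
    gpg --armor --export "$verified" > "$2"
}
```

Run as `sign_after_verify "<fingerprint read back to you by the owner>" signed-key.asc`; the export is what the owner uploads or distributes, the signing step is refused on any mismatch.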