1. Trust

Signatures might not be worth much. In my specific case, they might be worth even less: I might check personal ID documents before signing a key, but I usually don't. Sometimes, I just sign keys without asking, or without any indication of the real, physical identity of the owner.

I think tying keys to e.g. government-issued identities is silly most of the time (what does a government-issued identity document prove? worse, what relation does an ID document prove about the ownership of a specific e-mail address? Only few people do a challenge/response on the e-mail address, and even fewer do it correctly).

All this is being reflected by my key signing policy.

2. Signing

I do try to get the signature type correct (casual examination usually means I got the key fingerprint via two independent channels, e.g. phone and e-mail, substantial verification usually means that I know the person personally and know it's her/his key). You cannot rely on that, though (you couldn't rely on my claims anyway, but I admit it openly).

3. Key Safety

I store my key, which is used for signing and everyday communications, on both my laptop and my desktop machine. My laptop is with me almost all the time, even to big events with many gifted and possibly malicious people.

If the above teaches you something, that's good. If you already knew, it's even better.

Marc Lehmann
old: 475A FE9B D1D4 039E 01AC C217 A1E8 0270 DA74 3396
new: 904A D2F8 1FB1 6978 E753 6F72 6DEA 2BA3 0BC3 9EB6

PS: Please note that this document isn't signed. It wouldn't mean much if it were signed, either. It might get signed later, for purely technical reasons.