Confidence in the authenticity of a public key is enhanced by the key being signed by a trustworthy certifier. Additional reassurance comes from having signatures from several keys, so that if one should be compromised, the remaining signatures still vouch for the authenticity of the key.
It is recommended that each institution create two or more PGP key pairs to be used only for the purpose of signing the public keys belonging to members of the institution, thereby vouching for those keys' identity. We deliberately leave unspecified the term ``institution''; we expand on the meaning of ``member'' below. Depending on circumstances, an institution might be an Oxbridge college, a university department, an entire university, or UKERNA as a whole. The vital requirement is that signatures made by a certification key on other keys be beyond reproach.
In practice, this means that the following criteria must be met:
It is recommended, though not obligatory, that the only keys to be signed with a certification key be those belonging to members of the institution; those used by services provided by the institution; and the certification keys of sub-institutions. So, for instance, the Department of Experimental Theology at Neasden University would certify keys belonging to their staff and also the key used by Postmaster@expth.neasden.ac.uk; the departmental certification keys would themselves be signed by the university's certification keys. The university would be willing to sign the key of any member of the university as well as its departmental certification keys; its keys would themselves be signed by the master UKERNA keys, which would themselves be signed by other similar organizations. Some departments may be so small that they would not have certification keys; their members would rely on the university's certificates.
If a trustworthy certification heirarchy can be set up in this manner, we would expect PGP users to trust their department, university and UKERNA to act as introducers and, thereafter, keys signed by any of these would be accepted as genuine without the user being questioned by PGP. To verify the authenticity of a key supposedly belonging to a member of a different institution, the user would need at least one of the public keys of its certifiers, at least one of the certifiers of that key, and so on until a key is reached which has been signed by an authority present in the chain of certifiers of the user's own key. In an ideal world, these intermediate keys would be fetched automatically and invisibly by the MUA as required.
As signatures cannot be revoked (at least under PGP 2. x), it would be useful to include an expiry date in the certifying key's userID. Some time before expiry of the key, all users have to ask to have their keys re-signed with new keys before the old ones are revoked. Version 3.0 of PGP is expected to implement signature revocations, and it may be that this will be sufficient.