There are different classes of certifications. Quoting RFC 4880, OpenPGP, 5.2.1. Signature TypesRFC 4880, OpenPGP, 5.2.1. Signature Types:
replaced https://tools.ietf.org/html/rfc with https://www.rfc-editor.org/rfc/rfc
replaced http://security.stackexchange.com/ with https://security.stackexchange.com/
Because of this, some people post certification policies. I provided some discussion in What are you saying when you sign a PGP key?What are you saying when you sign a PGP key?
Because of this, some people post certification policies. I provided some discussion in What are you saying when you sign a PGP key?
Because of this, some people post certification policies. I provided some discussion in What are you saying when you sign a PGP key?
Certification Levels
There are different classes of certifications. Quoting RFC 4880, OpenPGP, 5.2.1. Signature Types:
[...] 0x10: Generic certification of a User ID and Public-Key packet. The issuer of this certification does not make any particular assertion as to how well the certifier has checked that the owner of the key is in fact the person described by the User ID. 0x11: Persona certification of a User ID and Public-Key packet. The issuer of this certification has not done any verification of the claim that the owner of this key is the User ID specified. 0x12: Casual certification of a User ID and Public-Key packet. The issuer of this certification has done some casual verification of the claim of identity. 0x13: Positive certification of a User ID and Public-Key packet. The issuer of this certification has done substantial verification of the claim of identity. Most OpenPGP implementations make their "key signatures" as 0x10 certifications. Some implementations can issue 0x11-0x13 certifications, but few differentiate between the types. [...] GnuPG displays the "normal" 0x10 signatures as sig and the advanced signatures distinguishing between different kinds of certification levels with a number following: 0x11 as sig 1, 0x12 as sig 2 and 0x13 as sig 3. rev indicates revoked signatures.
The output of --list-sigs is also explained by the GnuPG manual pages (man gpg):
--list-sigs Same as --list-keys, but the signatures are listed too. This command has the same effect as using --list-keys with --with-sig-list. For each signature listed, there are several flags in between the "sig" tag and keyid. These flags give additional information about each signature. From left to right, they are the numbers 1-3 for certificate check level (see --ask-cert-level), "L" for a local or non-exportable signature (see --lsign- key), "R" for a nonRevocable signature (see the --edit-key command "nrsign"), "P" for a signature that contains a policy URL (see --cert-policy-url), "N" for a signature that contains a notation (see --cert-notation), "X" for an eXpired signature (see --ask-cert-expire), and the numbers 1-9 or "T" for 10 and above to indicate trust signature levels (see the --edit-key command "tsign"). Vagueness
Also note the first paragraph of the specification's section, which indicates there is no general, rigid definition of the certification levels:
There are a number of possible meanings for a signature, which are indicated in a signature type octet in any given signature. Please note that the vagueness of these meanings is not a flaw, but a feature of the system. Because OpenPGP places final authority for validity upon the receiver of a signature, it may be that one signer's casual act might be more rigorous than some other authority's positive act. [...]
Because of this, some people post certification policies. I provided some discussion in What are you saying when you sign a PGP key?