I PGP sign each and every piece of mail I send, with the following exceptions:
I use a variety of keys. I have my DSA Key-Signing-Key, which I use to sign all my PGP keys. This is the only key you need to verify with me, as it is used to sign all other keys.
(I used to use an older pgp2 Key-Signing-Key, and will continue to sign all my keys with it, but it is deprecated.)
I generate new PGP keys for general use each year. After the creation of these new keys I stop using the old ones and update the old keys to reflect their retired status. After using the new key I will never use the old key -- if you receive something signed by it, the same rules as for an invalid signature apply.
I welcome encrypted mail. You should always use the key for that given year.
I strongly recommend that you verify my Key-Signing-Key fingerprint with me. If you are lazy, it is below. Note that if you don't verify fingerprints with me there is no chance you'll be given any trust level in my PGP keyring.
I do not copy my keys onto untrusted machines. Thus I create a PGP key at each client for which I do work. These keys are to be used only for the email addresses listed. (e.g. the key for 'email@example.com' should only be used for communication with me at that address)
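The policy above boils down to a mechanical check a correspondent can run before trusting one of the yearly keys: the only fingerprint verified in person is the Key-Signing-Key's, every other key counts only if the Key-Signing-Key certified it, and a revoked or expired (retired) key is treated like an invalid signature. The script below is an added example, not code from this page or its author; it applies that policy to the machine-readable listing that `gpg --with-colons --fingerprint --list-sigs` prints (field layout per GnuPG's doc/DETAILS). The key IDs, fingerprints, dates, the placeholder Key-Signing-Key fingerprint and the e-mail address in the embedded listing are all constructed for the example.

```python
"""Apply the page's PGP key policy to a GnuPG --with-colons key listing.

Only the Key-Signing-Key (KSK) fingerprint is verified in person. Any other
key is usable only if the KSK certified it, it is not revoked, and it has not
expired (keys are retired yearly). Added example; not the page's own code.
"""
from datetime import datetime, timezone

# Constructed placeholder: the page does not publish the DSA KSK fingerprint.
VERIFIED_KSK_FPR = "A1B2C3D4E5F60718293A4B5C6D7E8F9001234567"

# Constructed listing; key IDs, fingerprints, dates and address are invented.
SAMPLE_LISTING = """\
pub:u:1024:17:0123456789ABCDEF:2003-01-01:::u:::scSC:
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F9001234567:
uid:u::::2003-01-01::1A2B3C4D::Brian Hatch (Key-Signing-Key) <email@example.com>:
pub:r:1024:17:1111111111111111:2003-01-01:2004-01-01::u:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
uid:r::::2003-01-01::2B3C4D5E::Brian Hatch (2003 key) <email@example.com>:
rev:::17:1111111111111111:2003-06-01::::Brian Hatch (2003 key) <email@example.com>:20x:
sig:::17:0123456789ABCDEF:2003-01-02::::Brian Hatch (Key-Signing-Key) <email@example.com>:10x:
pub:e:1024:17:2222222222222222:2004-01-01:2005-01-01::u:::scESC:
fpr:::::::::2222222222222222222222222222222222222222:
uid:e::::2004-01-01::3C4D5E6F::Brian Hatch (2004 key) <email@example.com>:
sig:::17:0123456789ABCDEF:2004-01-02::::Brian Hatch (Key-Signing-Key) <email@example.com>:10x:
pub:u:1024:17:3333333333333333:2005-01-01:2006-01-01::u:::scESC:
fpr:::::::::3333333333333333333333333333333333333333:
uid:u::::2005-01-01::4D5E6F70::Brian Hatch (2005 key) <email@example.com>:
sig:::17:0123456789ABCDEF:2005-01-02::::Brian Hatch (Key-Signing-Key) <email@example.com>:10x:
pub:-:1024:17:4444444444444444:2005-03-01:::-:::scESC:
fpr:::::::::4444444444444444444444444444444444444444:
uid:-::::2005-03-01::5E6F7081::Brian Hatch (impostor) <email@example.com>:
sig:::17:4444444444444444:2005-03-01::::Brian Hatch (impostor) <email@example.com>:13x:
"""

SAMPLE_NOW = datetime(2005, 6, 1, tzinfo=timezone.utc)  # "today" for the demo
CERT_CLASSES = ("10", "11", "12", "13")  # OpenPGP certification signature types


def parse_date(s):
    """gpg prints dates as YYYY-MM-DD, epoch seconds or YYYYMMDDTHHMMSS."""
    if not s:
        return None
    if s.isdigit():
        return datetime.fromtimestamp(int(s), tz=timezone.utc)
    fmt = "%Y%m%dT%H%M%S" if "T" in s else "%Y-%m-%d"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def parse_listing(text):
    """Group a --with-colons listing into one dict per primary key."""
    keys, cur = [], None
    for line in text.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            cur = {"keyid": f[4], "validity": f[1], "created": f[5],
                   "expires": f[6], "fpr": None, "sigs": [], "revs": []}
            keys.append(cur)
        elif cur is None:
            continue
        elif rec == "fpr" and cur["fpr"] is None:  # first fpr = primary key, not a subkey
            cur["fpr"] = f[9]
        elif rec == "sig":
            cur["sigs"].append((f[4], f[10]))  # (signer key ID, signature class)
        elif rec == "rev":
            cur["revs"].append(f[4])
    return keys


def evaluate_keys(keys, now):
    """Return {key ID: verdict}. Trust flows only from the verified KSK."""
    ksk = next((k for k in keys if k["fpr"] == VERIFIED_KSK_FPR), None)
    if ksk is None:  # without the root nothing can be trusted
        return {k["keyid"]: "rejected: verified KSK fingerprint not found" for k in keys}
    verdicts = {ksk["keyid"]: "trusted root (fingerprint verified in person)"}
    for k in keys:
        if k is ksk:
            continue
        certified = any(signer == ksk["keyid"] and cls[:2] in CERT_CLASSES
                        for signer, cls in k["sigs"])
        exp = parse_date(k["expires"])
        if not certified:
            v = "rejected: no certification from the Key-Signing-Key"
        elif k["revs"] or k["validity"] == "r":
            v = "rejected: revoked"
        elif k["validity"] == "e" or (exp is not None and exp <= now):
            v = "rejected: expired/retired (treat its signatures as invalid)"
        else:
            v = "accepted"
        verdicts[k["keyid"]] = v
    return verdicts


def current_key(keys, now):
    """The key to encrypt to: the newest accepted key, i.e. this year's key."""
    verdicts = evaluate_keys(keys, now)
    ok = [k for k in keys if verdicts[k["keyid"]] == "accepted"]
    return max(ok, key=lambda k: parse_date(k["created"]))["keyid"] if ok else None


def check_sample():
    """Run the policy over the constructed listing at the demo date."""
    keys = parse_listing(SAMPLE_LISTING)
    return evaluate_keys(keys, SAMPLE_NOW), current_key(keys, SAMPLE_NOW)


if __name__ == "__main__":
    verdicts, use = check_sample()
    for kid, verdict in verdicts.items():
        print(kid, verdict)
    print("encrypt to:", use)
```

Against a real keyring, replace `SAMPLE_LISTING` with the output of `gpg --with-colons --fingerprint --list-sigs` and `VERIFIED_KSK_FPR` with the fingerprint you confirmed with the key owner; the impostor case shows why the check keys on a certification from the Key-Signing-Key rather than on the name in the user ID, which anyone can put on a key.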
New DSA Key-Signing-Key fingerprint:
pub 1024D/5217530F 2003-01-01 Brian Hatch (Key-Signing-Key)
Old RSA/IDEA Key-Signing-Key fingerprint:
pub 2047/8BFD8871 1999/04/09 Brian Hatch (Key-Signing-Key)
Key fingerprint = AF D5 20 46 B4 FC 72 82 0D E6 1F 85 AA 93 34 92
Getting my keys
You've got several options: