diff --git a/project-security/security-pack.md b/project-security/security-pack.md index 3a1ac10e..4aac5f24 100644 --- a/project-security/security-pack.md +++ b/project-security/security-pack.md @@ -50,7 +50,8 @@ software](/security/verifying-signatures/#openpgp-software). Checking connectivity... done. ``` -2. Import the included PGP keys. +2. Import the included PGP keys. See our [PGP key policies](#pgp-key-policies) + for important information about these keys. ```shell_session $ gpg --import qubes-secpack/keys/*/* @@ -85,11 +86,6 @@ software](/security/verifying-signatures/#openpgp-software). 3. [Authenticate and set the trust level of the Qubes Master Signing Key (QMSK).](/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key) - **Note:** Only some keys in the qubes-secpack are signed by the QMSK. Keys - that are not signed directly by the QMSK are still signed indirectly by - virtue of being included in the qubes-secpack, which is itself signed (via - Git tags and/or commits) by keys that are in turn signed by the QMSK. - 4. Verify signed Git tags. ```shell_session 
@@ -129,16 +125,23 @@ signatures) are provided to ensure that the system is robust (e.g., against a potential failure in Git tag-based verification) and to give users more options to verify the files. -## PGP key inclusion criteria +## PGP key policies -The qubes-secpack generally includes only those PGP keys used to sign some kind -of official project asset, such as Qubes release ISOs (release signing keys), -Git tags and commits (code signing, doc signing, and security team keys), and -the qubes-secpack's own files and Git tags (security team keys again). This -means that email keys are generally not included, even for official project -email addresses. There is one exception to this rule: the official [Qubes -security team](/security/#qubes-security-team) email address, which is used to -report security vulnerabilities in Qubes OS to our security team. +- **Inclusion criteria.** The qubes-secpack generally includes only those PGP + keys used to sign some kind of official project asset, such as Qubes release + ISOs (release signing keys), Git tags and commits (code signing, doc signing, + and security team keys), and the qubes-secpack's own files and Git tags + (security team keys again). This means that email keys are generally not + included, even for official project email addresses. There is one exception + to this rule: the official [Qubes security + team](/security/#qubes-security-team) email address, which is used to report + security vulnerabilities in Qubes OS to our security team. + +- **Key signing (certification).** Only some keys in the qubes-secpack are + signed by the QMSK. Keys that are not signed directly by the QMSK are still + signed indirectly by virtue of being included in the qubes-secpack, which is + itself signed (via Git tags and/or commits) by keys that are in turn signed + by the QMSK. ## History and rationale diff --git a/project-security/verifying-signatures.md b/project-security/verifying-signatures.md index 667b67de..09861f9f 100644 
--- a/project-security/verifying-signatures.md +++ b/project-security/verifying-signatures.md @@ -555,15 +555,12 @@ FAQ](#troubleshooting-faq) below. Before we proceed, you must first complete the following prerequisite steps: 1. [Install OpenPGP software.](#openpgp-software) -2. [Import and authenticate the Qubes Master Signing Key.](#how-to-import-and-authenticate-the-qubes-master-signing-key) -3. [Import and authenticate keys from the Qubes security pack (qubes-secpack).](/security/pack/) - - **Note:** Only some keys in the qubes-secpack are signed by the QMSK. Keys - that are not signed directly by the QMSK are still signed indirectly by - virtue of being included in the qubes-secpack, which is itself signed (via - Git tags and/or commits) by keys that are in turn signed by the QMSK. If a - key is not signed directly by the QMSK, you may need to set its trust level - directly. +2. [Import and authenticate the Qubes Master Signing + Key.](#how-to-import-and-authenticate-the-qubes-master-signing-key) +3. [Import and authenticate keys from the Qubes security pack + (qubes-secpack).](/security/pack/) Please see our [PGP key + policies](/security/pack/#pgp-key-policies) for important information about + these keys. Whenever you use one of the [Qubes repositories](https://github.com/QubesOS), you should use Git to verify the PGP signature in a tag on the latest commit or @@ -586,7 +583,7 @@ all such conditions hold, you're much better off verifying signatures yourself. (Also see: [distrusting the infrastructure](/faq/#what-does-it-mean-to-distrust-the-infrastructure).) -**To verify a signature on a Git tag:** +### How to verify a signature on a Git tag ```shell_session $ git tag -v @@ -598,7 +595,7 @@ or $ git verify-tag ``` -**To verify a signature on a Git commit:** +### How to verify a signature on a Git commit ```shell_session $ git log --show-signature
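Review bot: In the `@@ -50,7 +50,8 @@` hunk of security-pack.md, the pointer to the key policies is added at step 2 (import) while the note being removed sat under step 3 (authenticate and set trust level), which is the step where a reader actually needs to know that only some keys are signed directly by the QMSK. Consider keeping a one-line cross-reference at step 3 as well, e.g. `   See [PGP key policies](#pgp-key-policies) before setting trust levels.`, so the guidance is still visible at the point of use.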
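Review bot: In the `@@ -129,16 +125,23 @@` hunk of security-pack.md, renaming `## PGP key inclusion criteria` to `## PGP key policies` changes the generated fragment id, so any existing links to `#pgp-key-inclusion-criteria` elsewhere in the docs (or bookmarked externally) will silently stop resolving; grep the tree for the old anchor and update or alias it. Separately, the new "Key signing (certification)" bullet restates the removed note but drops the actionable sentence that the verifying-signatures.md note carried ("If a key is not signed directly by the QMSK, you may need to set its trust level directly"); since both pages now defer to this section, that sentence should be added here so the instruction is not lost.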
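Review bot: In the `@@ -555,15 +555,12 @@` hunk of verifying-signatures.md, the removed note contained the only concrete instruction for keys not directly certified by the QMSK (set their trust level directly), and the replacement text only links to the policies section, which in this same patch does not include that instruction. Either restore that sentence in step 3 or make sure the linked section states it, otherwise a reader following these prerequisites no longer learns that an extra trust-level step may be required.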
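Review bot: In the `@@ -586,7 +583,7 @@` and `@@ -598,7 +595,7 @@` hunks of verifying-signatures.md, promoting the bold lead-ins to `###` headings creates linkable anchors (`#how-to-verify-a-signature-on-a-git-tag`, `#how-to-verify-a-signature-on-a-git-commit`), which is good; the enclosing `##` section is not visible in the hunk context, so please confirm the `###` level nests correctly in the page table of contents, and consider linking these new anchors from the prerequisite list above so readers can jump straight to the relevant command.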