-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PGP and OpenPGP Key Signing Policy of Thomas Bader v1.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CONTENTS

1. Preliminaries
2. Prerequisites for signing
3. The act of signing
4. Key generation notes


1. Preliminaries
- ----------------

This policy is valid for all signatures made by the PGP and OpenPGP keys:

pub  1024D/7584F5D8 2000-02-26 Thomas Bader
     Key fingerprint = 63F0 501D 81D8 F47B A707 C02E 7905 768F 7584 F5D8
uid                  Thomas Bader
uid                  Thomas Bader
sub  2048g/05A32EF5 2000-02-26 [expires: 2003-06-14]
sub  2048g/FEB8FD82 2003-06-09 [expires: 2004-06-14]

pub  2048R/3A4B7F5D 2000-02-26 Thomas Bader
     Key fingerprint = FF 83 89 80 DD FD B2 75  3D 7D 8A 64 02 2F A5 DF
uid                  Thomas Bader
uid                  Thomas Bader

pub  1024D/5AB4606A 2002-04-16 Thomas Bader CERTIFICATION ONLY, Key A
     Key fingerprint = 2AA4 5002 C4A4 A8FC 031D E9B3 A479 CDC4 5AB4 606A
sub  4096g/D5911E3D 2002-04-16 [expires: 2003-04-16]
sub  4096g/96B782FD 2003-04-17 [expires: 2004-04-16]

Although this policy was formally written on 2003-06-10, it was followed from
the creation of those keys. I understand the need for a public web of trust
and the risks involved in indiscriminately signing keys. I have therefore
never signed a key without verifying the identity of the key's owner to my
own satisfaction and without matching the key to the owner.

This policy may be replaced at any time with a new version. If a new version
incorporates changes that might affect the strength or perceived strength of
the resulting signature, the old version will be linked from the new one.

This is version 1, written 2003-06-29.


2. Prerequisites for signing
- ----------------------------

The signee (i.e. the key holder who wishes to obtain a signature from me,
the signer) must make his/her OpenPGP public key available on a publicly
accessible keyserver, such as the .pgp.net servers.

The signee must prove his/her identity to me by way of a national ID card,
a driver's licence, or a similar token. The token must feature a
photographic picture of the signee.

The signee should have prepared a strip of paper with a printout of the
output of

    gpg --fingerprint 0xDEADBEEF

(or an equivalent command if you're not using GnuPG), where 0xDEADBEEF is
the key ID of the key that is to be signed. A hand-written sheet featuring
all user IDs the signee wants me to sign and the fingerprint will also be
accepted.

The above must take place under reasonable circumstances.

The signee should be willing to cross-sign with me.


3. The act of signing
- ---------------------

After having received (or exchanged) the proof detailed above, I will sign
the sheet of paper myself to prevent fraud. If I haven't seen the user
IDs/email addresses in use, I will verify them with an email
challenge/response.

All my signatures are given a level of 3. The other levels (0, 1 or 2) have
no meaning for me and therefore I won't use them.

The signed keyblock is uploaded to a randomly chosen set of keyservers. The
signee may suggest a key server or choose to receive it by mail instead.


4. Key generation notes
- -----------------------

The keys 0x7584F5D8 and 0x3A4B7F5D (fingerprints see above) are used for
signing other keys, signing messages/files and receiving encrypted
messages/files. They are my keys for everyday use and are therefore stored
on a machine connected to a network (although that machine isn't directly
reachable from the internet).

The key 0x5AB4606A (fingerprint see above) is used for signing other keys.
It is stored off site on a non-networked machine, which hopefully means that
it is less likely to be compromised. If you see a key signed by this key you
can be relatively sure I have signed, and hence trust, it.
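Two of the checks above lend themselves to a script: comparing the fingerprint on the signee's paper strip (section 2) against the copy fetched from the keyserver, and confirming that a certification really carries the level-3 class this policy promises (section 3). The following is an added example, not part of the signed policy or of GnuPG itself. It runs offline on constructed samples laid out like `gpg --with-colons` output; the fingerprint in the first sample is the one printed in section 1, the signee key ID and the other sample values are made up, and `A479CDC45AB4606A` is the long form of the policy's certification-only key ID derived from its fingerprint above.

```shell
#!/bin/sh
# Added example (not part of the policy): check a paper fingerprint against
# the keyserver copy, and confirm a certification carries the level-3 class.
# Works on constructed stand-ins for `gpg --with-colons` output, where field 1
# is the record type, field 5 the long key ID, field 10 the fingerprint (fpr
# record) or user ID (uid record), and field 11 the signature class.

# Constructed stand-in for: gpg --with-colons --fingerprint 0x7584F5D8
# The fpr value is the fingerprint printed in section 1 of the policy.
SAMPLE_KEY='pub:u:1024:17:7905768F7584F5D8:2000-02-26:::u:::scESC:
fpr:::::::::63F0501D81D8F47BA707C02E7905768F7584F5D8:
uid:u::::2000-02-26::0123456789ABCDEF0123456789ABCDEF01234567::Thomas Bader:'

# Constructed stand-in for: gpg --with-colons --list-sigs 0x0123456789ABCDEF
# (hypothetical signee key). The sig from A479CDC45AB4606A, the long ID of the
# policy's certification-only key 0x5AB4606A, is class 13x: an exportable
# level-3 certification. The last sig is a generic class-10 one for contrast.
SAMPLE_SIGS='pub:u:1024:17:0123456789ABCDEF:2003-06-01:::u:::scESC:
uid:u::::2003-06-01::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Signee (constructed):
sig:::17:0123456789ABCDEF:2003-06-01::::Example Signee (constructed):13x:
sig:::17:A479CDC45AB4606A:2003-06-29::::Thomas Bader:13x:
sig:::17:FEDCBA9876543210:2003-06-29::::Someone Else (constructed):10x:'

# Reduce a hand-written or printed fingerprint to bare upper-case hex, so
# "63f0 501d ..." compares equal to the 40-character form gpg emits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Pull the first fpr record (field 10) out of --with-colons output.
fpr_from_colons() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeeds only if the paper fingerprint equals the keyserver's fingerprint.
# Both sides are normalised, so grouping and case cannot cause a false
# mismatch, and a missing fpr record can never cause a false match.
fingerprint_matches() {
    paper=$(normalize_fpr "$1")
    listed=$(normalize_fpr "$(fpr_from_colons "$2")")
    [ -n "$listed" ] && [ "$paper" = "$listed" ]
}

# Print the signature class (field 11) of the first sig record issued by the
# given long key ID, e.g. "13x" for an exportable level-3 certification.
sig_class() {
    printf '%s\n' "$1" | awk -F: -v issuer="$2" \
        '$1 == "sig" && $5 == issuer { print $11; exit }'
}

# Succeeds if the issuer's certification is exactly level 3 and exportable.
is_level3() {
    [ "$(sig_class "$1" "$2")" = "13x" ]
}

# Demonstration on the constructed samples.
if fingerprint_matches "63F0 501D 81D8 F47B A707 C02E 7905 768F 7584 F5D8" "$SAMPLE_KEY"; then
    echo "fingerprint on paper matches the keyserver copy"
fi
if is_level3 "$SAMPLE_SIGS" A479CDC45AB4606A; then
    echo "certification from 0x5AB4606A is level 3, as the policy states"
fi
```

To use this against a live key, replace the two sample strings with the real output of `gpg --with-colons --fingerprint <keyid>` and `gpg --with-colons --list-sigs <keyid>`; the parsing does not change. The older 16-byte fingerprint format shown for the RSA key in section 1 normalises the same way, since only spacing and case are stripped.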
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+/zDopHnNxFq0YGoRAlVqAJwMVdazDhdncEI+GYR/GgUn79j4ggCdFs2I
YVkQjzVZdmbGcgSWtijPGjs=
=G8lr
-----END PGP SIGNATURE-----