Keysigning policy of Pascal Mainini v2.0 as of 2013-04-28
=========================================================

CONTENTS

(I)   Preliminaries
(II)  Prerequisites for signing
(III) The act of signing
(IV)  Key generation and usage notes


(I) Preliminaries
-----------------

This policy is valid for all signatures made by the following OpenPGP keys
(encryption subkeys excluded from listing):

* A9A71917D900A399
  Personal key for everyday usage (called {PERSONAL} in the following)

  pub   4096R/A9A71917D900A399 2013-04-29
        Key fingerprint = 8EB1 D9F9 A97B 3D55 B93A 8877 A9A7 1917 D900 A399
  uid   [ultimate] Pascal Mainini
  uid   [ultimate] Pascal Mainini
  sub   4096R/9D90A1AA43B0FFB5 2013-04-29

* D4D311964529BF70
  Certification only key for the web of trust (called {CAKEY} in the following):

  pub   1024D/D4D311964529BF70 2003-11-26
        Key fingerprint = 63A3 F660 76ED 9314 9951 B1DE D4D3 1196 4529 BF70
  uid   [ultimate] Pascal Mainini (CERTIFICATION ONLY, KEY A)

This policy was formally written on 2013-04-28 and has been followed since then
for both of the keys given above. For {CAKEY}, the older policies 1.0 and 1.1
were already followed. They can be found at http://impressionet.ch/crypto .

I understand the need for a public web of trust and the risks involved in
indiscriminately signing keys. I have therefore never signed a key without
verifying the identity of the key's owner to my own satisfaction and without
matching the key to the owner.

This policy may be replaced at any time with a new version. If a new version
incorporates changes that might affect the strength or perceived strength of
the resulting signature, the old version will be linked from the new one. All
versions of the policy can also be found at: http://impressionet.ch/crypto


(II) Prerequisites for signing
------------------------------

The signee (i.e. the key holder who wishes to obtain a signature from me, the
signer) must provide the key in advance of the signature process. He/she can
either make his/her OpenPGP public key available on a publicly accessible
keyserver, such as the .pgp.net servers, or send it to me by email.

The signee must in person prove his/her identity to me by way of a national ID
card, a driver's licence, or a similar token. The token must feature a
photographic picture of the signee and must be valid at the time of meeting.

The signee should have prepared a strip of paper with a printout of the output
of

    gpg --fingerprint 0xDEADBEEF

(or an equivalent command if he/she is not using GnuPG), where 0xDEADBEEF is
the key ID of every key that is to be signed. A hand-written sheet featuring
the IDs of all keys including their fingerprint as well as all uid's the signee
wants me to sign will also be accepted.

All of the above must take place under reasonable circumstances.

The signee should be willing to cross-sign {CAKEY} upon AND ONLY upon my
request. {PERSONAL} can be signed by the signee locally if he/she wishes to do
so for personal usage; I will not ask for signatures of this key.

IMPORTANT: SIGNATURES ON BOTH {CAKEY} AND {PERSONAL} SHALL NEVER BE PUBLISHED
BY ANY MEANS BY ANYONE ELSE THAN THE KEYHOLDER PERSONALLY (ME)! SIGNATURES OF
BOTH KEYS SHALL BE SENT BY ENCRYPTED MAIL TO ME.


(III) The act of signing
------------------------

After having received (or exchanged) the proof detailed above, I will sign the
sheet of paper myself to prevent fraud. If I haven't seen the uids/email
addresses in use, I will check them by doing an email challenge/response.

Upon successful validation of some or all uids, I will sign those (called
{SIGNEE} below) according to the following process:

For the signature using {CAKEY}:

  1. Import {SIGNEE} on the keysigning machine
  2. Sign {SIGNEE} using {CAKEY}
  3. Export {SIGNEE}
  4. Delete created signatures on {SIGNEE}
  5. Locally sign ("lsign") {SIGNEE} for personal reference

For my personal usage with {PERSONAL}:

  1. Import {SIGNEE} to my personal keyring
  2. Locally sign ("lsign") {SIGNEE} for personal reference

After this process has completed, I will send the signed keys/uids back to the
signee in an encrypted email and finally delete them from my systems.

IMPORTANT: I WILL NEVER PUBLISH ANY SIGNATURES DONE ON FOREIGN KEYS BY MYSELF!

Signature levels:

For local and normal signatures done using {CAKEY}, only level 3 is used; the
other levels (0, 1 or 2) have no meaning to me and therefore I won't use them.
There are rare cases in which I forgot to set the level. These signatures have
always been performed with the same extensive verification and therefore have
the same certification level.

Local signatures used for personal purposes using {PERSONAL} have either
signature level 3 or 0. Level 3 is used if a key is signed by {CAKEY} and
according to this policy. Level 0 is used if a key is verified differently, to
a level which is good enough for my personal usage. Possible examples of this
may include keys which have been signed by older personal keys, or keys I have
already seen in transit or used with someone to a level sufficient for me to
be certain of that person's identity.


(IV) Key generation and usage notes
-----------------------------------

The key {PERSONAL} (A9A71917D900A399, fingerprint see above) is used for
signing messages/files and receiving encrypted messages/files. It is my key for
everyday usage and therefore it is stored on one or more machine(s) possibly
connected to a network, kept up to date and secured according to current best
practices.

The key {CAKEY} (D4D311964529BF70, fingerprint see above) is used for signing
other keys. It is stored off site on a non-networked machine, which hopefully
means that it is less likely to be compromised. If you see a key signed by this
key you can be relatively sure I have signed, and hence trust, it.
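The check behind section (II), matching the signee's printed `gpg --fingerprint` strip against the key actually imported on the keysigning machine and confirming that the quoted key ID is the low 64 bits of that fingerprint, as an added Python example that is not part of this policy. The good fingerprint is {PERSONAL} as listed above; the mistyped strip, the helper names and the requirement of a long (16-hex-digit) key ID are assumptions of the example.

```python
import re

# Assumed helper, not part of the policy: check a signee's printed "gpg --fingerprint"
# strip against the key actually imported on the keysigning machine.
_HEX40 = re.compile(r"^[0-9A-F]{40}$")  # OpenPGP v4 fingerprint: 160 bits = 40 hex digits

# RFC 4880 certification signature types behind the "levels" the policy refers to.
CERT_LEVELS = {0: "0x10 generic", 1: "0x11 persona", 2: "0x12 casual", 3: "0x13 positive"}

def _strip_0x(text):
    """Remove whitespace and an optional 0x prefix, upper-case the rest."""
    text = re.sub(r"\s+", "", text).upper()
    return text[2:] if text.startswith("0X") else text

def normalize_fingerprint(text):
    """Return the 40 upper-case hex digits of a v4 fingerprint, or raise ValueError."""
    fpr = _strip_0x(text)
    if not _HEX40.match(fpr):
        raise ValueError("not a 40-hex-digit OpenPGP v4 fingerprint: %r" % text)
    return fpr

def long_key_id(fpr):
    """For a v4 key the 64-bit key ID is the low 8 bytes (last 16 hex digits) of the fingerprint."""
    return normalize_fingerprint(fpr)[-16:]

def verify_paper_strip(strip_text, imported_fpr, claimed_key_id):
    """Return (ok, reason). ok only if the full fingerprint on the strip equals the
    imported key's and the key ID quoted for it is its low 64 bits. A short (32-bit)
    key ID is rejected: many distinct keys share one, so it identifies nothing."""
    try:
        strip = normalize_fingerprint(strip_text)
        imported = normalize_fingerprint(imported_fpr)
    except ValueError as exc:
        return False, str(exc)
    key_id = _strip_0x(claimed_key_id)
    if len(key_id) != 16:
        return False, "key ID must be the 16-hex-digit long form, not the 8-digit short form"
    if strip != imported:
        return False, "fingerprint on the paper strip does not match the imported key"
    if long_key_id(imported) != key_id:
        return False, "key ID is not the low 64 bits of the fingerprint"
    return True, "fingerprint and key ID verified"

if __name__ == "__main__":
    # {PERSONAL} as listed in the policy, plus a constructed strip with one mistyped digit.
    good = "8EB1 D9F9 A97B 3D55 B93A 8877 A9A7 1917 D900 A399"
    typo = "8EB1 D9F9 A97B 3D55 B93A 8877 A9A7 1917 D900 A398"
    print(verify_paper_strip(good, good, "0xA9A71917D900A399"))  # (True, ...)
    print(verify_paper_strip(typo, good, "A9A71917D900A399"))    # (False, ...)
```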