-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PGP and OpenPGP Key Signing Policy of Pascal Mainini
v1.0 as of 2004-01-04
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CONTENTS

1. Preliminaries
2. Prerequisites for signing
3. The act of signing
4. Key generation notes


1. Preliminaries
- - ----------------

This policy is valid for all signatures made by the PGP and OpenPGP keys:

pub  1024D/E284ED60 2003-11-23 Pascal Mainini
     Key fingerprint = 5A8A 7BDD 862D 0D0C 3693 2E1E C70E EE84 E284 ED60
uid                            Pascal Mainini
uid                            Pascal Mainini
uid                            Pascal Mainini
sub  2048g/A3701F12 2003-11-23 [expires: 2004-11-22]

pub  1024D/4529BF70 2003-11-26 Pascal Mainini (CERTIFICATION ONLY, KEY A)
     Key fingerprint = 63A3 F660 76ED 9314 9951 B1DE D4D3 1196 4529 BF70

Although this policy was formally written on 2004-01-04, it has been followed since the creation of those keys.

I understand the need for a public web of trust and the risks involved in indiscriminately signing keys. I have therefore never signed a key without verifying the identity of the key's owner to my own satisfaction and without matching the key to the owner.

This policy may be replaced at any time with a new version. If a new version incorporates changes that might affect the strength or perceived strength of the resulting signatures, the old version will be linked from the new one. This is version 1.0, written 2004-01-04.


2. Prerequisites for signing
- - ----------------------------

The signee (i.e. the key holder who wishes to obtain a signature from me, the signer) must make his/her OpenPGP public key available on a publicly accessible keyserver, such as the .pgp.net servers.

The signee must prove his/her identity to me by way of a national ID card, a driver's licence, or a similar token. The token must feature a photograph of the signee.
The signee should have prepared a strip of paper with a printout of the output of

    gpg --fingerprint 0xDEADBEEF

(or an equivalent command if you're not using GnuPG), where 0xDEADBEEF is the key ID of the key that is to be signed. A hand-written sheet listing all user IDs the signee wants me to sign, together with the fingerprint, will also be accepted.

The above must take place under reasonable circumstances.

The signee should be willing to cross-sign with me.


3. The act of signing
- - ---------------------

After having received (or exchanged) the proof detailed above, I will sign the sheet of paper myself to prevent fraud. If I haven't seen the uids/email addresses in use, I will check them by means of an email challenge/response.

All my signatures are given a level of 3. The other levels (0, 1 or 2) have no meaning for me and therefore I won't use them.

The signed keyblock is uploaded to a randomly chosen set of keyservers. The signee may indicate a preferred keyserver or choose to receive it by mail instead.


4. Key generation notes
- - -----------------------

The key 0xE284ED60 (fingerprint see above) is used for signing other keys, signing messages/files and receiving encrypted messages/files. It is my key for everyday use and therefore it is stored on a machine connected to a network (although that machine isn't directly reachable from the internet).

The key 0x4529BF70 (fingerprint see above) is used for signing other keys. It is stored off site on a non-networked machine, which hopefully means that it is less likely to be compromised. If you see a key signed by this key you can be relatively sure I have signed, and hence trust, it.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/+IxX1NMRlkUpv3ARAiXsAJ439xduBYfbIFGPCvwxUpv1m/Y6OQCglqp9
/imJCOI98Lqt8XIXokp7ASg=
=5qwg
-----END PGP SIGNATURE-----
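The signer-side steps of sections 2 and 3 (fetch the key, compare the fingerprint on the signee's strip of paper with what GnuPG reports, certify at level 3, hand the signed keyblock back), written up as an added shell example; this is not part of the policy above or of any GnuPG tooling. The keyserver name and key ID are placeholders, and the sample listing is constructed from the key block in section 1.

```sh
#!/bin/sh
# Added example: verify a paper fingerprint against GnuPG output before
# signing, following the policy above. KEYSERVER is a placeholder.
KEYSERVER="${KEYSERVER:-hkp://keyserver.example}"

# Normalise a fingerprint as written on the paper strip: drop whitespace
# and an optional 0x prefix, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Pull the 40-hex-digit fingerprint out of "gpg --fingerprint" output.
# Handles both the old "Key fingerprint = ..." line and the bare
# fingerprint line newer GnuPG versions print.
fpr_from_gpg_output() {
    printf '%s\n' "$1" | sed 's/.*= //' | tr -d ' ' \
        | grep -E '^[0-9A-Fa-f]{40}$' | head -n 1
}

# Succeeds (exit 0) only when the paper fingerprint and GnuPG's agree.
fpr_matches() {
    paper=$(normalize_fpr "$1")
    seen=$(fpr_from_gpg_output "$2")
    [ -n "$seen" ] && [ "$paper" = "$seen" ]
}

# Interactive signer workflow; needs network access and gpg, so it is
# only run when called explicitly, e.g. sign_key 0xDEADBEEF "5A8A 7BDD ...".
sign_key() {
    keyid=$1
    paper_fpr=$2
    gpg --keyserver "$KEYSERVER" --recv-keys "$keyid" || return 1
    if ! fpr_matches "$paper_fpr" "$(gpg --fingerprint "$keyid")"; then
        echo "fingerprint on paper does not match $keyid: not signing" >&2
        return 1
    fi
    # Section 3: every certification is made at level 3.
    gpg --default-cert-level 3 --sign-key "$keyid" || return 1
    # Export the signed keyblock for mailing back, or use --send-keys
    # to push it to a keyserver as the signee prefers.
    gpg --armor --export "$keyid" > "signed-$keyid.asc"
}
```

The email challenge/response for unseen uids is a manual step and is not automated here.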