This document is the signing policy for my OpenPGP keys:

pub   1024D/FCC5040F 2004-04-26
uid                  Stephan Beyer
uid                  [jpeg image of size 2193]
uid                  Stephan Beyer
uid                  Stephan Beyer
sub   4096R/CC326BA2 2009-09-29 [expires: 2013-09-28]
sub   4096R/D9E5BC2B 2009-09-29 [expires: 2013-09-28]
sub   4096R/5286A5CC 2013-09-19 [expires: 2016-03-07]
sub   4096R/0D8FE048 2013-09-19 [expires: 2016-03-07]

pub   8192R/CC0A7C3B 2013-09-19
uid                  Stephan Beyer
uid                  Stephan Beyer
sub   8192R/ADE50936 2013-09-19

(In this listing 1024D is a 1024-bit DSA primary key, 4096R and 8192R are RSA keys of that size. A 1024-bit DSA key is below current minimum recommendations for long-term keys.)

See also http://pkqs.net/~sbeyer/openpgp/ for more information on the keys.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This policy applies to all OpenPGP keys
 - which have been signed by me since July 01 2005, and
 - wherein my signatures have not been revoked.

This policy is NOT valid for signatures made before July 01 2005, but most of those signatures were made under similar rules.

This policy may change. See the ChangeLog at the end of the document.

OpenPGP allows setting different trust levels on key signatures (strictly, certification levels: signature types 0x10 to 0x13 in RFC 4880). They are abbreviated sig0 ("I don't care"), sig1 ("Didn't check at all"), sig2 ("Did casual verification") and sig3 ("Did extensive verification"). This document describes how I handle them:

sig3:
I use trust level 3 to sign keys of persons who fulfil the following conditions:
 * I met them personally (in real life).
 * I checked[1] the fingerprint.
 * I checked their identity card, passport or driver's license. It must contain a photo of the owner and must not be expired.

I sign user IDs without an e-mail address if the first and last names match the passport. Of course, I tolerate ASCII transcriptions of those names and real-life, passport-like nicknames.

I sign each user ID that has an e-mail address, but, of course, only valid e-mail addresses will pass the "send check". The "send check" is simple:
 * For sign-only keys a mail is sent to the e-mail address with a "checkword" in it. The key owner sends a signed reply containing the checkword. If the sent and received checkwords are equal and the signature is valid, the check is passed and the user ID gets its signature via e-mail or keyserver.
 * For other keys an encrypted mail is sent to the e-mail address. This e-mail contains the user ID signature. If the key owner is able to decrypt the mail / user ID, the check is passed.

I sign photo user attributes with trust level 3 if I know that the person I met looks like the person on the photo.

sig2:
I do not use trust level 2 to sign user IDs. (undefined)
A photo user attribute gets trust level 2 if I am not sure whether the person on the photo really looks like the person I met.

sig1:
I use trust level 1 to sign companies, organizations and CAs that I trust.
sig1 signatures should be considered as "not checked" with respect to passport, photo ID, e-mail or anything else.

sig0:
Trust level 0 is left undefined and is hence not used.

Note: As a human being I could make mistakes. I try to avoid them.

Sometimes people decide to make a new toplevel key or totally replace their user IDs. In each case, they have to rebuild their web of trust. And in each case, I do not sign the new user IDs (neither in the old nor in a new toplevel key) until the mentioned conditions are fulfilled again.

I am open to suggestions and feedback on this policy.

Stephan Beyer

Footnotes
1. The fingerprint they brought with them must equal the fingerprint of the key I want to sign.

ChangeLog:
20050702 initial upload
20060902 minor changes
20070306 added sig3 nickname handling, removed last sig2 sentence (too confusing)
20130919 minor changes, added that I do not sign key transitions without checking
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.21 (GNU/Linux)

iQIcBAEBCgAGBQJSOymzAAoJEMAMNVYNj+BIGR4QAOU94efFxmhCVTGBYGAVKDu/
pVTfeN3CR7RLPJ+N2w2VD5gaIxlANAavPJlUgJ68hxNZO2zC2HGWcqMvZFrLhHF2
sARnnwAnI18XcU+S3/ntUE7efUlZzt7Cf7272hktCNcyfhLg3hj9NHU7ISZ4DVLq
0dKmh04SAYvcGGr6zwiOG2+8tJpHKkwh80TDflBmnZHHqNRObxh58Mdet6a2EVV/
P5UWMTttDzEBvA7Oj5MY+iaPfPxW0WlzWU67bX6npcQmj6wv8/H7NAoUReAi5gy4
dggvXiMU40IKzyySDMKsxcuf+ahvU49QXPpGr8vYAJMuW5CJXi+SsF+WQkxLKgV1
3XEyOJlOUOvv+XLwo7uNzWz8jEiNNh/YgaJXvotY3qR7NDX2100cWmXcGtUA1xS+
68H4zL1mV7BvU+Cx8qjtiX+J748ZdcLd7j80UXAfO3mcbASzNNl9Ps4EoSnw4jdU
lfSLNP944qBmX+nhvWBSoxmoDFqO3TDSwbhJwSS+tXE9QMjWFDARm4xlkHygZ3XU
2KWRu4YGLxVsqk2JgrlA7u7WRgX1pf5rqKkZoKjNXuxjbYJxpv9CFFAZ0DMme7vf
A9wy955g843qH6Tdqi8TDothkCKxqNPqdXj0hp+r/PZ3sHw2swTyMRYo4oiMllZf
MDdytcF2Zrmyz8rsqNzH
=LE6k
-----END PGP SIGNATURE-----