Key Signing Policy for Andrés J. Díaz

http://ajdiaz/gpg/policy.txt
Version: 2016-02-11

pub   rsa4096/0x5369AA4171B5139C 2016-02-13 [C] [expires: 2018-02-12]
      Key fingerprint = 90AD F27A 6AA5 5A78 9738 CDB1 5369 AA41 71B5 139C
      Keygrip = 1E5F5ABC6A38E52B48C89749A6D36AC5A58B92E9
uid   [ultimate] Andres J. Diaz (Personal)
sub   rsa4096/0x5CE181D35CEF8C82 2016-02-13 [S] [expires: 2016-08-11]
      Keygrip = BF3B86FF6301172ED3F162B4BC74ECC93745DA61
sub   rsa4096/0x6F443CF5C297F654 2016-02-13 [E] [expires: 2016-08-11]
      Keygrip = BBF8C5D70294E6C113D178280E30074D547068E7

This policy applies to signatures made by my GnuPG keys (whose IDs are
listed above), starting from 2016-02-11. (Some signatures before this date
were also made under the following conditions. No key was ever signed
without checking the identity of the person and the fingerprint.)

Before I sign a key, I

 - verify the identity of the person owning the to-be-signed key by looking
   at their identity card, an equivalent official proof of identity or (in
   very few cases only) by having known the person very well for a long
   time.

 - receive the key fingerprint from the key owner. This can be on a piece
   of paper, or the fingerprint can be confirmed by the owner during a Key
   Signing Party or any other event.

A signature is always on a user ID. By signing a user ID, I have confirmed
for myself

 - that the person who gave me the fingerprint of that key had the claimed
   name at the moment of the identity check.

I do sign keys of persons from foreign countries as long as there is no
indication of fraud (detected by me).

Signatures by my GnuPG key(s) do not have any legal relevance.

Description of my use of trustlevels:

 sig3 - I have verified the identity and verified that the e-mail address
        of the signed uid belongs/belonged to the person who has/had
        control over the key. This is done by a challenge-response system
        or by sending the signed key to the corresponding user ID (both
        via encrypted mail).

 sig2 - I have verified the identity, but not the e-mail address (for
        example because the key does not support encryption to it).

 sig1 - unused at the moment.

Signatures made by caff might not have any special trustlevel.
(Trustlevel would be "sig3".)

CHANGELOG

2016-02-11  Create new policy and remove some prerequisites for signing;
            also remove the location section, the act of signing and the
            sig0 level.
            Old policy: http://ajdiaz.me/gpg/policy.until_2016-02-11.txt