Key Signing Policy for Andrés J. Díaz
http://ajdiaz/gpg/policy.txt
Version: 2021-04-25

pub   rsa4096/0x021D2DCF8575C18B 2021-04-25 [C]
      Key fingerprint = 4D85 1F4E CDCF D81E F6AB 2FC6 021D 2DCF 8575 C18B
      Keygrip = 3F3F1C49C1621B2E1E39896B4DE00CFB8CF5DF0C
uid   [ultimate] Andrés J. Díaz (Personal)
sub   rsa4096/0xD3F173B21A65EFB4 2021-04-25 [S] [expires: 2026-04-24]
      Keygrip = A81188065506B835775C0ACF73A1BD86CD4A13D2
sub   rsa4096/0xB298615256F4ACFE 2021-04-25 [E] [expires: 2026-04-24]
      Keygrip = 086522BE93D616B4FB8EE93FC3D44AFA500A3663

This policy is used for signatures made by my GnuPG keys (whose IDs are
listed above), starting from 2021-04-25. (Some signatures before this date
were also made under the following conditions. No key was ever signed
without checking the identity of the person and the fingerprint.)

Before I sign a key, I

 - verify the identity of the person owning the to-be-signed key by looking
   at their identity card, equivalent official proof of identity or (in
   very few cases only) by knowing the person very well for a long time.

 - receive the key fingerprint from the key owner. This can be on a piece
   of paper or the fingerprint could get confirmed by the owner during a
   Key Signing Party or any other event.

A signature is always on a user id. By signing a user id, I confirmed for
myself,

 - that the person, who gave me the fingerprint of that key, had the
   claimed name - at the moment of identity check.

I do sign keys of persons from foreign countries as long as there is no
indication of fraud (detected by me).

Signatures by my GnuPG key(s) do not have any legal relevance.

Description of my use of trust levels:

 sig3 - I have verified the identity and verified that the e-mail address
        of the signed uid belongs/belonged to the person, who has/had
        control over the key. This is done by a challenge-response system
        or by sending the signed key to the corresponding user id (both
        via encrypted mail).

 sig2 - I have verified the identity - but not the e-mail address (for
        example because the key does not support encryption to it).

 sig1 - unused at the moment.

Signatures made by caff might not have any special trust level. (Trust
level would be "sig3".)

OLD KEYS

Keys listed in other policies but not in the current one must be EXPIRED or
REVOKED. Only master keys will remain active. You should not trust ancient
keys at the present time.

CHANGELOG

2021-04-25  Create new policy for new keys. The old ones will be valid
            until they expire. The old master key will be valid only to
            revoke subkeys in case of emergency.

2016-02-11  Create new policy and remove some prerequisites for signing, as
            well as remove the location section, act of signing and sig0
            level.
            Old policy: http://ajdiaz.me/gpg/policy.until_2016-02-11.txt

2016-08-11  Update expiration date for subkeys.
            Old policy: http://ajdiaz.me/gpg/policy.until_2016-08-11.txt

2016-10-10  Update expiration date for master key.
            Old policy: http://ajdiaz.me/gpg/policy.until_2016-10-10.txt