GPG Policy

Key Signing Policy for Christiaan de Die le Clercq.
Version 2020/01/01

pub   rsa4096 2015-01-29 [C] [expires: 2024-11-21]
uid           [ultimate] Christiaan de Die le Clercq <>
sub   rsa2048 2015-01-29 [S] [expires: 2024-11-21]
sub   rsa2048 2015-01-29 [E] [expires: 2024-11-21]
sub   rsa2048 2015-01-29 [A] [expires: 2024-11-21]

This policy is used for signatures made by my GnuPG key 0x2F2546D8 - starting from 2017/01/01.
(Most signatures before this date were also made under the following conditions. No key was ever signed
without checking the identity of the person and the fingerprint.)

Before I sign a key, I

  - verify the identity of the person owning the to-be-signed key by
    looking at their identity card, equivalent official proof of identity
    or in some special cases by knowing the person very well for a long time.
  - receive the key fingerprint from the key owner. This can be on a
    piece of paper or the fingerprint could get confirmed by the
    owner during a Key Signing Party.

A signature is always on a user ID. By signing a user ID, I confirmed
for myself,

  - that the person who gave me the fingerprint of that key had the
    claimed name - at the moment of the identity check.

I do sign keys of persons from foreign countries as long as there is no
indication of fraud (detected by me).

Signatures by my GnuPG key(s) do not have any legal relevance.

Description of my use of trust levels:

  sig3 - I have verified the identity and verified that the e-mail address
         of the signed uid belongs/belonged to the person who has/had
         control over the key. This is done by a challenge-response system
         or by sending the signed key to the corresponding user id
         (both via encrypted mail).

  sig2 - I have verified the identity - but not the e-mail address (for
         example because the key does not support encryption to it).

  sig1 - unused at the moment.

The Certify key is kept on offline, secure storage.