Key Signing Policy for Christiaan de Die le Clercq.
pub rsa4096 2015-01-29 [C] [expires: 2024-11-21]
    34B35DD172E366BF6867AB069FB800372F2546D8
uid [ultimate] Christiaan de Die le Clercq <firstname.lastname@example.org>
sub rsa2048 2015-01-29 [S] [expires: 2024-11-21]
sub rsa2048 2015-01-29 [E] [expires: 2024-11-21]
sub rsa2048 2015-01-29 [A] [expires: 2024-11-21]
This policy is used for signatures made by my GnuPG key 0x2F2546D8 - starting from 2017/01/01.
(Most signatures before this date were also made under the following conditions. No key was ever signed
without checking the identity of the person and the fingerprint.)
Before I sign a key, I
- verify the identity of the person owning the to-be-signed key by
looking at their identity card, equivalent official proof of identity
or in some special cases by knowing the person very well for a long time.
- receive the key fingerprint from the key owner. This can be on a
piece of paper or the fingerprint could get confirmed by the
owner during a Key Signing Party.
A signature is always on a user ID. By signing a user ID, I confirmed
- that the person, who gave me the fingerprint of that key, had the
claimed name - at the moment of identity check.
I do sign keys of persons from foreign countries as long as there is no
indication of fraud (detected by me).
Signatures by my GnuPG key(s) do not have any legal relevance.
Description of my use of trust levels:
sig3 - I have verified the identity and verified that the e-mail address
of the signed uid belongs/belonged to the person, who has/had
control over the key. This is done by a challenge-response system
or by sending the signed key to the corresponding user id
(both via encrypted mail).
sig2 - I have verified the identity - but not the e-mail address (for
example because the key does not support encryption to it).
sig1 - unused at the moment.
The Certify key is kept on offline, secure storage.