Skip to main content

GPG Policy

Key Signing Policy for Christiaan de Die le Clercq. https://techwolf12.nl/gpg/policy Version 2020/01/01

pub rsa4096 2015-01-29 [C] [expires: 2024-11-21]
34B35DD172E366BF6867AB069FB800372F2546D8
uid [ultimate] Christiaan de Die le Clercq <[email protected]>
sub rsa2048 2015-01-29 [S] [expires: 2024-11-21]
sub rsa2048 2015-01-29 [E] [expires: 2024-11-21]
sub rsa2048 2015-01-29 [A] [expires: 2024-11-21]

This policy is used for signatures made by my GnuPG key 0x2F2546D8 - starting from 2017/01/01. (Most signatures before this date were also made under the following conditions. No key was ever signed without checking the identity of the person and the fingerprint.)

Before I sign a key, I

  • verify the identity of the person owning the to-be-signed key by looking at their identity card, equivalent official proof of identity or in some special cases by knowing the person very good for a long time.
  • receive the key fingerprint from the key owner. This can be on a piece of paper or the fingerprint could get confirmed by the owner during a Key Signing Party.

A signature is always on a user ID. By signing a user ID, I confirmed for myself,

  • that the person, who gave me the fingerprint of that key, had the claimed name - at the moment of identity check.

I do sign keys of persons from foreign countries as long as there is no indication of fraud (detected by me).

Signatures by my GnuPG key(s) do not have any legal relevance.

Description of my use of trust levels:

  • sig3 - I have verified the identity and verified, that the e-mail address of the signed uid belongs/belonged to the person, who has/had control over the key. This is done by a challenge-response system or by sending the signed key to the corresponding user id (both via encrypted mail).

  • sig2 - I have verified the identity - but not the e-mail address (for example because the key does not support encryption to it).

  • sig1 - unused at the moment.

The Certify key is kept on an offline, secure storage.