{"id":107,"date":"2015-04-13T15:01:15","date_gmt":"2015-04-13T15:01:15","guid":{"rendered":"https:\/\/stikonas.eu\/wordpress\/?page_id=107"},"modified":"2015-04-23T17:36:18","modified_gmt":"2015-04-23T17:36:18","slug":"key-signing-policy","status":"publish","type":"page","link":"https:\/\/stikonas.eu\/wordpress\/key-signing-policy\/","title":{"rendered":"Key signing policy"},"content":{"rendered":"<div class=\"container\">\n<div class=\"jumbotron\">\n<h2>PGP\/GPG Key Signing Policy 2013-12-18<\/h2>\n<h2>Introduction<\/h2>\n<p>This policy is valid from 2013-12-18 for all signatures made by the following <a title=\"Wikipedia: OpenPGP\" href=\"http:\/\/en.wikipedia.org\/wiki\/OpenPGP\">PGP<\/a>\/<a title=\"GNU Privacy Guard\" href=\"http:\/\/www.gnupg.org\/\">GPG<\/a> key:<\/p>\n<pre><code>pub   4096R\/0095C0E1 2010-05-06\r\n      Key fingerprint = 1EE5 A320 5904 BAA2 B88C  0A9D 24FD 3194 0095 C0E1\r\nuid                  Andrius \u0160tikonas &lt;andrius@stikonas.eu&gt;\r\nuid                  Andrius \u0160tikonas &lt;stikonas@gmail.com&gt;\r\nuid                  [jpeg image of size 3324]\r\nuid                  Andrius \u0160tikonas &lt;A.Stikonas@ed.ac.uk&gt;\r\nsub   4096R\/8EBE684E 2013-11-09\r\n<\/code><\/pre>\n<p>You can download a copy of this key <a title=\"Public key\" href=\"https:\/\/stikonas.eu\/andrius.asc\">here<\/a>, or from <a title=\"look for this key on the MIT keyserver\" href=\"http:\/\/wwwkeys.pgp.net:11371\/pks\/lookup?search=0x0095C0E1&amp;op=vindex&amp;fingerprint=on\">one of the key servers<\/a>.<\/p>\n<p>This policy may be replaced at any time with a new version. If a new version incorporates changes that might affect the strength or perceived strength of the resulting signature, the old version will be linked from the new one. 
The current policy can always be found at <a href=\"https:\/\/stikonas.eu\/gpg\/gpg-policy.html\">https:\/\/stikonas.eu\/gpg\/gpg-policy.html<\/a>.<\/p>\n<h2>Prerequisites for Signing<\/h2>\n<h3>Identity Verification<\/h3>\n<p>The key owner who wishes to obtain a signature to their key from me must prove their identity to me by way of a national ID card, a driver&#8217;s licence, or a similar token. The token must feature a photographic picture of the key owner. This also implies that the key must feature the key owner&#8217;s real name.<\/p>\n<p>For people from outside the European Union, only a combination of at least two of the above tokens will be accepted. Exceptions will be made when the key owner can come up with other means of proof of identity. But at least one of the above tokens will stay the minimum requirement.<\/p>\n<h3>Hardcopy of Fingerprint<\/h3>\n<p>The key owner should have prepared a printout of the output of <code>gpg --fingerprint<\/code> for the key (or the equivalent command from another OpenPGP client).<\/p>\n<p>A hand-written sheet featuring the key ID, the fingerprint and all user IDs the key owner wishes to obtain a signature to will also be accepted.<\/p>\n<p>If the key owner wishes to obtain a signature to a photographic user ID, the printout should contain the image of that photographic user ID. A printout or photocopy of a photo clearly showing the same person as in the photographic user ID will also be accepted.<\/p>\n<p>You can download a copy of my own fingerprint printout page <a href=\"https:\/\/stikonas.eu\/gpg\/fingerprint.pdf\">here<\/a> as an example.<\/p>\n<h3>Miscellaneous<\/h3>\n<p>The above must take place under reasonable circumstances, i.e. 
at a calm place, both parties not being in a hurry, etc.<\/p>\n<p>The key owner should make their public key available on a publicly accessible <code>pgp.net<\/code> keyserver, such as <code>subkeys.pgp.net<\/code>.<\/p>\n<p>The key owner should be willing to cross-sign with me.<\/p>\n<h2>The Act of Signing<\/h2>\n<h3>Fingerprint Verification<\/h3>\n<p>At home I will verify the key&#8217;s fingerprint using the hardcopy of the fingerprint that has been given to me.<\/p>\n<h3>Email Verification<\/h3>\n<p>After successful fingerprint verification, I will sign all user IDs which I was asked to sign. Each signature is then individually sent to the email address listed in the corresponding user ID, encrypted to the associated key.<\/p>\n<p>As only the key owner can decrypt and thus publish the signatures, this procedure ensures that the email address listed in each user ID with a published signature belongs to the key owner.<\/p>\n<h2>Signature Certification Levels<\/h2>\n<h3>Level 3<\/h3>\n<p>Certification level 3 is used for user IDs that passed identity, fingerprint and email verification and photographic user IDs that passed identity and fingerprint verification as described above.<\/p>\n<h3>Level 2<\/h3>\n<p>Certification level 2 is used for user IDs that passed identity and fingerprint verification as described above.<\/p>\n<p>Certification level 2 is also used for user IDs of keys belonging to organizations such as Certification Authorities that passed fingerprint verification by providing the fingerprint in an official publication in printed form.<\/p>\n<h3>Level 1<\/h3>\n<p>Certification level 1 is never used; keys are never signed without appropriate verification.<\/p>\n<h2>Acknowledgements<\/h2>\n<p>This policy is heavily based on <a title=\"Elmar Hoffman's OpenPGP Key Signing Policy\" href=\"http:\/\/www.elho.net\/crypto\/policy\/\">Elmar Hoffman&#8217;s<\/a> and <a href=\"http:\/\/iay.org.uk\/identity\/pgp\/policy\/2013-11-07\">Ian A. 
Young&#8217;s<\/a> key signing policies.<\/p>\n<p>I use the <code>caff<\/code> script from the <code>signing-party<\/code> package to operate the procedure described above.<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>PGP\/GPG Key Signing Policy 2013-12-18 Introduction This policy is valid from 2013-12-18 for all signatures made by the following PGP\/GPG key: pub 4096R\/0095C0E1 2010-05-06 Key fingerprint = 1EE5 A320 5904 BAA2 B88C 0A9D 24FD 3194 0095 C0E1 uid Andrius \u0160tikonas &lt;andrius@stikonas.eu&gt; uid Andrius \u0160tikonas &lt;stikonas@gmail.com&gt; uid [jpeg image of size 3324] uid Andrius \u0160tikonas &lt;A.Stikonas@ed.ac.uk&gt; &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":"","_links_to":"","_links_to_target":""},"class_list":["post-107","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/stikonas.eu\/wordpress\/wp-json\/wp\/v2\/pages\/107","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stikonas.eu\/wordpress\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/stikonas.eu\/wordpress\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/stikonas.eu\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stikonas.eu\/wordpress\/wp-json\/wp\/v2\/comments?post=107"}],"version-history":[{"count":0,"href":"https:\/\/stikonas.eu\/wordpress\/wp-json\/wp\/v2\/pages\/107\/revisions"}],"wp:attachment":[{"href":"https:\/\/stikonas.eu\/wordpress\/wp-json\/wp\/v2\/media?parent=107"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}