-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Key signing policy of the signer Michael J Gruber for the key:

pub   1024D/7F73D9CC 1999-12-03
      Key fingerprint = 005B BB1F 717E 511B 78F3 946E AD1B DE56 7F73 D9CC
uid   Michael J Gruber
uid   Michael J Gruber
uid   Michael J. Gruber
uid   Michael J Gruber
uid   Michael J Gruber
uid   [jpeg image of size 2501]
sub   1024g/24F98F07 1999-12-03

Version: 1.0
Date: 2007-03-16

Applicability:
This policy applies to all signatures whose signing policy attribute points
to a file named sha256.asc, where "sha256" denotes the hexadecimal sha256
checksum of the policy (including the signature).

Fingerprint verification:
The signee has to identify the key to be signed by providing a hardcopy of
the fingerprint or confirming the fingerprint on a list whose integrity was
checked using strong checksums.
Failure to verify the fingerprint terminates the signing process.

Identity verification:
- - Strong form: The signee provides a passport or German identity card
  (Personalausweis) which I can check physically. Alternatively, I have
  known the signee personally for several years to an extent which matches
  or exceeds my non-expert capabilities in verifying a passport or identity
  card which I can check physically.
- - Weak form: The signee provides a passport or German identity card
  (Personalausweis) which I can check visually (such as by projection
  methods etc.). Alternatively, I have known the signee personally to an
  extent which matches or exceeds my non-expert capabilities in verifying a
  passport or identity card which I can check visually.
In both cases, the picture ID has to match the current appearance of the
signee reasonably. I do not accept other means of identification because I
have no way of checking their validity.
Failure to verify the identity terminates the signing process.

UID verification:
- - e-mail UID: The UID has to contain first and last name of the signee as
  identified by the identity verification.
- - picture UID: The picture UID has to match the current appearance of the
  signee reasonably.
Failure to verify the UID terminates the signing process.

Signature certification levels:
Level 3: Fingerprint verification, identity verification (strong form) and
         UID verification succeeded.
Level 2: Fingerprint verification, identity verification (weak form) and
         UID verification succeeded.
Level 1: No verification was attempted. Frequent e-mail exchange makes me
         believe that the key is owned by the person who claims to own it.
         This is typically used for local signatures only.
Level 0: No claim about success or failure of any steps is made.

e-mail verification (level 2 and 3):
I send my signatures encrypted to individual UIDs of the signed key.
- - For e-mail UIDs of encryption keys, this ensures that the signee owns the
  key and receives e-mails at the specified address.
- - For e-mail UIDs of sign-only keys, the signee has to provide a verified
  encryption key. Sign-only key and encryption key are verified to be owned
  by the same person, by sending an encrypted random challenge which has to
  be returned signed by the sign-only key.
- - For picture UIDs, no such verification is necessary because no claim is
  made about e-mail addresses. The signature is sent to the main UID.
I do not upload level 2 or 3 signatures to key servers unless e-mail
verification succeeded in the form outlined above or equivalent form.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFF+pN1rRveVn9z2cwRAlhCAKCrC8TEHLTc9AaYfp8c8kpRd2+9ZACgvDWd
cXv+j+aQi+2w2Ww7oqqzcSw=
=NDHO
-----END PGP SIGNATURE-----
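
The Applicability clause ties a signature to one exact policy file by naming that file after its own SHA-256 checksum. The check below is an added example, not part of the signed policy or the signer's tooling: it tests whether a fetched policy file is the one a signature's policy URL refers to. The function name, the example.org URL and the sample policy bytes are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlparse

# File name required by the Applicability clause: 64 hex digits + ".asc".
_NAME_RE = re.compile(r"^([0-9a-fA-F]{64})\.asc$")


def policy_matches_url(policy_url: str, policy_bytes: bytes) -> bool:
    """Return True only if the URL's file name is the SHA-256 of the exact bytes.

    The checksum covers the whole clearsigned file, signature block included,
    so the bytes must be hashed as downloaded (no re-wrapping, no newline
    conversion, no whitespace stripping).
    """
    name = urlparse(policy_url).path.rsplit("/", 1)[-1]
    match = _NAME_RE.match(name)
    if match is None:
        return False  # not a content-addressed policy name at all
    digest = hashlib.sha256(policy_bytes).hexdigest()
    return digest == match.group(1).lower()


# Constructed stand-in for a clearsigned policy file (not the real policy).
SAMPLE_POLICY = (
    b"-----BEGIN PGP SIGNED MESSAGE-----\n"
    b"Hash: SHA1\n\n"
    b"Constructed sample policy text.\n"
    b"-----BEGIN PGP SIGNATURE-----\n\n"
    b"c2FtcGxlIG9ubHk=\n"
    b"-----END PGP SIGNATURE-----\n"
)
# Constructed URL whose file name is the checksum of SAMPLE_POLICY.
SAMPLE_URL = (
    "https://example.org/policies/"
    + hashlib.sha256(SAMPLE_POLICY).hexdigest()
    + ".asc"
)

if __name__ == "__main__":
    crlf_copy = SAMPLE_POLICY.replace(b"\n", b"\r\n")
    print("exact bytes:", policy_matches_url(SAMPLE_URL, SAMPLE_POLICY))
    print("CRLF copy:  ", policy_matches_url(SAMPLE_URL, crlf_copy))
```

A copy that has been reflowed or newline-converted in transit no longer hashes to its file name, so the comparison has to run on the raw downloaded bytes.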