-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Key signing policy of the signer Michael J Gruber for the key:

pub   1024D/C920A124 2005-07-19
      Key fingerprint = 7E06 D8EF 2162 B7D0 211D 8EFE AC82 4B1F C920 A124
uid   Michael J Gruber
uid   Michael J Gruber
uid   Michael J Gruber
uid   [jpeg image of size 2501]
sub   2048g/9C3F7E74 2005-07-19

Version: 1.0
Date: 2007-03-16

Applicability:
This policy applies to all signatures whose signing policy attribute
points to a file named sha256.asc, where "sha256" denotes the
hexadecimal sha256 checksum of the policy (including the signature).

Fingerprint verification:
The signee has to identify the key to be signed by providing a hardcopy
of the fingerprint or confirming the fingerprint on a list whose
integrity was checked using strong checksums.
Failure to verify the fingerprint terminates the signing process.

Identity verification:
- - Strong form: The signee provides a passport or German identity card
  (Personalausweis) which I can check physically. Alternatively, I have
  known the signee personally for several years to an extent which
  matches or exceeds my non-expert capabilities in verifying a passport
  or identity card which I can check physically.
- - Weak form: The signee provides a passport or German identity card
  (Personalausweis) which I can check visually (such as by projection
  methods etc.). Alternatively, I have known the signee personally to an
  extent which matches or exceeds my non-expert capabilities in
  verifying a passport or identity card which I can check visually.
In both cases, the picture ID has to match the current appearance of the
signee reasonably. I do not accept other means of identification because
I have no way of checking their validity.
Failure to verify the identity terminates the signing process.

UID verification:
- - e-mail UID: The UID has to contain first and last name of the signee
  as identified by the identity verification.
- - picture UID: The picture UID has to match the current appearance of
  the signee reasonably.
Failure to verify the UID terminates the signing process.

Signature certification levels:
Level 3: Fingerprint verification, identity verification (strong form)
         and UID verification succeeded.
Level 2: Fingerprint verification, identity verification (weak form)
         and UID verification succeeded.
Level 1: No verification was attempted. Frequent e-mail exchange makes
         me believe that the key is owned by the person who claims to
         own it. This is typically used for local signatures only.
Level 0: No claim about success or failure of any steps is made.

e-mail verification (level 2 and 3):
I send my signatures encrypted to individual UIDs of the signed key.
- - For e-mail UIDs of encryption keys, this ensures that the signee owns
  the key and receives e-mails at the specified address.
- - For e-mail UIDs of sign-only keys, the signee has to provide a
  verified encryption key. Sign-only key and encryption key are verified
  to be owned by the same person, by sending an encrypted random
  challenge which has to be returned signed by the sign-only key.
- - For picture UIDs, no such verification is necessary because no claim
  is made about e-mail addresses. The signature is sent to the main UID.
I do not upload level 2 or 3 signatures to key servers unless e-mail
verification succeeded in the form outlined above or equivalent form.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFF+pNsrIJLH8kgoSQRAo1gAKCYzrLIUeLmmP/DWtaqvW7o8Bh7XQCeMfma
+ktfnf/3nXsFs+EwV3nMytY=
=JnvW
-----END PGP SIGNATURE-----
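
Added example (not part of the signed policy and not the signer's own code): one way a relying party could check the "Applicability" rule, i.e. that the policy URL read from a signature's policy attribute names the fetched file by its sha256 checksum, signature block included. The function names, the host policy.example and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# File name form stated in the policy: <64 hex digits>.asc
_NAME = re.compile(r"([0-9a-fA-F]{64})\.asc")


def policy_digest_from_url(policy_url):
    """Return the lowercase digest in the URL's last path segment, or None."""
    name = urlsplit(policy_url).path.rsplit("/", 1)[-1]
    m = _NAME.fullmatch(name)
    return m.group(1).lower() if m else None


def policy_applies(policy_url, fetched):
    """True only if the URL names the fetched bytes by their SHA-256.

    The checksum covers the whole file, signature included, so the bytes
    are hashed exactly as fetched: no newline or charset normalisation.
    """
    expected = policy_digest_from_url(policy_url)
    if expected is None:
        return False  # URL does not follow the sha256.asc naming rule
    if b"-----BEGIN PGP SIGNATURE-----" not in fetched:
        return False  # truncated copy: the signature is part of the file
    actual = hashlib.sha256(fetched).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample file and URL (not the real policy or its location).
SAMPLE = (
    b"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
    b"Key signing policy (constructed sample)\n"
    b"-----BEGIN PGP SIGNATURE-----\n\nAAAA\n-----END PGP SIGNATURE-----\n"
)
SAMPLE_URL = "https://policy.example/" + hashlib.sha256(SAMPLE).hexdigest() + ".asc"

if __name__ == "__main__":
    print(policy_applies(SAMPLE_URL, SAMPLE))                            # exact bytes
    print(policy_applies(SAMPLE_URL, SAMPLE.replace(b"\n", b"\r\n")))    # re-encoded copy
```

A copy whose line endings or wrapping were changed in transit no longer matches its name, so the check has to run on the file as served; verifying the signer's clearsign signature on the policy text is a separate step.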