Marc Haber's GPG Key Signing Policy

Preliminary Version - Do Not Use!

This document about my GPG key signing policy will hopefully help you choose whether to trust my signature on third-party keys.

Key used for signature

When I sign a third-party key, I use my Master Signature Key as described in my GPG Key Policy.

Terminology

The key owner who wishes to obtain a signature on his/her key from me is called the "signee" in this document. I am the signer.

Signature notes

For all keys I have signed, I document where I met the signee and how I verified his/her identity. These notes are published here. The documentation will also contain an explanation if I have broken my own policy while signing a key. This might happen, for example, if I signed that key at a public key signing event where following my policy to the letter would have disturbed the event.

Prerequisites for signing

Proof of identity

The signee must prove his/her identity to me by way of a valid identity card or passport. These documents must feature a photograph of the signee. No other kind of document will be accepted. Please note that I require that proof of identity even for people I know personally. This verification step is called "proof of identity".

From people coming from outside the European Union I will request an additional official photo ID, for example the driver's license (since I cannot assess their risk of fraud). Exceptions may be made if there is a good reason for me to do so.

Hardcopy fingerprint

The signee should have prepared a hardcopy of the output of the command

gpg --fingerprint 0x12345678

(or an equivalent command if the signee does not use GnuPG) where 0x12345678 is the key ID of the key which is to be signed.

A handwritten piece of paper featuring the key ID, fingerprint and all UIDs the signee wants me to sign will also be accepted.

Obtaining the public key

I generally expect the public key to be signed to be available on the PGP key servers. If it is not available there, I expect the signee to point me to the public key. I will not spend a great amount of time finding the public key to sign; I will abandon the signature process instead.

Storage of the secret key

I will then ask the signee how the secret key is protected. I appreciate people publishing their key policy on the world wide web like I do, but I accept an explanation of how the key is protected as well. Please note that I will publish the protection scheme in my key signing notes.

How to hand over proof of identity and fingerprint

Handing over proof of identity and fingerprint must take place under reasonable circumstances (i.e. neither of us being in a hurry, exchanging key data in a calm place, and so on). I reserve the right to refuse signing under inappropriate circumstances.

My personal notes

After having received (or exchanged) the proof described in detail above, I will initial the signee's piece of paper myself to avoid fraud. I will also make notes about the Proof of Identity and the procedures the signee follows to protect the secret key.

E-mail challenge

At home, I will send one e-mail to each of the mail addresses listed in the UIDs I was asked to sign. These verification mails contain random strings and will be signed by my Master Signature Key. This step of verification is called "e-mail challenge". Naturally, this challenge does not work with sign-only keys.

I will then wait two weeks for answers to the test e-mails. These answers need to be signed with the key and UID that the mail was originally sent out to verify. I will then check the key's fingerprint against the fingerprint that was given to me together with the proof of identity. This is called the "fingerprint verification".

If one of the UIDs fails one of the tests, a warning will be sent to one of the other mail addresses and the procedure will be halted until a satisfactory explanation has been received or the procedure has been cancelled by the signee.
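The following Python helper is an added example and not part of this policy page or Marc Haber's own tooling. It covers two of the checks described above: the hardcopy fingerprint comparison from the "Hardcopy fingerprint" section and the e-mail challenge with the fingerprint verification just described. It assumes the key listing is taken from gpg --with-colons --list-keys and that each signed reply is checked with gpg --verify --status-fd 1, whose status lines are passed to check_reply(); the listing, the status lines and the addresses embedded below are constructed sample data, and all function names are my own.

```python
"""Fingerprint verification and e-mail challenge helpers for a key signing
policy like the one above.  Added example; not the policy author's tooling.

Assumptions (not stated on the page): key data is taken from
  gpg --with-colons --list-keys <keyid>
and each signed reply is checked with
  gpg --verify --status-fd 1 reply.asc
whose status lines are fed to check_reply().  All sample data below is
constructed."""
import re
import secrets

# Constructed sample of --with-colons output: a primary key, two UIDs, one
# signing subkey.  Field 10 of 'fpr' is the fingerprint, field 10 of 'uid'
# the user ID.
SAMPLE_LISTING = """\
pub:u:4096:1:ABCDEF0123456789:1600000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::1111111111111111111111111111111111111111::Signee Example <signee@example.org>::::::::::0:
uid:u::::1600000000::2222222222222222222222222222222222222222::Signee Example <signee@example.net>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1600000000::::::s::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""

# Constructed sample of --status-fd output for a reply signed with the subkey.
# VALIDSIG carries the signing (sub)key fingerprint first and, in GnuPG 2,
# the primary key fingerprint as its last field.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Signee Example <signee@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2003-08-08 1060300000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def parse_listing(text):
    """Return (primary key fingerprint, list of UID e-mail addresses).
    Only the first 'fpr' record after 'pub' is the primary key's; later ones
    belong to subkeys and are not what the hardcopy shows."""
    primary_fpr, emails, seen_pub = None, [], False
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            seen_pub = True
        elif fields[0] == "fpr" and seen_pub and primary_fpr is None:
            primary_fpr = fields[9]
        elif fields[0] == "uid":
            m = re.search(r"<([^>]+)>", fields[9])
            if m:
                emails.append(m.group(1).lower())
    return primary_fpr, emails


def normalize_fpr(text):
    """Hex digits only, upper case: gpg --fingerprint prints groups of four
    separated by spaces, and a handwritten sheet may use lower case or dashes."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def fingerprints_match(hardcopy, from_key):
    """True only for two complete v4 (40 hex digit) fingerprints that are
    equal; a prefix or a bare key ID on the sheet is not enough."""
    a, b = normalize_fpr(hardcopy), normalize_fpr(from_key)
    return len(a) == 40 and secrets.compare_digest(a, b)


def make_challenges(emails):
    """One unguessable random string per challenged UID address."""
    return {addr: secrets.token_hex(16) for addr in emails}


def check_reply(status_output, reply_from, reply_body, challenge,
                expected_fpr, challenged_addr):
    """Evaluate one signed reply; returns (ok, reason).
    The GOODSIG line shows whichever user ID gpg picks for display, so the
    challenged address is checked against the reply's sender instead."""
    if reply_from.lower() != challenged_addr.lower():
        return False, "reply came from a different address than the one challenged"
    if challenge not in reply_body:
        return False, "reply does not quote the challenge string"
    validsig = next((l.split() for l in status_output.splitlines()
                     if l.startswith("[GNUPG:] VALIDSIG ")), None)
    if validsig is None:
        return False, "no VALIDSIG: signature missing, bad, or key not available"
    # Compare the primary key fingerprint (last field) with the hardcopy.  If
    # an old gpg omits it, the last field is the two-digit sig class and the
    # length check in fingerprints_match() rejects it instead of passing.
    if not fingerprints_match(expected_fpr, validsig[-1]):
        return False, "signing key's primary fingerprint differs from the hardcopy"
    return True, "signature valid and fingerprint matches"


if __name__ == "__main__":
    fpr, emails = parse_listing(SAMPLE_LISTING)
    print("primary fingerprint:", fpr)
    for addr, token in make_challenges(emails).items():
        print(f"challenge for {addr}: {token}")
```

The comparison deliberately uses the primary key fingerprint from VALIDSIG rather than the first field, because a reply signed with a signing subkey would otherwise never match the primary fingerprint on the signee's sheet; and the reply's sender is matched against the challenged address because a valid signature alone does not show which UID's mailbox received the challenge.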

Finally: The act of signing

Signature levels

Level 3

A GPG signature level 3 is given to sign-and-encrypt-keys if all three checks (proof of identity, e-mail challenge and fingerprint verification) have been successfully completed.

Level 2

For sign-only keys, the e-mail challenge is not possible, and thus my signature on these keys is given a level 2 if both proof of identity and fingerprint verification have been successful.

Level 1

I will not use level 1 because in my opinion, this level weakens the web of trust.

Level 0

A level 0 is given to keys of Certification Authorities and other organizations since there is usually not a single person behind those keys.

Signing

After placing my signature on the appropriate UID, I will save a file here containing information on when and where I met the signee and how I verified their identity.

Transport of the signed key to the signee

The signed keyblock will then be e-mailed to the first e-mail UID on the key, or to the address the signee has asked me to mail it to. I will not upload the signed keyblock to any key server.

How to meet me

I live in Karlsruhe, Baden-Württemberg, Germany, Europe. I am open to signing keys at any time. The easiest way of verifying keys would be to meet me here in Karlsruhe after getting in touch with me via e-mail (mh+gpg-keysigning@zugschlus.de). I rarely abandon my incoming mailbox for longer than a day, so that medium of communication is fine.

Spam

Spam is a big problem. I am pretty sure that this web page will sooner or later be harvested by the spammer robots. To combat the spam problem, all e-mail addresses mentioned on this web page are heavily filtered using MTA policies and spamassassin. Please consider trying to make your messages look like non-spam when using them for legitimate communications.

Credits

To be able to create this document, it was necessary to build knowledge about the web of trust, which is very much based on mutual trust. It is therefore very important to know all there is to know about the unwritten regulations and rules of etiquette. Many de.comp.security.misc regulars, including Carsten Eilers, Florian Weimer and Markus Schaaf, helped me build that knowledge in July 2002 and August 2003. This document was very much inspired by Bjoern Buerger and Marcus Frings. Thank you very much!

Revision history

A new revision of the policy can replace this one any time.

Version  Date        Comment
0.0      2003-08-08  preliminary
Marc Haber, 27.11.2003 11:49