fvezzoli.villavasco.ovh/content/about/gpg/attachment/policy-20221011.txt
Francesco Vezzoli 272eace4b9 Add GPG information to site
Signed-off-by: Francesco Vezzoli <fvezzoli@villavasco.ovh>
2023-01-02 23:11:09 +01:00


This is the signing policy for key 0xE9F4D999943E991C:
### Meeting
I am willing to sign keys for people I meet in person, in reasonable circumstances (not in a hurry, in a calm place, etc.).
The owner of the key should bring a hard copy of the output of the command: `gpg --fingerprint $KEY_ID`, or an equivalent listing of the same information.
If the key is not available on public servers, the piece of paper should include an alternative address where I can easily retrieve the public key to sign.
I reserve the right not to sign a key; reasons may include, but are not limited to, insufficient identification (I think the face-to-face meeting mitigates the problem) or problems retrieving the key.
### Signature Levels
I'm not using signature levels: I think they don't add much value. I fully trust all people I meet.
### Key transport
After signing the UIDs, I will send the signed key to each e-mail address as a light form of address ownership control; I will not upload the key to any keyserver.
### Subsequent keys
If I have signed your key and you create a new one (e.g., because you are migrating to a new format), I am willing to sign the new key without meeting in person, as long as the following conditions are met.
1. The old key is not yet expired or revoked when you send me the request (obviously).
2. You send me an e-mail signed with the old key and containing the information about the new key needed for a new signature (fingerprint, UID you want to have signed, where to find the key).
I will sign the UIDs I had already signed with the old key, the others only if I am sure they are yours.
### Pseudonym keys
I will only sign pseudonym identities on keys if I've known the owner of the key under that pseudonym for more than a year.
### Photo UID
I won't generally sign photo UIDs because they are hard to properly verify.
### Reciprocity
Reciprocity is appreciated, but not required: if we meet so that I can sign your key, I expect that you look at my ID and fingerprint; if then you have a reason not to sign it I understand it, but I would appreciate it if, situation permitting, you explain what the issues are, so that I can fix them for the future.