CA Policy - Enrico Scholz
This document describes the CA policy for GPG signatures which
- point to this page (via their policy URL), and
- are created by key 0x0D001429 (fingerprint: 6FDE A4DD 4B7D 8DA1 D3D5 E03F BC91 6AF4 0D00 1429), which is owned by Enrico Scholz.
A signed version of this document can be found here.
Key-Security
I use subkeys for signing mails and documents and for encryption, respectively. Only the main key is used for signing other keys.
Key 0x0D001429
The signing key is stored only on a CD-ROM and, since 2007, on an encfs-encrypted USB stick, both of which are mounted on demand. Signing itself happens on a machine that was and is connected to the network before and during signing; hence attacks by viruses or trojans cannot be excluded.
Cert-Levels
I will use the following cert-levels for signing other people's keys (the owner of such a key is called the signee below):
- Level 0
  - Not used by me.
- Level 1
  - Not used by me.
- Level 2
  - Used when I have casually verified the identity of the signee. This means:
    - I know the signee and have seen him/her in person
    - I asked the signee face to face or in a telephone conversation for the fingerprint of his/her key
    - I verified the plausibility of the key (see below)
    - I verified the email address(es) associated with the key (see below)
- Level 3
  - Used when I have extensively verified the identity of the signee. This means:
    - I saw the owner of the key in person
    - I saw a hard-to-forge photo ID document. This document MUST have been valid at the time of verification.
    - I verified that the owner of the key is the person shown on the photo ID
    - I verified that the name of the signee matches the name in the document
    - I asked the signee face to face for the fingerprint of his/her key, or he/she verified the fingerprint
    - I verified the plausibility of the key (see below)
    - I verified the email address(es) associated with the key (see below)
In all cases the user ID (short: uid) associated with the key(s) must be plausible. This means:
- The uid MUST be attributable to the name of the signee
- The uid MUST contain the first name and the surname of the signee. Abbreviations are not allowed
- Secondary forenames can be abbreviated
- The whole uid MUST read like a reasonable full name
- Nicknames can be part of the user ID but must be clearly recognizable as such
- Transliteration of umlauts (e.g. oe instead of ö) is accepted
The email address(es) associated with a key are verified by:
- Encrypting the signed key with the key itself
- Sending this message to the email address taken from the uid
- Not uploading the signed key to a key server; whoever receives and decrypts the mail decides whether to publish the signature
- When a key carries multiple uids/email addresses, a message is sent to every email address, but each message contains only the signature for the uid that belongs to that address.