CA Policy - Enrico Scholz

This document describes the CA policy for GPG signatures. A signed version of this document can be found here.

Key-Security

I use subkeys for signing mails and documents and for encryption. Only the main key is used for signing other people's keys.

Key 0x0D001429

The signing key is stored only on a CD-ROM and, since 2007, on an encfs-encrypted USB stick; both are mounted on demand. Signing itself happens on a machine that was and is connected to the network before and during signing; hence, attacks by viruses or trojans cannot be excluded.

Cert-Levels

I will use the following cert-levels for signing other people's keys (the key owner is called the signee below):
Level 0
This level will not be used by me
Level 1
This level will not be used by me
Level 2
I will use this level when I have casually verified the identity of the signee. This means:
  • I know the signee and have met him/her in person
  • I asked the signee in person or in a telephone conversation for the fingerprint of his/her key
  • I verified the plausibility of the key (see below)
  • I verified the email address(es) associated with the key (see below)
Level 3
I will use this level when I have extensively verified the identity of the signee. This means:
  • I met the owner of the key in person
  • I saw a hard-to-forge document with a photo ID. This document MUST be valid at the time of verification.
  • I verified that the owner of the key is the person shown on the photo ID
  • I verified that the name of the signee matches the name in the document
  • I asked the signee in person for the fingerprint of his/her key, or he/she verified the fingerprint
  • I verified the plausibility of the key (see below)
  • I verified the email address(es) associated with the key (see below)
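The cert-levels above correspond to the OpenPGP certification classes 0x10 to 0x13, which gpg reports as "10x" .. "13x" in the signature-class field of `gpg --with-colons --list-sigs`. The following audit script is an added example (not part of this policy document): it parses such output and lists the certifications a given signer made at a level the signer's policy does not allow (here: levels 0 and 1). The key IDs, user IDs and colon-format lines in it are constructed sample data.

```python
"""Audit certification levels in `gpg --with-colons --list-sigs` output.
Added example; not the policy author's code."""
from typing import List, Tuple

# Signature class (first two hex digits of colon field 11) -> cert level.
# 0x10 generic (0), 0x11 persona (1), 0x12 casual (2), 0x13 positive (3).
CERT_CLASS_TO_LEVEL = {"10": 0, "11": 1, "12": 2, "13": 3}

# Constructed sample: a key with two uids, each carrying a self-signature
# (class 13x) and a certification by a second, constructed signer key.
SAMPLE_COLON_OUTPUT = """\
pub:u:2048:1:1111111111111111:1172925000:::u:::scESC::::::23::0:
uid:u::::1172925000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>::::::::::0:
sig:::1:1111111111111111:1172925000::::Alice Example <alice@example.org>:13x:::::::::
sig:::1:FEDCBA9876543210:1172930000::::Bob Signer <bob@example.net>:12x:::::::::
uid:u::::1172925000::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Alice Example <alice@example.com>::::::::::0:
sig:::1:1111111111111111:1172925000::::Alice Example <alice@example.org>:13x:::::::::
sig:::1:FEDCBA9876543210:1172930000::::Bob Signer <bob@example.net>:11x:::::::::
"""


def parse_certifications(colon_output: str) -> List[Tuple[str, str, int]]:
    """Return (uid, signer_keyid, cert_level) for every certification record,
    attributed to the uid record that precedes it. Other sig classes are skipped."""
    result = []
    current_uid = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "uid":
            current_uid = fields[9]          # field 10: user ID string
        elif fields[0] == "sig" and current_uid is not None:
            level = CERT_CLASS_TO_LEVEL.get(fields[10][:2])  # field 11: class
            if level is not None:
                result.append((current_uid, fields[4], level))  # field 5: key ID
    return result


def policy_violations(colon_output: str, signer_keyid: str,
                      allowed_levels=(2, 3)) -> List[Tuple[str, int]]:
    """(uid, level) pairs where signer_keyid certified at a disallowed level."""
    return [(uid, lvl) for uid, kid, lvl in parse_certifications(colon_output)
            if kid == signer_keyid and lvl not in allowed_levels]


if __name__ == "__main__":
    for uid, lvl in policy_violations(SAMPLE_COLON_OUTPUT, "FEDCBA9876543210"):
        print(f"level {lvl} certification on '{uid}' violates policy")
```

Run it against real output with `gpg --with-colons --list-sigs <keyid>` piped into `policy_violations`; the sample flags the level-1 certification on the second uid.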
Common to all cases is that the user ID (short: uid) associated with the key(s) must be plausible. This means: the email address(es) associated with the key will be verified by:

Enrico Scholz
Last modified: Sat Mar 24 12:43:50 CET 2007