CA Policy - Enrico Scholz

This document describes the CA policy for GPG signatures

- which point to this page, and
- which were created by key 0x0D001429 (fingerprint: 6FDE A4DD 4B7D 8DA1 D3D5  E03F BC91 6AF4 0D00 1429), owned by Enrico Scholz.

A signed version of this document can be found here.

Key-Security

I use subkeys for signing mails and documents and for encryption. Only the main key is used for signing (certifying) other people's keys.

Key 0x0D001429

The signing key is stored only on a CD-ROM and, since 2007, on an encfs-encrypted USB stick; both are mounted on demand. Signing itself happens on a machine that was connected to the network before and remains connected during signing; hence attacks by viruses or trojans cannot be excluded.
Cert-Levels

I will use the following cert-levels for signing other people's (short: signee) keys:

- Level 0: This level will not be used by me.
- Level 1: This level will not be used by me.
- Level 2: This level will be used by me when I have verified the identity of the signee casually. This means:
    - I knew the signee and saw him/her in person
    - I asked the signee face-to-face or during a telephone conversation for the fingerprint of his/her key
    - I verified the plausibility of the key (see below)
    - I verified the email address(es) associated with the key (see below)
- Level 3: This level will be used by me when I have verified the identity of the signee extensively. This means:
    - I saw the owner of the key in person
    - I saw a hard-to-forge document with a photo ID. This document MUST be valid at the time of verification.
    - I verified that the owner of the key is the person shown on the photo ID
    - I verified that the name of the signee matches the name in the document
    - I asked the signee face-to-face for the fingerprint of his/her key, or he/she verified the fingerprint
    - I verified the plausibility of the key (see below)
    - I verified the email address(es) associated with the key (see below)
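Both cert-levels above hinge on the signee handing over the fingerprint of his/her key in person or by telephone. The following Python is an added example, not part of this policy page, showing how a signer can normalise a fingerprint that was read aloud, display it again in gpg's group layout for reading back, and refuse to accept a bare key ID in place of the full fingerprint. The only value taken from the page is the fingerprint of key 0x0D001429; the function names and everything else are constructed for this example.

```python
import re

# Added example (not from the policy page): helpers for the fingerprint exchange
# described in the cert-level criteria. The only value taken from the page is the
# fingerprint of key 0x0D001429; everything else is constructed for this example.

HEX40 = re.compile(r"^[0-9A-F]{40}$")


def normalize_fingerprint(text):
    """Turn a fingerprint as gpg prints it or as a signee reads it aloud
    ("6FDE A4DD ... 1429", with or without a 0x prefix) into a bare string of
    40 hex digits.  Returns None for anything shorter, e.g. a bare 8- or
    16-digit key ID, which is not enough to identify a key."""
    compact = re.sub(r"\s+", "", text).upper()
    if compact.startswith("0X"):
        compact = compact[2:]
    return compact if HEX40.match(compact) else None


def display_fingerprint(fpr):
    """Format a normalized fingerprint the way gpg shows it: ten groups of four
    hex digits with a double space between the halves, for reading back."""
    groups = [fpr[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def short_key_id(fpr):
    """The 32-bit short key ID is just the last 8 hex digits of the fingerprint."""
    return "0x" + fpr[-8:]


def long_key_id(fpr):
    """The 64-bit long key ID is the last 16 hex digits of the fingerprint."""
    return "0x" + fpr[-16:]


def fingerprint_matches(spoken, key_fingerprint):
    """True only if the signee gave a complete fingerprint and it equals the
    fingerprint of the key being signed.  A matching key ID alone is rejected:
    short key IDs are easy to collide, so they prove nothing about the key."""
    given = normalize_fingerprint(spoken)
    expected = normalize_fingerprint(key_fingerprint)
    return given is not None and expected is not None and given == expected


# Fingerprint of key 0x0D001429 as stated on this page.
PAGE_FINGERPRINT = "6FDE A4DD 4B7D 8DA1 D3D5  E03F BC91 6AF4 0D00 1429"

if __name__ == "__main__":
    fpr = normalize_fingerprint(PAGE_FINGERPRINT)
    print(display_fingerprint(fpr), short_key_id(fpr), long_key_id(fpr))
    # A signee quoting only the key ID has not given a fingerprint at all.
    print(fingerprint_matches("0x0D001429", PAGE_FINGERPRINT))
```

The point of `fingerprint_matches` rejecting anything shorter than 40 hex digits is that the key ID is nothing more than the tail of the fingerprint; comparing only the tail is the same as comparing nothing.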
      
Common to all cases is that the user ID (short: uid) associated with the key(s) must be plausible. This means:

- The uid MUST be associable with the name of the signee
- The uid MUST contain the first name and the surname of the signee. Abbreviations are not allowed
- Secondary forenames can be abbreviated
- The whole uid MUST sound like a reasonable full name
- Nicknames can be part of the user ID but must be clearly recognizable as such
- Transliterations of umlauts (e.g. oe instead of ö) are accepted
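As an added example that is not part of the original policy, the Python below encodes the mechanically checkable parts of these uid rules: first name and surname spelled out, secondary forenames optionally abbreviated, nicknames confined to the parenthesised comment, and umlaut transliterations accepted when the uid is compared against the name on an ID document. Whether the whole uid "sounds like a reasonable full name" stays a human judgement. The "Name (comment) <email>" layout is the usual OpenPGP uid convention; the sample uids, document names and function names are constructed for this example.

```python
import re

# Added example (not from the policy page): a checker for the uid plausibility
# rules.  The uid layout "Name (comment) <email>" is the usual OpenPGP
# convention; the sample uids and document names used below are constructed.

UID_RE = re.compile(
    r"^(?P<name>[^<(]+?)\s*"           # real name
    r"(?:\((?P<comment>[^)]*)\))?\s*"  # optional comment, where a nickname belongs
    r"(?:<(?P<email>[^>]+)>)?\s*$"     # optional email address
)

# Transliterations the policy accepts; applied to both sides before comparing.
UMLAUTS = {"ä": "ae", "ö": "oe", "ü": "ue", "ß": "ss"}


def transliterate(text):
    """Replace umlauts by their accepted ASCII transliteration, keeping case."""
    out = []
    for ch in text:
        rep = UMLAUTS.get(ch.lower())
        if rep is None:
            out.append(ch)
        else:
            out.append(rep.capitalize() if ch.isupper() else rep)
    return "".join(out)


def name_tokens(name):
    return transliterate(name).split()


def is_abbreviated(token):
    """'M.' or 'M' counts as abbreviated; a short but complete name like 'Li' does not."""
    return token.endswith(".") or len(token.rstrip(".")) < 2


def parse_uid(uid):
    """Split a uid into its name, comment and email parts (None if absent)."""
    m = UID_RE.match(uid.strip())
    if m is None:
        return None
    return {k: (v.strip() if v else None) for k, v in m.groupdict().items()}


def check_uid(uid, document_name):
    """Apply the plausibility rules to `uid`, given the full name shown on the
    signee's ID document.  Returns a list of violations; empty means plausible."""
    parts = parse_uid(uid)
    if parts is None or not parts["name"]:
        return ["uid has no name part"]
    tokens = name_tokens(parts["name"])
    if len(tokens) < 2:
        return ["uid must contain both first name and surname"]
    problems = []
    first, last = tokens[0], tokens[-1]
    if is_abbreviated(first):
        problems.append(f"first name {first!r} is abbreviated")
    if is_abbreviated(last):
        problems.append(f"surname {last!r} is abbreviated")
    doc = name_tokens(document_name)
    if len(doc) < 2 or first.lower() != doc[0].lower() or last.lower() != doc[-1].lower():
        problems.append("first name or surname does not match the ID document")
    # Secondary forenames may be abbreviated: "M." must be a prefix of a documented
    # middle name.  Anything else in the name part (e.g. an unmarked nickname) is
    # flagged, because nicknames belong in the parenthesised comment.
    doc_middle = [t.lower() for t in doc[1:-1]]
    for tok in tokens[1:-1]:
        stem = tok.rstrip(".").lower()
        if not stem or not any(d.startswith(stem) for d in doc_middle):
            problems.append(f"name token {tok!r} is not part of the documented name")
    return problems


if __name__ == "__main__":
    # Constructed sample: a uid with an abbreviated middle name and a marked nickname.
    print(check_uid("Jane M. Doe (janie) <jane.doe@example.org>", "Jane Marie Doe"))
    print(check_uid("J. Doe <j@example.org>", "Jane Doe"))
```

Each violation is returned as a sentence so the signer can quote it back to the signee when declining to certify a uid; the email part that `parse_uid` extracts is the address the encrypted signature is later sent to.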
      
The email address(es) associated with the key will be verified by:

- encrypting the signed key with the key itself
- sending this message to the email address taken from the key
- not uploading the signed key to a key server
- when a key carries pubkeys for multiple uids/email addresses, sending my signature to all of these email addresses, but each mail containing only the signature for the uid associated with that email address.
 