GnuPG Key Signing Policy of Marcus Frings

v1.6.1, 12 Feb 2011

Content

  1. Preamble
  2. Location
  3. Prerequisites for signing
  4. The act of signing
  5. Levels of signatures
  6. Trace the path to my keys
  7. Links
  8. Changelog
  9. License

Preamble

This policy is valid for all signatures made by the following GnuPG keys:

pub   1024D/E10F502E 2002-03-22
      Key fingerprint = 53FC 5A87 27BE 1D30 FEB4  861A 948F D6A0 E10F 502E
uid Marcus Frings <protagonist!gmx.net>
uid Marcus Frings <webmaster!gothgoose.net>
uid Marcus Frings <webmaster!sc-delphin-eschweiler.de>
uid Marcus Frings <marcus.frings!rwth-aachen.de>
uid Marcus Frings <marcus.frings!gmx.net>

pub   1024D/BAB58229 2002-05-07
      Key fingerprint = 0138 DA92 EDFF B27D D270  F86D B475 E207 BAB5 8229
uid Marcus Frings (Work) <marcus.frings!oc.rwth-aachen.de>
uid Marcus Frings <marcus.frings!rwth-aachen.de>

pub   4096R/1E899042 2011-01-10
      Key fingerprint = 69E1 EE07 F7A6 AA8E 4A77  7B2A 7A06 8542 1E89 9042
uid Marcus Frings <protagonist!gmx.net>
uid Marcus Frings <marcus.frings!gmx.net>
uid Marcus Frings <marcus.frings!rwth-aachen.de>

Please note that the key 0xBAB58229 contains the revoked UIDs <marcus.frings!philips.com> and <marcus.frings!scansoft.com>, which are no longer valid. To prevent spam, the mail addresses in the UIDs above are obfuscated on this web page (replace "!" with "@"). The keys themselves contain the real addresses.

These three keys will always be available on this page but the most current versions can usually be fetched from keyservers like subkeys.pgp.net/ or pool.sks-keyservers.net. You can get 0xE10F502E here, 0xBAB58229 here and 0x1E899042 here.

This policy was originally written on 2003-05-31 and will be followed from this date on but it may be replaced with a new version at any time. Content and structure of this document are strongly based on the OpenPGP Key Signing Policy of Marc Mutz and Jörgen Cederlöf but have been slightly modified from the original sources. From May 2003 to January 2011 this policy had been stored at http://www.sc-delphin-eschweiler.de/pgp/ but in February 2011 the document moved to http://www.gothgoose.net/pgp/.

Location

I live in Aachen (Germany) and I am open to sign keys at any time. The easiest way for verifying keys would be to meet me here in Aachen. Another opportunity to get in personal contact would be to address me at certain computer related fairs (CeBIT, LinuxTag and so on). I am also listed at biglumber.com, a webpage about key signing coordination.

Prerequisites for signing

The signee (the key owner who wishes to obtain a signature on his/her key from me, the signer) must make his/her OpenPGP key available on a publicly accessible keyserver (see above for example keyservers).

The signee must prove his/her identity to me by way of a valid identity card or a valid driving licence. These documents must feature a photographic picture of the signee. No other kind of document will be accepted. This also implies that the signee's key must feature his/her real name so that it can be checked against his/her identity card. A key which only contains a pseudonym will not be signed.

For people from outside the European Union I will check both of these documents (since I cannot assess their risk of fraud). Exceptions may be made if there is a good reason for me to do so.

The signee should have prepared a strip of paper with a printout of the output of

gpg --fingerprint 0x12345678

(or an equivalent command if the signee does not use GnuPG) where 0x12345678 is the key ID of the key which is to be signed.

A handwritten piece of paper featuring the fingerprint and all UIDs the signee wants me to sign will also be accepted.

The above must take place under reasonable circumstances (i.e. ourselves not being in a hurry, exchanging key data at a calm place and so on).

The act of signing

After having received (or exchanged) the proof detailed above I will sign the signee's piece of paper myself to avoid fraud.

At home I will sign the UIDs which I was asked to sign. Each signature will then be mailed separately to the mail address of the corresponding UID.

Levels of signatures

Depending on the character of the key which is to be signed by me I will use different levels of signatures:

Level 3
A level of 3 is given to sign-and-encrypt keys: I have met the signee, I have verified his/her identity card and fingerprint and I was able to send my signatures encrypted with the corresponding key of the signee. These signatures are the strongest in my web of trust. Photographic UIDs are also going to be signed with a level of 3 if I can still remember the signee's face when I am back at home.
Level 2
A level of 2 is given to sign-only keys. It cannot be clearly determined whether the owner of the mail account is the same as the key owner because encryption cannot be used, hence the signatures only receive a lower level of 2.
Level 1
A level of 1 will never be used by me for it weakens the web of trust in my opinion. I have never signed keys without appropriate verification and I will never do so in the future.
Level 0
A level of 0 is given to keys of Certification Authorities since in most cases the key owner is a whole organization and not a single person. Usually the fingerprints of those keys have to be verified by getting them from the corresponding website of the CA and cannot be checked by exchange with a member of the CA who is in charge. These signatures are the weakest in my web of trust.
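
The levels 0 to 3 above are GnuPG's certification levels, which are stored in a signature as OpenPGP signature types 0x10 to 0x13. The following is an added example, not part of the original policy: it reads a `gpg --with-colons --list-sigs` listing and reports which level a given signer put on each UID. The listing, key IDs and addresses in it are constructed, and the function name is an assumption.

```python
# Added example (not part of the original policy page).
# SAMPLE is a constructed `gpg --with-colons --list-sigs` listing; every
# key ID, hash and address in it is made up.
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1294617600:::-:::scESC:
uid:-::::1294617600::0000000000000000000000000000000000000000::Alice Example <alice@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1294617600::::Alice Example <alice@example.org>:13x:
sig:::17:BBBBBBBBBBBBBBBB:1297468800::::Signer Example <signer@example.org>:13x:
sig:::17:BBBBBBBBBBBBBBBB:1290000000::::Signer Example <signer@example.org>:12x:
uid:-::::1294617600::1111111111111111111111111111111111111111::Alice Example <alice@example.net>:
sig:::1:AAAAAAAAAAAAAAAA:1294617600::::Alice Example <alice@example.org>:13x:
sig:::17:BBBBBBBBBBBBBBBB:1297468800::::Signer Example <signer@example.org>:12x:
sig:::17:CCCCCCCCCCCCCCCC:1297468800::::[User ID not found]:10l:
"""

# OpenPGP certification types 0x10..0x13 are GnuPG certification levels 0..3.
CERT_LEVELS = {0x10: 0, 0x11: 1, 0x12: 2, 0x13: 3}


def cert_levels(listing, signer_keyid):
    """Map each UID to (level, exportable) of the newest certification made
    by signer_keyid. Short 8-digit IDs match by suffix but can collide, so
    pass the 16-digit ID when it matters."""
    signer = signer_keyid.upper()
    if signer.startswith("0X"):
        signer = signer[2:]
    newest = {}  # uid -> (created, level, exportable)
    uid = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            uid = None  # signatures that follow bind to the key, not a UID
        elif f[0] == "uid" and len(f) > 9:
            uid = f[9]
        elif f[0] == "sig" and uid is not None and len(f) > 10:
            if not f[4].upper().endswith(signer):
                continue
            try:
                sig_type = int(f[10][:2], 16)  # field 11, e.g. "13x" or "10l"
            except ValueError:
                continue
            if sig_type not in CERT_LEVELS:
                continue
            created = int(f[5] or 0)
            if uid not in newest or created >= newest[uid][0]:
                # trailing "x" = exportable, "l" = local-only signature
                newest[uid] = (created, CERT_LEVELS[sig_type], f[10].endswith("x"))
    return {u: (lvl, exp) for u, (_, lvl, exp) in newest.items()}
```
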

Trace the path to my keys

You can use the pathfinder of Henk P. Penning at http://pgp.cs.uu.nl/, which gives you a simple text printout of the path from your key to my keys 0xE10F502E, 0xBAB58229 and 0x1E899042.

If you like graphics you surely want to try out Jörgen Cederlöf's Wotsap, which traces the path from your key to my keys 0xE10F502E, 0xBAB58229 and 0x1E899042.

Links

Here are some links which you may find useful or interesting:

Keyanalyze report:
Search for my name/keys in the current keyanalyze report of Henk P. Penning.
The current analysis of my key 0xE10F502E (from http://www.lysator.liu.se/~jc/wotsap/)
The current analysis of my key 0xBAB58229 (from http://www.lysator.liu.se/~jc/wotsap/)
The current analysis of my key 0x1E899042 (from http://www.lysator.liu.se/~jc/wotsap/)
The current analysis of my key 0xE10F502E (from http://pgp.cs.uu.nl/)
The current analysis of my key 0xBAB58229 (from http://pgp.cs.uu.nl/)
The current analysis of my key 0x1E899042 (from http://pgp.cs.uu.nl/)
Key signing policies of other people:
Marc Mutz
Jörgen Cederlöf
Olaf Gellert
Marc Haber
Jürgen Nieveler
Thomas Bader
Sebastian Inacker
Markus Reichelt
Keysigning parties where I participated or which I organized:
Oecher Keysigning Party I 2003 (Aachen)
Oecher Keysigning Party II 2003 (Aachen)
Keysigning Party Linuxtag 2003 (Karlsruhe)
Keysigning Party Linuxtag 2004 (Karlsruhe)
Keysigning Party Linux-Tage 2005 (Chemnitz)
Keysigning Party Linuxtag 2006 (Wiesbaden)
Keysigning Party FOSDEM 2008 (Brussels)
Keysigning Party FrOSCon 2008 (Sankt Augustin)
Keysigning Party FOSDEM 2009 (Brussels)
Keysigning Party FrOSCon 2009 (Sankt Augustin)
Keysigning Party FOSDEM 2010 (Brussels)
Keysigning Party FrOSCon 2010 (Sankt Augustin)
Keysigning Party FOSDEM 2011 (Brussels)

Changelog

Version 1.6.1, 2011-02-12:
This policy moved from its former place http://www.sc-delphin-eschweiler.de/pgp/ to http://www.gothgoose.net/pgp/.
Version 1.6.0, 2011-01-22:
Added my new third key 0x1E899042 to the policy.
Version 1.5.1, 2010-02-17:
Policy not changed; updated list of visited keysigning parties.
Version 1.5.0, 2009-02-15:
Policy not changed; Added new UIDs <marcus.frings!rwth-aachen.de> and <marcus.frings!gmx.net> in key 0xE10F502E and new UID <marcus.frings!rwth-aachen.de> in key 0xBAB58229; updated list of visited keysigning parties.
Version 1.4.2, 2008-08-24:
Policy not changed; updated list of visited keysigning parties.
Version 1.4.1, 2008-02-24:
Policy not changed; updated list of visited keysigning parties.
Version 1.4.0, 2006-05-03:
Major policy upgrade.
Version 1.3.1, 2004-11-12:
Policy not changed; added link to Markus Reichelt's signing policy.
Version 1.3.0, 2004-08-17:
Added new UID <marcus.frings!oc.rwth-aachen.de> and revoked UID <marcus.frings!scansoft.com> in key 0xBAB58229; policy upgraded.
Version 1.2.8, 2004-07-11:
Policy not changed; added link to Sebastian Inacker's signing policy; added some more stats about my keys.
Version 1.2.7, 2004-06-27:
Policy not changed; added link to Keysigning Party LinuxTag 2004; keyservers modified in the preamble.
Version 1.2.6, 2004-05-20:
Policy upgraded; last changes are highlighted.
Version 1.2.5, 2004-04-03:
Policy upgraded.
Version 1.2.4, 2004-03-31:
Added link to Olaf Gellert's signing policy.
Version 1.2.3, 2003-12-14:
Added link to Thomas Bader's signing policy.
Version 1.2.2, 2003-10-24:
Added link to Oecher Keysigning Party II.
Version 1.2.1, 2003-10-12:
Added link to Jürgen Nieveler's signing policy.
Version 1.2.0, 2003-08-12:
Added section "Links"; complete rewrite of the section "Levels of signatures" to make my way of giving signature levels more transparent for other people.
Version 1.1.1, 2003-08-01:
Added my entry at biglumber.com to the section "Location".
Version 1.1.0, 2003-07-18:
Added section "Trace the path to my keys"; minor changes in the text.
Version 1.0.0, 2003-05-31:
Initial Release.

License

Copyright (c) 2003-2011 Marcus Frings.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.



Marcus Frings <protagonist@gmx.net>
Last modified: Sat Feb 12 16:28:40 CET 2011