0.1 Definitions
I, me, my: any references to 'I', 'me' or 'my' refer to Ewald Tienkamp.
keys: in this document, when not explicitly stated otherwise, key or keys refers to PGP/OpenPGP/GnuPG keys.
signee: the person requesting their key to be signed by me, Ewald Tienkamp, using my personal key C641F38C.
1.0 Key signing conditions
I only sign keys when I have personally met the person who claims to be the owner of said key. Thus, arranging a meeting or attending a keysigning party where I'm present is a requirement for the signee to get their key signed by me.
2.0 Signing levels
GnuPG supports four different signing levels. Below, all of the different levels are listed, and the requirements for the signee to obtain each level are provided.
- sig (0x10): the regular non-specified signature, used by me only for signing automated, non-personal keys, such as CAcert's GPG key. My previous CAcert GPG key signature dates from before this policy and is thus revoked and re-signed to conform to this new keysigning policy.
- sig 1 (0x11): not currently used by me.
- sig 2 (0x12): 'I have done casual checking', so used for signing keys checked during keysigning parties, or in other massive and non-relaxed, non-quiet signing meet-ups. While a positive picture ID is required, careful checking was not possible.
- sig 3 (0x13): 'I have done careful checking', used by me for one-on-one keysigning, where multiple positive ID's are exchanged and checked for security features based on online indexes of such features.
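An added example, not part of the original policy: a signee can check which of the levels above a signature actually carries by reading the signature class in `gpg --with-colons --list-sigs` output. The function name, key IDs, names and timestamps below are constructed for illustration.

```python
# Added example (not from the original policy): list the certification level one
# signer gave each uid, from `gpg --with-colons --list-sigs` output.
# Field 5 = signer key ID, field 6 = creation time, field 10 = user ID,
# field 11 = signature class (two hex digits + 'x' exportable / 'l' local).
LEVELS = {0x10: "sig (unspecified)", 0x11: "sig 1", 0x12: "sig 2 (casual)", 0x13: "sig 3 (careful)"}

# Constructed sample, trimmed: key IDs, names and timestamps are made up.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1260000000:::u:::scESC:
uid:u::::1260000000::::Alice Example <alice@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1260000000::::Alice Example <alice@example.org>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1266300000::::Signer Example <signer@example.org>:12x:
uid:u::::1260000000::::Alice Example <alice@old.example.org>:
sig:::1:BBBBBBBBBBBBBBBB:1250000000::::Signer Example <signer@example.org>:10x:
rev:::1:BBBBBBBBBBBBBBBB:1266000000::::Signer Example <signer@example.org>:30x:
sig:::1:BBBBBBBBBBBBBBBB:1266300000::::Signer Example <signer@example.org>:13x:
uat:u::::1260000000::::1 3000:
sig:::1:AAAAAAAAAAAAAAAA:1260000000::::Alice Example <alice@example.org>:13x:
"""

def levels_from(signer_keyid, colon_output):
    """Map each uid to the signer's newest level (0x10-0x13), or None if absent/revoked."""
    latest = {}      # uid -> (timestamp, level or None)
    current = None   # uid the following sig/rev records belong to
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] in ("uid", "uat") and len(f) > 9:
            current = f[9] if f[0] == "uid" else "[photo] " + f[9]
            latest.setdefault(current, (0, None))
        elif f[0] in ("pub", "sub"):
            current = None   # signatures directly on a key are not uid certifications
        elif f[0] in ("sig", "rev") and current and len(f) > 10:
            if f[4].upper() != signer_keyid.upper():
                continue
            ts, sigclass = int(f[5]), int(f[10][:2], 16)
            # 0x30 is a certification revocation; the newest record wins.
            if (sigclass in LEVELS or sigclass == 0x30) and ts >= latest[current][0]:
                latest[current] = (ts, sigclass if sigclass in LEVELS else None)
    return {uid: level for uid, (_, level) in latest.items()}

if __name__ == "__main__":
    for uid, level in levels_from("BBBBBBBBBBBBBBBB", SAMPLE).items():
        print(uid, "->", LEVELS.get(level, "not signed"))
```

This only reads the class byte and does not verify the signatures cryptographically; that check is left to gpg itself.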
2.1 Keysigning party modifiers
While keysigning parties are a great way to obtain a lot of signatures, the quality of the signature will be valued less by me. Usually the setting is not optimal, it is cold and/or really busy and the sheer amount of people attending pressures everyone to quickly continue down the line. Therefore, a sig 2 will be the highest signature given by me. Furthermore, any uid's not listed on the keysigning party sheet will not be signed at all. I will obtain your key from one of the major keyservers, verify names, email, fingerprint and sign accordingly. Any additional uid's that are non-email (and contain anything other than just the name of signee) and/or picture uid's will not be signed and sent.
2.2 Signing of photo uid's
Photo uid's will only be signed for signees I have known for over a year or signees who can provide at least three photo ID's of which one is government issued and which bear a strong resemblance to both real life and photo uid.
2.2 Signing of non-email uid's
Non-email uid's are not signed by me by default. However, there are some exceptions. First of all, just as with all email uid's, they have to be present on paper during the meeting. Second, if the uid consists of merely the full name, which is identical to the full name of one or more email uid's, I will sign. For things such as birth date and location, I will have to have verified those during the meeting. During a keysigning party there is hardly opportunity to do so, unfortunately. Therefore, I will not sign non-email uid's which I was unable to verify during a keysigning party.
3.0 Meeting in person
Aside from meeting in person during a keysigning party, we can arrange a meeting for one on one mutual keysigning. If you happen to be in Utrecht, or better yet, the University complex Uithof, let me know in advance (see ewald.tienkamp.info for ways to contact me) and we'll see if we can meet up. If you like, I can also assure you for CAcert purposes.
3.1 One on one meetings
When meeting one on one, you will want to bring the following:
- A piece of paper with the output of gpg --fingerprint
- At least one government issued ID, valid, with a photograph if possible
- Any additional ID's, cards or documents to further verify your identity
- Enough time to attend the meeting without any rush (approx 10-15 minutes)
4.0 Signing procedure
After meeting in person, I will sign the key which was verified during said meeting once I am home. The signing will be done using caff, which extracts the key from one of the major keyservers. Therefore, you will want to make sure that the key is present on keyservers and is up to date.
After signing, caff will email your signed public key to each of the uid's encrypted, if possible. Photo uid's and non-email uid's, if signed, will be attached to each email as well.
I reserve the right to not sign a key at my own discretion.
6.0 Changelog
16 February 2010 - Version 1.0, first version, all major sections present
Supplement: attended keysigning parties
I have attended the following parties:
7 February 2010, FOSDEM 2010.