-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Certificate printout of GnuPG (e-mail address suppressed):

##############################################################################
#                                                                            #
#  pub   4096R/DDB489E2 2014-06-10 [exp: 2017-01-29]                         #
#        key fingerprint = E795 36A7 083A C2CB BC75 4BC9 7DC1 0A59 DDB4 89E2 #
#  uid   Oliver Baum (offline master key)                                    #
#  uid   Oliver Baum <...>                                                   #
#  sub   2048R/BDC716A8 2014-06-10 [exp: 2016-06-09]                         #
#  sub   2048R/F587A69F 2014-06-10 [exp: 2016-06-09]                         #
#                                                                            #
##############################################################################

...................................................................................................

                       A B O U T   T H I S   D O C U M E N T

The main purpose of this document is to give third parties some information on how I handle my (private) OpenPGP keys and how I sign other people's keys. It should help others form an idea of the security and reliability of my signatures, of the certificates I issue, and of the keys I use and create.

The URL of this policy is quoted in every certification I make. If an adjustment of the policy becomes necessary, I will upload a revised version; in that case you will find a short remark with the URL of the older version, so previous versions remain available anyway.

Please note that this document is signed by the offline master key.

...................................................................................................

              S E C U R I T Y   O F   T H E   K E Y S   ( K E Y - P O L I C Y )

(A1) Generation of the keys:
The keys were generated on an offline system booted from a verified KNOPPIX live disc. The hardware involved was not checked further but is basically considered trustworthy. The master key was protected with a (from a cryptographic point of view) highly secure passphrase before it was exported from this system. No special provisions were made against possible TEMPEST attacks.
(A2) Usage of the master key:
The master key (0xDDB489E2) is used only on secure offline systems (KNOPPIX CD-ROM, no internet connection, ... see above). Signatures on other keys and/or files made by this offline master key can therefore be regarded as highly trustworthy.

(A3) Usage of the sub keys:
The sub keys (and only the sub keys!) are stored and used on an ordinarily protected, self-administered system for daily encryption and signing purposes. Sub keys expire every two years.

...................................................................................................

         S I G N I N G   O T H E R   K E Y S   ( S I G N I N G - P O L I C Y )

(B1) General information:
In every case I must have met the signee (the person who wants me to sign her/his PGP key) in person. After importing the foreign PGP certificate into my system (secure offline system only, see A1) I always double-check the fingerprint. It is therefore expedient to hand me the complete fingerprint and all UIDs to be signed printed on a piece of paper. In exceptional cases I accept comparing the fingerprints via different SECURE channels (e.g. by telephone); the first sentence of this paragraph remains unaffected by this.

I do not upload foreign certificates to any keyserver after signing them. Keeping keys updated is the responsibility of the keyholder. Again, please

    >>> DO NOT UPLOAD MY KEYS TO PUBLIC KEYSERVERS! <<<

For various reasons I only want to offer them via my private website. You can send me my signed certificate to the e-mail address given in my UID.

(B2) Level of certification

# LEVEL 3 #
The essential procedure of a Level 3 certification is the proof of identity. For this an official government document with a picture (e.g. ID card, passport, driving licence) must be provided. Of course the name (surname AND last name) in the UID must match the data in the document. The signed key will be sent (encrypted, if feasible) to the e-mail address given in the UID.
This ensures that the keyholder actually has access to the stated e-mail account. If a UID does not specify contact information, the signature will be attached to a mail to one of the other UIDs. If no UID provides an e-mail address, the signee must specify the way of receipt at the personal meeting.

# LEVEL 2 #
This trust level is used for pseudonymous UIDs, i.e. the UID DOES NOT contain the verifiable real name of the signee. I am willing to sign these kinds of UIDs anyway. In this case the UID MUST contain a valid e-mail address to which I can send the encrypted signature. With this procedure only the keyholder's access to the e-mail account given in the UID is confirmed. The first sentence of paragraph B1 remains unaffected by this.

# LEVEL 1 #
I am not going to use this level of certification.

# LEVEL 0 #
This signature fits none of the above regulations, and I will try to avoid such signatures. A possible use of this level is the certification of keys representing e.g. companies, groups or organizations, where I cannot verify the identity of a certain person but am nevertheless convinced of the affiliation between key and signee (e.g. verified by a fingerprint printed in a magazine etc.).
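The checks described in B1 and B2, written out as a small Python script. This is an added example and not part of the signed policy; the only value taken from the policy is the master key fingerprint in its header, while every UID, name and e-mail address below is constructed for illustration (the hypothetical .invalid addresses are placeholders). The mapping of certification levels 0-3 to OpenPGP signature classes 0x10-0x13 is the one defined in RFC 4880 and used by GnuPG's cert levels.

```python
import re
from typing import List, Optional, Tuple

# Fingerprint printed in the policy header (public data). Everything else in
# this file is constructed sample input, not taken from the policy.
PAGE_FPR = "E795 36A7 083A C2CB BC75 4BC9 7DC1 0A59 DDB4 89E2"

# RFC 4880 s5.2.1 certification signature classes behind cert levels 0..3
# (generic, persona, casual, positive). The policy never issues level 1.
SIG_CLASS = {0: 0x10, 1: 0x11, 2: 0x12, 3: 0x13}

# "Name (comment) <email>"; comment and e-mail are optional.
_UID_RE = re.compile(
    r"^(?P<name>[^(<]*?)\s*(?:\((?P<comment>[^)]*)\))?\s*(?:<(?P<email>[^>]*)>)?\s*$"
)


def normalize_fpr(text: str) -> str:
    """Drop grouping whitespace and case; insist on all 40 hex digits of a v4 fingerprint.

    A partial fingerprint or a bare key ID is rejected on purpose: B1 asks for
    the complete fingerprint on paper, and only the full value identifies the key.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).upper()
    if len(digits) != 40:
        raise ValueError(f"not a complete v4 fingerprint: {text!r}")
    return digits


def fingerprints_match(paper: str, imported: str) -> bool:
    """The double-check from B1: paper slip versus what gpg reports after import."""
    return normalize_fpr(paper) == normalize_fpr(imported)


def key_ids(fpr: str) -> Tuple[str, str]:
    """Long (64-bit) and short (32-bit) key IDs are just the tail of the fingerprint."""
    digits = normalize_fpr(fpr)
    return digits[-16:], digits[-8:]


def parse_uid(uid: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split a UID into (name, comment, email); missing parts are None."""
    m = _UID_RE.match(uid)
    if not m or not m.group("name"):
        raise ValueError(f"cannot parse UID: {uid!r}")
    return m.group("name"), m.group("comment"), m.group("email")


def _same_person(uid_name: str, document_name: str) -> bool:
    """Compare the UID name with the name on the ID document, ignoring case/spacing."""
    fold = lambda s: " ".join(s.split()).casefold()
    return fold(uid_name) == fold(document_name)


def certification_level(uid: str, met_in_person: bool,
                        document_name: Optional[str] = None,
                        organisation_affiliation_verified: bool = False) -> Optional[int]:
    """Apply B1/B2 to one UID: return the level to certify at, or None to decline.

    document_name is the name read from the government photo ID shown at the
    meeting; organisation_affiliation_verified covers the Level 0 case of B2.
    """
    if not met_in_person:            # B1: no personal meeting, no signature at all
        return None
    name, _comment, email = parse_uid(uid)
    if document_name is not None and _same_person(name, document_name):
        return 3                     # Level 3: identity proven by official document
    if organisation_affiliation_verified:
        return 0                     # Level 0: company/group key, no personal identity
    if email:
        return 2                     # Level 2: pseudonymous UID with a reachable mailbox
    return None                      # pseudonymous and unreachable; Level 1 is never used


def delivery_address(uids: List[str], signed_uid: str) -> Optional[str]:
    """Where the signed key is mailed (B2): the UID's own address, else another
    UID's address, else None, meaning the signee names a way of receipt in person."""
    own = parse_uid(signed_uid)[2]
    if own:
        return own
    for other in uids:
        email = parse_uid(other)[2]
        if email:
            return email
    return None
```

Running certification_level() over each UID of an imported key before invoking gpg's sign-key command reproduces the decision the policy describes; key_ids() shows why a short key ID such as 0xDDB489E2 is only the last 8 hex digits of the fingerprint and cannot replace the full comparison.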
Dresden, 03.07.2014
Oliver Baum

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJOBAEBAgA4BQJTtXSMMRpodHRwOi8vd3d3LnVtLWVwb3N0LmRlL3BvbGljaWVz
LzB4RERCNDg5RTJfMS50eHQACgkQfcEKWd20ieIIJxAAr2fAw3Mjv+AMynNGxCFi
SQdlvQhUA5x8hyDH2Xk6QE1zOfluCrmZxqUzlOKZ+wY6JGC4IzhJAMT+/1srlCP9
gd1ME8hJR9zR3ffMd+2KMXFxFluywqxCHqwEbuzi89Apgf3e04aidJ8VMWqBKvpx
/1FM8HHsslz0e6uxq8EjQQP4+EuphvyZVPIFJkamhvo9k6MFZoOZyW2emkhXFswV
cpskh9YJL4vXlNYsBhXuQnxmE0Hy7InBI5X8Oa/SvfsxEtX/k8L82M7BXZm7wpik
Qc4fcfnGj/USQ5f+EuuTCcmQ2KCp23suwfIHEKqckL0Ww7m3bAvCOVAHpg2ElD9Z
C544ChBSYU7zZ4TbC5znUbuORZfZgTtgMiUOIJwJaaFy0Oy4UtScs159VeDT7T5m
6Yw35cLADkD3sE5nH4lsB7SpAgbUgjHZtELS27lV9W3JpDP1EnkLm82izS8uHDRo
oV+MEd4B+GpkSlEy1HymzaZxO5SKXhVcEy8NDfGTdWOJWtws+Eadveyn6rVv4oVs
gw1J+GH4v4f7d8dyy1Rr3FZIXkqsnDNlJmbBhu2Ja0fBQ1HdRniYLoC1Ptaa/QfJ
KNghw7ZQboXfztLWyn+ql/iAsaAGLlk+Ch5UwvKwWg6fRzxFKnWr/jor+t7vfaME
/GgcqM4jx2iAcRCU4lziZN0=
=rT/2
-----END PGP SIGNATURE-----