Certificate Signing Policy for Gonzalo Bermúdez

v1.2 - August 4, 2007

Content

  1. Key(s) affected by this policy
  2. Where am I
  3. Signature levels
  4. Proof of identity
  5. Changelog
  6. License

Key(s) affected by this policy

This policy is valid for all signatures made by the following GnuPG key:

pub   4096R/E2FC4825 2006-07-24
      Key fingerprint = 607D 555B 2B11 B1B3 916A  CBDE 31E5 FE63 E2FC 4825
uid                  Gonzalo Bermúdez <>
uid                  [jpeg image of size 1346]
sub   1024D/C6348680 2006-07-24
sub   2048g/BDDC0C50 2006-07-24 [expires: 2008-07-23]
        

This key is not published on keyservers. The current version can be found here. The email address on this web page has been removed to prevent spamming. On the actual key, the address is present.

Where am I

I live in Argentina's Federal District. Here, I'm available for key signing at any time. Also, I'll be publishing any travels I do or events I attend on my Key Signing Coordination Google Calendar.

Signature levels

The level I'll use to sign each UID depends on how well I can assure someone is who he or she claims to be.

Level 3
This level will only be given to people I have known long enough to be absolutely sure of their identity. Mostly friends, family and long-term co-workers will receive this level of signature.
Level 2
This signature level is assigned to those UIDs of people who contacted me for key signing, succeeded in providing reasonable proof of identity although I do not know them, and have the owner's real name on them.
Level 1
Signatures of level 1 are given to those UIDs from people who prove their identity, are not known to me, and have a pseudonym, company name or anything other than a real name on them. Note that I require at least one UID with the real name on the key to sign it.
Level 0
I won't use signatures of level 0.

Proof of identity

To prove an identity, I request a meeting in person, which the signee (the person willing to get their key signed) must attend with a passport, identity card, driver's license or the like, featuring a photo ID; he or she must also provide a piece of paper with their key's fingerprint on it, and a list of all UIDs I'm requested to sign. I will accept handwritten information, although I won't sign a UID if I cannot understand it, nor will I sign any UID if the fingerprint is not clear enough.

During the meeting, I'll compare the picture on the identity card with the person's face, and take note of the name on it. I'll also keep the piece of paper with the keys' information to validate the key which I should sign.

Of course, I need access to the public key I'm signing. If it's not available on keyservers, I expect to receive it somehow: be it a URL from where to grab it, or email, or whatever. From the time I receive the key on, I'll be sending every email encrypted if the key has an encryption subkey.

Once the meeting is over, and I'm back at home, I'll send random pieces of data to the email addresses listed on the UIDs I'm requested to sign. I expect to receive them back, signed by the key I'm signing.

For each UID for which the email challenge/response is successfully completed, I'll be sending an email with it signed by my key, according to my signature levels policy.
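The e-mail challenge/response check described above, as an added Python example (not part of the original policy or the author's own tooling). The function names, the sample fingerprints and the sample status line are constructed for illustration; the only assumptions about GnuPG are its `--status-fd` option and the `VALIDSIG` status line it emits for a good signature.

```python
import secrets
import subprocess

# Constructed sample data (not a real key): a reply signed by a signing subkey.
PRIMARY = "0123456789ABCDEF0123456789ABCDEF01234567"
SUBKEY = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"
SAMPLE_STATUS = f"[GNUPG:] VALIDSIG {SUBKEY} 2007-08-04 1186185600 0 4 0 17 2 01 {PRIMARY}\n"

def normalize_fpr(fpr):
    """Strip the spacing used on a paper slip and upper-case the hex digits."""
    return "".join(fpr.split()).upper()

def new_challenges(emails):
    """One independent 128-bit random token per address to be certified."""
    return {email: secrets.token_hex(16) for email in emails}

def gpg_decrypt(path):
    """Run gpg on a saved reply; returns (status_text, signed_text)."""
    p = subprocess.run(
        ["gpg", "--batch", "--status-fd", "2", "--decrypt", path],
        capture_output=True, text=True)
    return p.stderr, p.stdout

def primary_fpr(status_text):
    """Primary-key fingerprint of a valid signature, or None if there is none.

    VALIDSIG's first field is the key that made the signature, which may be a
    signing subkey; its last field is the primary key, which is the
    fingerprint written on the paper slip.
    """
    for line in status_text.splitlines():
        f = line.split()
        if f[:2] == ["[GNUPG:]", "VALIDSIG"] and len(f) >= 3:
            return f[11] if len(f) >= 12 else f[2]
    return None

def passed_uids(paper_fpr, challenges, replies):
    """Addresses whose reply carries their own token, signed under the paper's key.

    replies maps address -> (status_text, signed_text), as from gpg_decrypt().
    """
    want = normalize_fpr(paper_fpr)
    ok = []
    for email, token in challenges.items():
        status, text = replies.get(email, ("", ""))
        if primary_fpr(status) == want and token in text:
            ok.append(email)
    return ok
```

Only the addresses returned by `passed_uids` have completed the challenge; a reply that echoes another address's token, or that verifies under a different primary key, is excluded.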

Changelog

Version 1.2, 2007-07-04
Fixed XHTML issues, and minor language mistakes.
Version 1.1, 2006-08-30
Corrected some typos.
Version 1.0, 2006-08-23
Initial release.

This policy can and should be checked against its detached signature.

License

Copyright (c) 2006 Gonzalo Bermúdez

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2.

Some ideas for this document were taken from the GnuPG Key Signing Policy of Marcus Frings.