Certificate Signing Policy for Gonzalo Bermúdez

v2019.1 - Apr 20, 2019

Content

  1. Key(s) affected by this policy
  2. Location
  3. Signature levels
  4. Proof of identity
  5. Changelog
  6. License

Key(s) affected by this policy

This policy is valid for all signatures made by the following GnuPG key:

pub   rsa4096/0x31E5FE63E2FC4825 2006-07-24 [SC] [expires: 2081-01-01]
      Key fingerprint = 607D 555B 2B11 B1B3 916A  CBDE 31E5 FE63 E2FC 4825
uid                   [ultimate] Gonzalo Bermúdez
uid                   [ultimate] [jpeg image of size 1346]
uid                   [ultimate] Gonzalo Bermúdez
sub   rsa2048/0xFAD48D16B6984691 2017-02-11 [A] [expires: 2081-01-01]
sub   rsa2048/0x03621B410C71A6B4 2019-04-20 [E] [expires: 2020-06-01]
sub   rsa2048/0xCE73F69A01041AE0 2019-04-20 [S] [expires: 2029-06-01]
        

This key is not published on keyservers. The current version can be found here. The email address on this web page has been removed to prevent spamming. On the actual key, the address is present.

Location

I live in Argentina's Federal District. Here, I'm available for key signing at any time. I'm also listed on biglumber, a site about key signing coordination.

Signature levels

The level I'll use to sign each UID depends on how confidently I can state that someone is who he or she claims to be.

Level 3
This level will only be given to people I have known long enough to be absolutely sure of their identity. Mostly friends, family and long-term co-workers will receive this level of signature.
Level 2
This signature level is assigned to those people who contacted me for key signing and succeeded in providing reasonable proof of identity although I do not know them.
Levels 1 and 0
I won't be using these levels for the time being.

Proof of identity

To prove an identity, I request a meeting in person, which the signee must attend with an identity card bearing a photo; he or she must also provide a piece of paper with their key's fingerprint on it, and a list of all UIDs I'm requested to sign. I will accept handwritten information, although I won't sign a UID if I cannot understand it, nor will I sign any UID if the fingerprint is not clear enough.

During the meeting, I'll compare the picture on the identity card with the person's face, and take note of the name on it. I'll also keep the piece of paper with the keys' information to validate the keys I should sign.

These proceedings are not required for people I have known long enough to rule out identity forgery. In those cases, I'll require only that they hand me their fingerprints in person, to avoid man-in-the-middle attacks.

Of course, I need access to the public key I'm signing. If it's not available on keyservers, I expect to receive it somehow: be it a URL from which to fetch it, or email, or any other means. From the time I receive the key on, I'll be sending every email encrypted if the key has an encryption subkey.

Once the meeting is over, and I'm back at my place, I'll send random pieces of data to the email addresses listed on the UIDs I'm requested to sign. I expect to receive them back, signed by the key I'm signing.

Once the email challenge/response is successfully completed, I'll be sending an email with each signed UID signed by my key, according to my signature levels policy.
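The checks in this section, written out as an added example (not part of the original policy or the author's own tooling): the fingerprint on the paper slip is compared with the key actually received, one random challenge is issued per requested email address, and, per the version 2.0 changelog entry, one failed UID fails the whole key. The function names, the sample listing and the shape of `replies` are assumptions; signature verification itself is left to gpg, and each reply's signer is assumed to be the primary-key fingerprint from the last field of gpg's `VALIDSIG` status line.

```python
import hmac
import secrets

# Constructed `gpg --with-colons --fingerprint` listing (hypothetical signee).
SAMPLE_LISTING = """\
pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::AAAA::Alice Example <alice@example.org>::::::::::0:
uid:-::::1500000000::BBBB::Alice Example <alice@work.example>::::::::::0:
sub:-:2048:1:1111222233334444:1500000000::::::e::::::23:
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAA1111222233334444:
"""

def parse_listing(listing):
    """Return (primary fingerprint, {email: uid string}) from colon output."""
    primary, uids, last = None, {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            last = f[0]              # remember which key the next fpr belongs to
        elif f[0] == "fpr" and last == "pub" and primary is None:
            primary = f[9]
        elif f[0] == "uid" and "<" in f[9]:
            email = f[9].rsplit("<", 1)[1].rstrip(">").lower()
            uids[email] = f[9]
    return primary, uids

def same_fpr(a, b):
    """Compare fingerprints ignoring spacing and case (paper slips vary)."""
    norm = lambda s: "".join((s or "").split()).upper()
    return norm(a) != "" and norm(a) == norm(b)

def issue_challenges(emails):
    """One unpredictable token per email address on the requested UIDs."""
    return {e: secrets.token_hex(16) for e in emails}

def uids_to_sign(paper_fpr, requested, listing, challenges, replies):
    """replies: {email: (returned token, primary fingerprint of the signer)}."""
    primary, uids = parse_listing(listing)
    if primary is None or not same_fpr(paper_fpr, primary):
        return []                    # received key is not the one on the slip
    for email in requested:
        token, signer = replies.get(email, (None, None))
        if (email not in uids or email not in challenges or token is None
                or not hmac.compare_digest(token, challenges[email])
                or not same_fpr(signer, primary)):
            return []                # one failed UID fails the whole key
    return [uids[e] for e in requested]
```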

Changelog

Version 2019.1, 2019-04-20
Issued new signing key 0xCE73F69A01041AE0 since expiration date on prior key was nearing.
Version 2017.1, 2017-04-03
All URLs for the gonz0.com.ar domain are now served over https. This revision changes every hyperlink in the document to reflect that.
Version 2015.2, 2015-11-17
Removed encryption key from the document. Won't be issuing new versions of this document for those types of keys, as they don't affect it.
Version 2015.1, 2015-06-05
New encryption key 0x7E9D5506 added.
Version 2013.1, 2013-12-22
New encryption key 0x62F7DCB9 added after expiration of 0xA1F017BE.
Version 2012.1, 2012-05-18
Policy not changed. Did change the versioning scheme. As I'll be updating this page at least yearly, it seems reasonable to use the year number as part of the version. Added encryption subkey 0xA1F017BE to replace 0xD8BF382F which is about to expire.
Version 2.2, 2011-05-29
Policy not changed. Added a new encryption subkey to supersede 0xE81301B0, which is about to expire. Fixed the URL to locate my key on biglumber.
Version 2.1, 2009-07-11
Revoked the signing subkey, which was superseded by 0x0A267238. This document will be signed by the primary key, to validate the switch.
Version 2.0, 2008-06-01
Big changes. Level 1 signatures are gone (I issued none anyways); the signing process for people I know long enough is now stated out loud; and the challenge/response part now explains that if one UID fails, the whole key fails.
Version 1.2, 2007-07-04
Fixed XHTML issues, and minor language mistakes.
Version 1.1, 2006-08-30
Corrected some typos.
Version 1.0, 2006-08-23
Initial release.

This policy can and should be checked against its detached signature, issued by the master key since the signing key is affected.

License

Copyright (c) 2006-2019 Gonzalo Bermúdez

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2.

Some ideas for this document were taken from the GnuPG Key Signing Policy of Marcus Frings.