v2019.1 - Apr 20, 2019
This policy is valid for all signatures made by the following GnuPG key:
pub   rsa4096/0x31E5FE63E2FC4825 2006-07-24 [SC] [expires: 2081-01-01]
      Key fingerprint = 607D 555B 2B11 B1B3 916A CBDE 31E5 FE63 E2FC 4825
uid                   [ultimate] Gonzalo Bermúdez
uid                   [ultimate] [jpeg image of size 1346]
uid                   [ultimate] Gonzalo Bermúdez
sub   rsa2048/0xFAD48D16B6984691 2017-02-11 [A] [expires: 2081-01-01]
sub   rsa2048/0x03621B410C71A6B4 2019-04-20 [E] [expires: 2020-06-01]
sub   rsa2048/0xCE73F69A01041AE0 2019-04-20 [S] [expires: 2029-06-01]
This key is not published on keyservers. The current version can be found here. The email address on this web page has been removed to prevent spamming. On the actual key, the address is present.
I live in Argentina's Federal District. Here, I'm available for key signing at any time. I'm also listed on biglumber, a site about key signing coordination.
The level I'll use to sign each UID depends on how confidently I can state that someone is who he or she claims to be.
To prove an identity, I request a meeting in person, which the signee must attend with an identity card featuring a photo ID; he or she must also provide a piece of paper with their key's fingerprint on it, and a list of all UIDs I'm requested to sign. I will accept handwritten information, although I won't sign a UID if I cannot understand it, nor will I sign any UID if the fingerprint is not clear enough.
During the meeting, I'll compare the picture on the identity card with the person's face, and take note of the name on it. I'll also keep the piece of paper with the keys' information to validate the keys I should sign.
These proceedings are not required for people I have known long enough to rule out identity forgery. In those cases, I'll require only that they hand me their fingerprints in person, to avoid man-in-the-middle attacks.
Of course, I need access to the public key I'm signing. If it's not available on keyservers, I expect to receive it somehow: be it a URL from which to grab it, or email, or any other means. From the time I receive the key onward, I'll send every email encrypted if the key has an encryption subkey.
Once the meeting is over, and I'm back at my place, I'll send random pieces of data to the email addresses listed on the UIDs I'm requested to sign. I expect to receive them back, signed by the key I'm signing.
Once the email challenge/response is successfully completed, I'll be sending an email with each signed UID signed by my key, according to my signature levels policy.
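The email challenge/response described above can be checked mechanically. The following is an added example, not part of the original policy or its author's tooling: it issues one random token per UID and accepts a reply only if it carries that UID's token and gpg reports a valid signature under the key whose fingerprint was handed over in person. It assumes the caller has already run gpg with --status-fd on the reply and passes in the status output and the signed plaintext; the function names, addresses and fingerprints are constructed for illustration.

```python
import secrets

# Constructed sample values, not taken from any real key.
PAPER_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2019-04-21 "
    "1555804800 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567\n"
)

def normalize_fpr(text):
    """Fingerprint as written on paper -> bare upper-case hex."""
    fpr = "".join(text.split()).upper()
    return fpr[2:] if fpr.startswith("0X") else fpr

def new_challenges(uids):
    """One independent random token per e-mail UID to be signed."""
    return {uid: secrets.token_hex(16) for uid in uids}

def validsig_primary(status_text):
    """Primary-key fingerprint from a VALIDSIG status line, else None."""
    for line in status_text.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) >= 3:
            # The 10th argument is the primary key's fingerprint; if it is
            # absent, fall back to the signing key's fingerprint.
            return (parts[11] if len(parts) >= 12 else parts[2]).upper()
    return None

def check_response(uid, challenges, signed_text, status_text, paper_fpr):
    """True only if the reply for this UID carries its own token and was
    signed under the key whose fingerprint was handed over in person."""
    token = challenges.get(uid)
    primary = validsig_primary(status_text)
    if token is None or primary is None:
        return False
    same_key = primary == normalize_fpr(paper_fpr)
    return same_key and token in signed_text.split()
```

Comparing against the primary-key fingerprint matters because a reply is normally signed by a signing subkey, whose own fingerprint will not match the one written on the paper.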
This policy can and should be checked against its detached signature, issued by the master key since the signing key is affected.
Copyright (c) 2006-2019 Gonzalo Bermúdez
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2.
Some ideas for this document were taken from the GnuPG Key Signing Policy of Marcus Frings.