------BEGIN PGP SIGNED MESSAGE-----
+This policy is valid for all signatures made by the following GnuPG keys:
Thejesh GN <email@example.com>
Fingerprint: C7D4 1911 9893 ADAF 27B0 FCAA BFFC 8DD3 C06D D6B0
-The following paragraphs describe the procedure, preconditions
-and possible results of me signing data or keys.
+I live in Bangalore, India. and I am open to sign keys at any time. The easiest way
+for verifying keys would be to meet me here in Bangalore. Another opportunity to get
+in personal contact would be to address me at certain computer related confs (FOSS.in, DroidCon etc). I am also listed at biglumber.com, a webpage about key signing coordination.
-Only some emails from my UID are signed. But if you really want
-to be sure that the mail/note is from me then it has to be signed by me.
+Prerequisites for signing:
+The signee (the key owner who wishes to obtain a signature to his/her key from me, the signer) must make his/her OpenPGP key available on a publicly accessible keyserver (like http://keyserver.ubuntu.com).
+The signee must prove his/her identity to me by way of a valid identity card or a valid driving licence. These documents must feature a photographic picture of the signee. No other kind of documents will be accepted. This also implies that the signee's key must feature his/her real name in order to be checked up on his/her identity card.
- For signing keys, I use the same key as for signing data. To ensure the
- validity of the web of trust, I stick strictly to the following points:
+The signee should have prepared a strip of paper with a printout of the output
- * In most cases, personal validation is required to obtain a signature from
- me. Personal validation means that a government issued document containing the
- full name and a photo must be presented to me at an eye-to-eye meeting.
- * Fingerprints and UIDs of the key(s) to be signed must be provided in a re-
- liable and readable way. During personal validation, a printed version of
- all UIDs and the key fingerprint should be provided.
- * In rare cases, I also sign keys without personal validation. This is only possible if
- I know you for a long time and I am really really sure that the key belongs to you.
- * In rare cases, names can be signed that cannot be verified with any document.
- This is the case for well-known nicknames in the FOSS community.
- * A sig3 is only issued to keys of people whom I ultimately trust on a human
- basis, this is limited to close friends and people that have proven reliabi-
- lity and knowledge of the web of trust in other areas (like, but not limited
- * In order to obtain a sig3, basic knowledge of these terms should be shown.
+ gpg --fingerprint 0x12345678
-This document is a draft and will be extended over time, without rendering the
-current content invalid.
+(or an equivalent command if the signee does not use GnuPG) where 0x12345678 is the key ID of the key which is to be signed.
-This notes itself was inspired by http://dominik-george.de/gpg-policy.txt.asc
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
+After having received (or exchanged) the proof detailed in the above I will sign the signee's piece of paper myself to avoid fraud.
------END PGP SIGNATURE-----
+At home I will sign the UIDs which I was asked to sign. Each signature will then be mailed separately to the corresponding mail address of the single UIDs.
+The following paragraphs describe the procedure, preconditions and possible results of me signing data or keys.
+This level will only be given to people I know long enough to be absolutely sure of their identity. Mostly friends, family and long term co-workers will receive this level of signature.
+I have met the signee, I have verified his/her identity card and fingerprint and I was able to send my signatures encrypted with the corresponding key of the signee.
+A level of 1 will never be used by me for it weakens the web of trust in my opinion. I have never signed keys without appropriate verification and I will never do so in the future.
+A level of 0 is given to keys of Certification Authorities since in most cases the key owner is a whole organization and not a single person. Usually the fingerprints of those keys have to be verified by getting them from the corresponding website of the CA and cannot be checked by exchange with a member of the CA who is in charge. These signatures are the weakest in my web of trust.
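Review bot: The removed `-----BEGIN PGP SIGNED MESSAGE-----`, `-----BEGIN PGP SIGNATURE-----` and `-----END PGP SIGNATURE-----` lines leave the new policy text without a clearsign wrapper, so a reader can no longer verify it against the fingerprint stated at the top. Re-sign the final text with that key (for example with `gpg --clearsign`) before publishing. In the added level descriptions, the paragraphs beginning "This level will only be given to people I know long enough" and "I have met the signee" do not say which certification level they describe, while levels 1 and 0 are named explicitly; put the level number in each. The added example `gpg --fingerprint 0x12345678` identifies the key by an 8-digit key ID, which is not unique, so consider stating that the printout must show the full fingerprint and that the full fingerprint is what gets compared. The added keyserver example uses a plain `http://` URL, which is worth noting next to the requirement that the key be fetched from there. The added line "I live in Bangalore, India. and I am open to sign keys" has a stray full stop after "India".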