Thejesh GN committed acf5632

updated gpg-policy

Files changed (2)

 from fabric.contrib.files import sed
 from fabric.operations import prompt
 
-env.user = 'thej'
-
 def publish(file):
     local('s3cmd put --acl-public '+file+' s3://text.thejeshgn.com/'+file)
     print(green("Published! - check http://text.thejeshgn.com/"+file))
 
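Review bot: The removal of `env.user = 'thej'` at the top of this file is unrelated to the commit message ("updated gpg-policy") and should go in its own commit with a line explaining why. `publish` only calls `local(...)`, so it is unaffected, but the `sed` import from `fabric.contrib.files` suggests this file also has tasks that run on a remote host, and those will now fall back to Fabric's default of the local username. If that is intended, say so in the message; otherwise keep the setting or pass the user with `-u` when invoking the task.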
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
-
+This policy is valid for all signatures made by the following GnuPG keys:
+=========================================================================
 Thejesh GN <i@thejeshgn.com>
 Fingerprint: C7D4 1911 9893 ADAF 27B0 FCAA BFFC 8DD3 C06D D6B0
 
-GnuPG Signature Policy
-======================
-The following paragraphs describe the procedure, preconditions 
-and possible results of me signing data or keys.
 
- Data or Email Signing
- ============
+Location:
+=========
+I live in Bangalore, India. and I am open to sign keys at any time. The easiest way 
+for verifying keys would be to meet me here in Bangalore. Another opportunity to get 
+in personal contact would be to address me at certain computer related confs (FOSS.in, DroidCon etc). I am also listed at biglumber.com, a webpage about key signing coordination.
 
-Only some emails from my UID are signed. But if you really want
-to be sure that the mail/note is from me then it has to be signed by me.
+Prerequisites for signing:
+==========================
+The signee (the key owner who wishes to obtain a signature to his/her key from me, the signer) must make his/her OpenPGP key available on a publicly accessible keyserver (like http://keyserver.ubuntu.com).
 
- Key Signing
- ===========
+The signee must prove his/her identity to me by way of a valid identity card or a valid driving licence. These documents must feature a photographic picture of the signee. No other kind of documents will be accepted. This also implies that the signee's key must feature his/her real name in order to be checked up on his/her identity card. 
 
- For signing keys, I use the same key as for signing data. To ensure the
- validity of the web of trust, I stick strictly to the following points:
+The signee should have prepared a strip of paper with a printout of the output
 
-   * In most cases, personal validation is required to obtain a signature from
-     me. Personal validation means that a government issued document containing the
-     full name and a photo must be presented to me at an eye-to-eye meeting.
-   * Fingerprints and UIDs of the key(s) to be signed must be provided in a re-
-     liable and readable way. During personal validation, a printed version of
-     all UIDs and the key fingerprint should be provided.
-   * In rare cases, I also sign keys without personal validation. This is only possible if 
-     I know you for a long time and I am really really sure that the key belongs to you.
-   * In rare cases, names can be signed that cannot be verified with any document.
-     This is the case for well-known nicknames in the FOSS community.
-   * A sig3 is only issued to keys of people whom I ultimately trust on a human
-     basis, this is limited to close friends and people that have proven reliabi-
-     lity and knowledge of the web of trust in other areas (like, but not limited
-     to, CAcert, etc.).
-   * In order to obtain a sig3, basic knowledge of these terms should be shown.
+  gpg --fingerprint 0x12345678
 
 
-This document is a draft and will be extended over time, without rendering the
-current content invalid.
+(or an equivalent command if the signee does not use GnuPG) where 0x12345678 is the key ID of the key which is to be signed.
 
-This notes itself was inspired by http://dominik-george.de/gpg-policy.txt.asc
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
+The act of signing:
+===================
+After having received (or exchanged) the proof detailed in the above I will sign the signee's piece of paper myself to avoid fraud.
 
-iQIcBAEBAgAGBQJQA/bzAAoJEL/8jdPAbdawQJoQAKWrhvD662k2hrLUy+RYnhVL
-+V9A/cERYe9WxlLaGgjGmMF1u56RsSG+FBKvStE9T1llTLolzhP0ISk/f6Gl08uq
-mF/u7od2dmTtkV3odgMDzCFQMUrlaMpvJDbN6j6s+oz7Jy6azgxR3MpARMXEwJj/
-ZWkovkgnPsY3AR02UUXo5ZqAr74N6vFjmasCH05dgmUJ4rKLamJx8uTXLLqh1XFz
-YVft8AIlWBcBuSDeWO452Y3v2CoRAHaBeh7Cd2Dtb166YvS96eL4meja43eubNr4
-lwLggzlvIRc+DVrSsvelpnY/e8s4mEISh7UtPgFt5ESIaKZyrqh/KsGsXcJnTVgT
-4TwXLGWgV+Sf9EgDsIxcbvMQFiNrUA8tm/fn+JTUuS1IUnzhyjE528W00s5rqoMs
-utB6VM/d3Hcr/eTiISh0ufemBAPxIi4RhDQ/tlP/r4kcDojm8PzA97zL54yYxmhQ
-0M0EA+nOcgCyboHRBc4qtLsPK1b/t1LPv3D3WJoGaSTbjKqImd8JgdG3eYexe5mf
-msIq65eIY2LIfQzOdPsTvdx1Xi65+MuiFKB86UASg5EY+s9A3o+yNxk3Z6PN/T4+
-oDgr39CbmoFrp8irZPqClybhQkCtNQ8W8sU63qyV6iNMLFlvY/8InH9BuN9xEoFs
-8q2A9ctHjl6Ca95Of7cc
-=BZJK
------END PGP SIGNATURE-----
+At home I will sign the UIDs which I was asked to sign. Each signature will then be mailed separately to the corresponding mail address of the single UIDs.
 
+The following paragraphs describe the procedure, preconditions and possible results of me signing data or keys.
+
+Key Signing
+===========
+
+Level 3
+This level will only be given to people I know long enough to be absolutely sure of their identity. Mostly friends, family and long term co-workers will receive this level of signature.
+
+Level 2
+I have met the signee, I have verified his/her identity card and fingerprint and I was able to send my signatures encrypted with the corresponding key of the signee. 
+
+Level 1
+A level of 1 will never be used by me for it weakens the web of trust in my opinion. I have never signed keys without appropriate verification and I will never do so in the future.
+
+Level 0
+A level of 0 is given to keys of Certification Authorities since in most cases the key owner is a whole organization and not a single person. Usually the fingerprints of those keys have to be verified by getting them from the corresponding website of the CA and cannot be checked by exchange with a member of the CA who is in charge. These signatures are the weakest in my web of trust.
+
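Review bot: The new text drops the `-----BEGIN PGP SIGNED MESSAGE-----` header and the whole signature block without replacing them, so the document that defines what signatures from key C7D4 1911 9893 ADAF 27B0 FCAA BFFC 8DD3 C06D D6B0 mean can no longer be verified against that key. Clearsign the updated policy again before publishing it, and since the removed wrapper declared `Hash: SHA1`, pick a stronger digest when re-signing. Two smaller points: the example `gpg --fingerprint 0x12345678` uses an 8-hex-digit key ID, which is short enough to collide, so the text should ask for the full fingerprint on the paper strip; and the sentence "The following paragraphs describe the procedure, preconditions and possible results of me signing data or keys." now sits after the procedure it introduces and still mentions data signing although the "Data or Email Signing" section was removed.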