Thejesh GN committed acf5632

updated gpg-policy

  • Parent commits 21396f9


Files changed (2)

 from fabric.contrib.files import sed
 from fabric.operations import prompt
-env.user = 'thej'
 def publish(file):
     local('s3cmd put --acl-public '+file+' s3://'+file)
     print(green("Published! - check"+file))
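Review bot: `local('s3cmd put --acl-public '+file+' s3://'+file)` builds a shell command by string concatenation, so a `file` value containing spaces or shell metacharacters either breaks the command or is interpreted by the shell; quote it (`pipes.quote(file)` on Python 2, `shlex.quote(file)` on Python 3) or validate it against an allowed pattern before use. `--acl-public` also makes every published object world-readable, which is fine for a public site but deserves a comment so the task is not reused for private data. Dropping `env.user = 'thej'` means Fabric falls back to the local account name for any remote task; harmless if the remaining tasks only call `local()`, otherwise pass `-u` or set it in `~/.fabricrc`. The visible imports are `sed` and `prompt` while `local` and `green` are used; confirm `fabric.api.local` and `fabric.colors.green` are imported above this hunk.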
-Hash: SHA1
+This policy is valid for all signatures made by the following GnuPG keys:
 Thejesh GN <>
 Fingerprint: C7D4 1911 9893 ADAF 27B0 FCAA BFFC 8DD3 C06D D6B0
-GnuPG Signature Policy
-The following paragraphs describe the procedure, preconditions 
-and possible results of me signing data or keys.
- Data or Email Signing
- ============
+I live in Bangalore, India. and I am open to sign keys at any time. The easiest way 
+for verifying keys would be to meet me here in Bangalore. Another opportunity to get 
+in personal contact would be to address me at certain computer related confs (, DroidCon etc). I am also listed at, a webpage about key signing coordination.
-Only some emails from my UID are signed. But if you really want
-to be sure that the mail/note is from me then it has to be signed by me.
+Prerequisites for signing:
+The signee (the key owner who wishes to obtain a signature to his/her key from me, the signer) must make his/her OpenPGP key available on a publicly accessible keyserver (like
- Key Signing
- ===========
+The signee must prove his/her identity to me by way of a valid identity card or a valid driving licence. These documents must feature a photographic picture of the signee. No other kind of documents will be accepted. This also implies that the signee's key must feature his/her real name in order to be checked up on his/her identity card. 
- For signing keys, I use the same key as for signing data. To ensure the
- validity of the web of trust, I stick strictly to the following points:
+The signee should have prepared a strip of paper with a printout of the output
-   * In most cases, personal validation is required to obtain a signature from
-     me. Personal validation means that a government issued document containing the
-     full name and a photo must be presented to me at an eye-to-eye meeting.
-   * Fingerprints and UIDs of the key(s) to be signed must be provided in a re-
-     liable and readable way. During personal validation, a printed version of
-     all UIDs and the key fingerprint should be provided.
-   * In rare cases, I also sign keys without personal validation. This is only possible if 
-     I know you for a long time and I am really really sure that the key belongs to you.
-   * In rare cases, names can be signed that cannot be verified with any document.
-     This is the case for well-known nicknames in the FOSS community.
-   * A sig3 is only issued to keys of people whom I ultimately trust on a human
-     basis, this is limited to close friends and people that have proven reliabi-
-     lity and knowledge of the web of trust in other areas (like, but not limited
-     to, CAcert, etc.).
-   * In order to obtain a sig3, basic knowledge of these terms should be shown.
+  gpg --fingerprint 0x12345678
-This document is a draft and will be extended over time, without rendering the
-current content invalid.
+(or an equivalent command if the signee does not use GnuPG) where 0x12345678 is the key ID of the key which is to be signed.
-This notes itself was inspired by
-Version: GnuPG v1.4.11 (GNU/Linux)
+The act of signing:
+After having received (or exchanged) the proof detailed in the above I will sign the signee's piece of paper myself to avoid fraud.
+At home I will sign the UIDs which I was asked to sign. Each signature will then be mailed separately to the corresponding mail address of the single UIDs.
+The following paragraphs describe the procedure, preconditions and possible results of me signing data or keys.
+Key Signing
+Level 3
+This level will only be given to people I know long enough to be absolutely sure of their identity. Mostly friends, family and long term co-workers will receive this level of signature.
+Level 2
+I have met the signee, I have verified his/her identity card and fingerprint and I was able to send my signatures encrypted with the corresponding key of the signee. 
+Level 1
+A level of 1 will never be used by me for it weakens the web of trust in my opinion. I have never signed keys without appropriate verification and I will never do so in the future.
+Level 0
+A level of 0 is given to keys of Certification Authorities since in most cases the key owner is a whole organization and not a single person. Usually the fingerprints of those keys have to be verified by getting them from the corresponding website of the CA and cannot be checked by exchange with a member of the CA who is in charge. These signatures are the weakest in my web of trust.
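Review bot: the removed `-Hash: SHA1` and `-Version: GnuPG v1.4.11 (GNU/Linux)` lines were the armor of a clearsigned message, so the rewritten policy is no longer signed by the key it describes; clearsign the new text (`gpg --clearsign`, or publish a detached `gpg --armor --detach-sign` signature) so readers can verify it against the fingerprint given at the top. The example `gpg --fingerprint 0x12345678` uses a 32-bit key ID, which is cheap to collide; the text should ask signees to bring the full 40-hex-digit fingerprint output rather than a short ID. Several added lines are cut off and read as unfinished: `Thejesh GN <>` has an empty email address, `(, DroidCon etc)` and `I am also listed at, a webpage` are missing their names and links, and `publicly accessible keyserver (like` ends mid-sentence. Finally, `+The following paragraphs describe the procedure, preconditions and possible results...` is inserted after "The act of signing" but introduces the material before it; move it to the top of the policy.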