-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This policy is digitally signed by my key 5F993CAE starting from this line. Only when it verifies successfully is the text (very likely to be) identical to the version I composed.


OpenPGP - Policy

This policy is valid for signatures created after 2006-07-22. (Look at "Change Log" for policies for signatures created before this date.)

Digital e-mail/file signatures:

I sign (almost) all e-mail I send digitally. So any e-mail that seems to originate from me but is not signed with my digital key can be considered forged in the first instance.

My current key for signatures and encryption of e-mail and files is:


pub   rsa4096 2018-05-16
      AC91 7B95 D100 6A22 1BED  3C2E 0614 7FE5 5F99 3CAE
uid                      Peter L. Smilde <smilde(a)terrasysgeo.com>
uid                      Peter L. Smilde <peter.smilde(a)smilde-becker.net>
uid                      Peter L. Smilde <smilde(a)terrasysgeo.de>

My previous key, which was revoked 2018-06-19, used for signing, was:


pub   dsa1024 2002-10-23 [SC] [revoked: 2018-06-19]
      4B63 016E DC04 56AE 7C86  7DA3 142B 50CE B0E4 BF99
uid                      Peter L. Smilde <smilde(a)terrasys.de>
uid                      Peter L. Smilde <peter.smilde(a)smilde-becker.net>
uid                      Peter L. Smilde <smilde(a)terrasysgeo.com>

The file which is linked to http://www.smilde-becker.net/pls/OpenPGP/5F993CAE-policy.txt is identical to this policy file, as are any http://www.smilde-becker.net/pls/OpenPGP/XXXXXXXX-policy.txt files, where XXXXXXXX is the short KeyID of signing subkeys of this key.

Keysigning signatures:

I sign keys of people I know personally within a social context, after a possibly arbitrarily reduced keysigning procedure (see below), with signature class 3.

I sign keys of other people after the complete keysigning procedure (see below) with signature class 2.

I sign keys of organizations (e.g. Certification Authorities, CAs) after a possibly arbitrarily reduced keysigning procedure with signature class 0, when I have checked that the organization (1) handles the key "carefully", (2) has an OpenPGP policy similar to mine, (3) is publicly known under the name listed in the UID, (4) has published the key (fingerprint) officially, (5) has used the key on my request, and that (6) the fingerprint of this used key matches the fingerprint of the published key.

I never sign with signature class 1.

My current key for key signatures is:


pub   1024D/FC796E69 2003-05-12
      Key fingerprint = 1AC3 4A8B 5655 22AE 7E5C  1021 A17A E4D9 FC79 6E69
uid                  Peter L. Smilde (signature only) <peter.smilde_at_smilde-becker.net>

The file which is linked to http://www.smilde-becker.net/pls/OpenPGP/FC796E69-policy.txt is identical to this policy file.

Keysigning procedure:

  1. Exchange fingerprints of the keys to be signed.
  2. Check fingerprints, UIDs, identity card/passport.
  3. Exchange "challenges" (random text) on a slip of paper.
  4. Send these "challenges" signed (with all keys to be signed) and encrypted (obligatory if more than one key has to be signed, optional otherwise) back by e-mail.
  5. Exchange encrypted new "challenges" (random text) by e-mail, once for every key to be signed and once for every e-mail address in the UIDs.
  6. Send these "challenges" signed (with all keys to be signed) and encrypted (optionally) back by e-mail.
  7. When everything is checked successfully, send the signed key to its owner by e-mail.

Steps 4/5 can be combined by one of the participants and steps 5/6 by the other one.


Peter L. Smilde

2019-08-10


Change log:

2019-08-10

No changes in the procedure itself. Activated new key 5F993CAE and revoked key B0E4BF99.

2009-03-07

No changes in the procedure itself, just changed XHTML tags for PGP attachments.

2008-02-29

No changes in the procedure itself, just added a UID to key 5F993CAE.

2006-10-24

No changes in the procedure itself, just changed formatting and added XHTML tags.

2006-07-31

Added that the encryption of the returned "challenges" can be obligatory (step 4) or optional (step 4 and 6).

I have made no public signatures before, with a procedure that was conflicting with this version of the policy.

2006-07-22

No changes in the procedure itself, only textual improvements:

I have made no public signatures before, with a procedure that was conflicting with this version of the policy.

2005-06-30

(still available)

Initial version.

I have made no public signatures before, with a procedure that was conflicting with this version of the policy.


This policy is digitally signed by my key 5F993CAE up to this line.

-----BEGIN PGP SIGNATURE-----
=DTXI
-----END PGP SIGNATURE-----