Public Keys

My key for e-mail/data signing and encryption

My key for keysigning

External public keyservers

If you want to find the public keys of other people or publish your own public key, you can use e.g. one of these public keyserver addresses:

(Above statistics and trustpath calculations by Henk Penning.)

Policy

My (key)signing policy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This policy is digitally signed by my key B0E4BF99 starting from this line. Only when it verifies successfully the text is (very likely to be) identical to the version I composed.


OpenPGP - Policy

This policy is valid for signatures created after 2006-07-22. (Look at "Change Log" for policies for signatures created before this date.)

Digital e-mail/file signatures:

I sign (almost) all e-mail I send digitally. So any e-mail that seems to originate from me but is not signed with my digital key can be considered forged in the first instance.

My current key for signatures and encryption of e-mail and files is:


pub   1024D/B0E4BF99 2002-10-23
uid                  Peter L. Smilde <smilde_at_terrasys.de>
uid                  Peter L. Smilde <peter.smilde_at_smilde-becker.net>
uid                  Peter L. Smilde <smilde_at_terrasysgeo.com>

The file linked at http://www.smilde-becker.net/pls/OpenPGP/B0E4BF99-policy.txt is identical to this policy file, as are all http://www.smilde-becker.net/pls/OpenPGP/XXXXXXXX-policy.txt files, where XXXXXXXX is the short KeyID of a signing subkey of this key.

Keysigning signatures:

I sign keys of people I know personally within a social context, after a possibly arbitrarily reduced keysigning procedure (see below), with signature class 3.

I sign keys of other people after the complete keysigning procedure (see below) with signature class 2.

I sign keys of organizations (e.g. Certification Authorities, CAs) after a possibly arbitrarily reduced keysigning procedure with signature class 0, when I have checked that the organization (1) handles the key "carefully", (2) has an OpenPGP policy similar to mine, (3) is publicly known under the name listed in the UID, (4) has published the key (fingerprint) officially, (5) has used the key on my request, and that (6) the fingerprint of this used key matches the fingerprint of the published key.

I never sign with signature class 1.
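The signature classes above are the OpenPGP certification classes 0x10 to 0x13, which GnuPG shows in the eleventh field of a "sig" record of `gpg --with-colons --list-sigs` (two hex digits followed by "x" for exportable or "l" for local). The following added example, which is not part of this policy, parses a constructed listing of that form and checks the certifications made by the key FC796E69 against the classes this policy allows; the other key IDs and UIDs in the sample are made up.

```python
# Constructed sample of `gpg --with-colons --list-sigs` output; key IDs other than
# A17AE4D9FC796E69 (the keysigning key of this policy) and all UIDs are invented.
SAMPLE_LISTING = """\
pub:u:1024:17:0123456789ABCDEF:1035331200:::u:::scESC::::::::
uid:u::::1035331200::1234ABCD::Alice Example <alice@example.org>::::::::::0:
sig:::17:0123456789ABCDEF:1035331200::::[self-signature]:13x::::::::::
sig:::17:A17AE4D9FC796E69:1153000000::::Peter L. Smilde (signature only) <peter.smilde_at_smilde-becker.net>:12x::::::::::
uid:u::::1035331200::5678EFAB::Alice Example <alice@example.net>::::::::::0:
sig:::17:A17AE4D9FC796E69:1153100000::::Peter L. Smilde (signature only) <peter.smilde_at_smilde-becker.net>:13x::::::::::
sig:::17:FEDCBA9876543210:1153200000::::Bob Example <bob@example.org>:11x::::::::::
"""

# How this policy uses each certification class (class 1 is never used).
CERT_LEVEL_MEANING = {
    0: "organization, possibly reduced procedure",
    1: "never used by this policy",
    2: "complete keysigning procedure",
    3: "personally known, possibly reduced procedure",
}


def parse_certifications(listing, signer_keyid):
    """Return [(uid, class, exportable)] for certifications made by signer_keyid.

    signer_keyid may be the short (8 hex digit) or long (16 hex digit) key ID.
    """
    certs, uid = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "uid":
            uid = f[9]                       # field 10: the user ID text
        elif f[0] == "sig" and uid is not None and f[4].endswith(signer_keyid.upper()):
            sigclass = int(f[10][:2], 16)    # field 11: e.g. "13x" -> 0x13
            if 0x10 <= sigclass <= 0x13:     # a certification, not a binding or revocation
                certs.append((uid, sigclass - 0x10, f[10].endswith("x")))
    return certs


def policy_violations(certs):
    """Certifications that contradict this policy: class 1 is never issued."""
    return [c for c in certs if c[1] == 1]
```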

My current key for key signatures is:


pub   1024D/FC796E69 2003-05-12
      Key fingerprint = 1AC3 4A8B 5655 22AE 7E5C  1021 A17A E4D9 FC79 6E69
uid                  Peter L. Smilde (signature only) <peter.smilde_at_smilde-becker.net>

The file linked at http://www.smilde-becker.net/pls/OpenPGP/FC796E69-policy.txt is identical to this policy file.

Keysigning procedure:

  1. Exchange fingerprints of the keys to be signed.
  2. Check fingerprints, UIDs, identity card/passport.
  3. Exchange "challenges" (random text) on a slip of paper.
  4. Send these "challenges" signed (with all keys to be signed) and encrypted (obligatory if more than one key has to be signed, optionally otherwise) back by e-mail.
  5. Exchange encrypted new "challenges" (random text) by e-mail, once for every key to be signed and once for every e-mail address in the UIDs.
  6. Send these "challenges" signed (with all keys to be signed) and encrypted (optionally) back by e-mail.
  7. When everything is checked successfully, send the signed key to its owner by e-mail.

Steps 4/5 can be combined by one of the participants and steps 5/6 by the other one.
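Steps 5 and 6 amount to a bookkeeping problem for the signer: one challenge per key and one per e-mail address goes out encrypted, and a key is only signed once every challenge has come back signed with all keys to be signed. The following added example (not part of this policy) models that bookkeeping; the key IDs and addresses are made up, and the actual decryption and signature verification are assumed to have been done by gpg beforehand, so the reply is represented by the challenge text and the list of key IDs gpg reported as signers.

```python
import secrets


class KeysigningSession:
    """Tracks the e-mail challenge rounds (steps 5 and 6) for one signee."""

    def __init__(self, keyids, emails):
        self.keyids = set(keyids)     # every key the signee wants signed
        self.emails = set(emails)     # e-mail addresses taken from the checked UIDs
        self.challenges = {}          # challenge text -> ("key", keyid) or ("mail", address)
        self.returned = set()         # targets whose challenge came back correctly

    def issue_challenges(self):
        # Step 5: one random challenge per key (to be sent encrypted to that key)
        # and one per e-mail address (to be sent encrypted to that mailbox).
        for keyid in sorted(self.keyids):
            self.challenges[secrets.token_hex(16)] = ("key", keyid)
        for address in sorted(self.emails):
            self.challenges[secrets.token_hex(16)] = ("mail", address)
        return dict(self.challenges)

    def accept_reply(self, text, signing_keyids):
        # Step 6: the reply must quote the exact challenge and be signed with ALL
        # keys to be signed; signing_keyids is what gpg --verify reported (assumed).
        target = self.challenges.get(text)
        if target is None or not self.keyids <= set(signing_keyids):
            return False
        self.returned.add(target)
        return True

    def signable(self):
        # Step 7 precondition: every key and every e-mail address has answered.
        return bool(self.challenges) and set(self.challenges.values()) <= self.returned
```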


Peter L. Smilde

2008-02-29


Change log:

2009-03-07

No changes in the procedure itself, just changed XHTML tags for PGP attachments.

2008-02-29

No changes in the procedure itself, just added a UID to key B0E4BF99.

2006-10-24

No changes in the procedure itself, just changed formatting and added XHTML tags.

2006-07-31

Added that the encryption of the returned "challenges" can be obligatory (step 4) or optional (steps 4 and 6).

I have made no earlier public signatures with a procedure that conflicts with this version of the policy.

2006-07-22

No changes in the procedure itself, only textual improvements:

I have made no earlier public signatures with a procedure that conflicts with this version of the policy.

2005-06-30

(still available)

Initial version.

I have made no earlier public signatures with a procedure that conflicts with this version of the policy.


This policy is digitally signed by my key B0E4BF99 up to this line.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQENBAEBAgB3BQJJskbdPRpodHRwOi8vd3d3LnNtaWxkZS1iZWNrZXIubmV0L3Bs
cy9PcGVuUEdQL0E3MjVCMDEyLXBvbGljeS50eHQyGGh0dHA6Ly93d3cuc21pbGRl
LWJlY2tlci5uZXQvcGxzL09wZW5QR1AvQTcyNUIwMTIACgkQ4CNGEKclsBIEngP/
Uh/FXvmAYKQBkK8F0SNhdAud/sqk3OWfaNhRmCi4wO3yNBTKNKHBm4DxeOQDgkjg
UMBSaInOL7F+H2i43cmqDn9c8vRP0kEyec9N2F8DfhYQAvWb3WEEfiHy1SBU/ecZ
vH3RVHnCktBH+yQI/5P+KSuBKx+pzGUYfAXW5RQCNf0=
=ntZJ
-----END PGP SIGNATURE-----

Policy verification procedure

for the suspicious ones

You can verify the integrity and the authorship of this policy text by the following procedure:

Remark about keysigning

Remark about keysigning and the Web of Trust

If

then you might rely on the Web of Trust (i.e. the key signatures of people you trust) to be confident that this key really belongs to "Alice".

But be aware: There might be more than one "Alice" (there is actually more than one "Peter L. Smilde")!

So, even if many persons you trust have signed a key of some "Alice" after careful checking, the signed key might belong to a different physical "Alice" than the one you intended to communicate with.

You should check if the signed key belongs to the correct Alice by:

The best solution is, of course, to carry out a personal keysigning procedure.