Fabrizio Tarizzo OpenPGP Key Certification Policy

Issued: July 28, 2008

Preamble

This policy is valid from Aug 1, 2008 for all key certifications made by the following OpenPGP key:

pub   4096R/E90C6E2B 2008-07-19
      Key fingerprint = 478F A2A0 1D61 3A7F 4835  AD6E 8FA2 40F6 E90C 6E2B
uid                  Fabrizio Tarizzo <fabrizio(%)fabriziotarizzo.org>
uid                  Fabrizio Tarizzo <fabrizio(%)linux.it>
uid                  Fabrizio Tarizzo <fabrizio-ml(%)fabriziotarizzo.org>

This policy conforms to generally accepted principles and practices of the OpenPGP users community.

Location

I live near Asti and I work in Torino (Italy). I am willing to certify keys at any time. The easiest way to have a key verified is to meet me here in Asti or Torino. Another opportunity to get in personal contact is to approach me at certain computer-related events in Italy (my presence at these events is usually announced on my personal website). I am also listed at biglumber.com, a web site for coordinating key certification.

Prerequisites for certification

The applicant (the key holder who wishes to obtain a key certification from me) must make his/her OpenPGP public key available on a publicly accessible keyserver. My default keyserver is keyserver.linux.it.

The applicant should have prepared a strip of paper with a printout of the output of

gpg --fingerprint KEY-ID

(or the equivalent command if not using GnuPG), where KEY-ID is the key ID of the key that is to be certified. A hand-written sheet featuring the fingerprint and all user IDs the applicant wants me to certify will also be accepted, if clearly readable.

By requesting the key certification, the applicant declares to know and approve this policy and generally accepted principles and practices of the OpenPGP users community and obliges himself/herself to take all reasonable precautions to prevent loss, disclosure or unauthorized use of his/her secret key(s) and to immediately revoke his/her public key in any case of loss or compromise of the secret key.

The entire process of identity verification and certificate issuing is run on a voluntary, free-of-charge and best-effort basis. Although I take all reasonable measures to verify the applicant's identity and to prevent compromise or misuse of my secret certification keys, I cannot give any legal warranty or guarantee.

The OpenPGP Web of Trust follows the principle of reciprocity, so the applicant should be willing to cross-certify with me.

Identity verification

I never certify someone’s key without having met him or her in person.

The applicant must prove his/her identity to me by way of a national ID card, a driver's licence, a passport or a similar document. The document must feature a photograph of the applicant.

The act of certification

At home, I will:

  1. import the applicant's key from a publicly accessible keyserver;
  2. check that the key fingerprint matches the one I received from the applicant;
  3. write and sign a short note about where and when I met the applicant and how I verified his/her identity, and publish it on my personal website (a link to the signed note and to this document will be attached as a cert-notation to the certification);
  4. certify the key using the caff utility. caff certifies each user ID separately and sends the certified key in an encrypted e-mail to each of them. Certificates will not be sent to keyservers; it is the applicant's responsibility to update his/her key on public keyservers.
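The fingerprint check of steps 1 and 2, together with the level choice described in the next section, as an added example that is not part of this policy: the Python below parses `gpg --with-colons --fingerprint KEY-ID` output instead of calling gpg, so it runs offline; the listing is constructed for the key in the preamble, and its subkey ID and uid hashes are placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `gpg --with-colons --fingerprint KEY-ID` output for the
# key in the preamble; the subkey ID and the uid hashes are placeholders.
SAMPLE_LISTING = """\
pub:-:4096:1:8FA240F6E90C6E2B:1216425600:::-:::scESC::::::23::0:
fpr:::::::::478FA2A01D613A7F4835AD6E8FA240F6E90C6E2B:
uid:-::::1216425600::PLACEHOLDERHASH1::Fabrizio Tarizzo <fabrizio@fabriziotarizzo.org>::::::::::0:
uid:-::::1216425600::PLACEHOLDERHASH2::Fabrizio Tarizzo <fabrizio@linux.it>::::::::::0:
sub:-:4096:1:0000000000000000:1216425600::::::e::::::23:
"""

@dataclass
class KeyInfo:
    fingerprint: str = ""
    uids: list = field(default_factory=list)
    capabilities: str = ""  # usage letters from pub/sub records: e=encrypt, s=sign, c=certify

def parse_listing(text):
    """Pull the primary fingerprint, the user IDs and the combined key usage out of colon output."""
    info = KeyInfo()
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "fpr" and not info.fingerprint:
            info.fingerprint = f[9]  # the first fpr record belongs to the primary key
        elif f[0] == "uid":
            info.uids.append(f[9])
        elif f[0] in ("pub", "sub"):
            info.capabilities += f[11].lower()  # e.g. "scESC" on pub, "e" on an encryption subkey
    return info

def normalize_fpr(s):
    """Canonical form of a fingerprint copied from the paper strip: hex digits only, upper case."""
    return re.sub(r"[^0-9A-Fa-f]", "", s).upper()

def check_applicant(listing, paper_fingerprint):
    """Steps 1-2: the keyserver copy must carry the fingerprint handed over in person.
    Returns (fingerprint_ok, proposed_level, uids); a level of None means do not certify."""
    info = parse_listing(listing)
    if normalize_fpr(info.fingerprint) != normalize_fpr(paper_fingerprint):
        return False, None, info.uids
    # Level 3 needs an encryption-capable key so the caff challenge mail can be deciphered;
    # a signing-only key can reach level 2 at most (see the certification levels below).
    level = 3 if "e" in info.capabilities else 2
    return True, level, info.uids
```

Calling `check_applicant(SAMPLE_LISTING, "478F A2A0 1D61 3A7F 4835  AD6E 8FA2 40F6 E90C 6E2B")` returns a match with proposed level 3 and the two user IDs to certify.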

Certification levels

I certify keys using these certification levels:

Level 3 (key ownership has been carefully verified)
Used for sign-and-encrypt keys which pass all the checks: I have met the applicant in person, I have verified his/her identity document and fingerprint, and the applicant has received and deciphered the challenge/response test and sent the certified key to public keyservers. These certifications are the strongest in the Web of Trust.
Level 2 (key ownership has been casually verified)
Used when the applicant has only signing keys and no encryption keys, so that the challenge/response test with caff was not possible. I reserve the right to use this certification level also when I am not familiar with the kind of document presented (e.g. foreign driver's licences, passports from exotic countries or documents with a very old photo).
Level 0 (Undefined)
Used to certify keys belonging not to persons but to groups or organisations.

Related documents

Links

Signature of this document

Credits

Content and structure of this document are strongly based on the OpenPGP Key Signing Policy of Marc Mutz and Jörgen Cederlöf.