Issued: July 28, 2008
This document establishes the usage and security policy for the following OpenPGP key:
pub 4096R/E90C6E2B 2008-07-19 Key fingerprint = 478F A2A0 1D61 3A7F 4835 AD6E 8FA2 40F6 E90C 6E2B uid Fabrizio Tarizzo <fabrizio(%)fabriziotarizzo.org> uid Fabrizio Tarizzo <fabrizio(%)linux.it> uid Fabrizio Tarizzo <fabrizio-ml(%)fabriziotarizzo.org> sub 2048R/FF2509AC 2008-07-19 [expires: 2009-07-19] sub 2048g/DC9EBD07 2008-07-19 [expires: 2009-07-19]
This policy is valid from 2008-08-01 and conforms to generally accepted security principles and practices of the OpenPGP users community.
The key certifications and electronic signatures created using the OpenPGP key listed above are not non-repudiable legally-binding qualified signatures, at least according to the Italian Law.
The master key is an high-security sign-and-certify 4096 bits RSA key, generated on 2008-07-19 on a clean Ubuntu GNU/Linux system using gnupg 1.4.6.
The secret part of the master key is stored on an encrypted removable media. A backup copy is stored, encrypted, on a WORM media. The main copy and the backup copy are kept in two different secure places. Both copies are protected with a strong passphrase. It is only used on a desktop computer with no remote network access and limited physical access.
The master key has no expiration and is only used for:
The master key is, of course, immediately revoked in case of loss, theft or suspected compromise of the secret key.
Two or more subkeys (at least one signing key and one encryption key) are bound to the master key. These subkeys are used for signature and encryption operations in everyday communications.
Subkeys are long not less than 2048 bits and have an expiration period of one year, renewed every year if the secrecy and integrity of the subkey are not suspected to be compromised.
Subkeys are, of course, immediately revoked in case of loss, theft or suspected compromise of the secret key.
The key is currently bound to these three User IDs:
no-honor-keyserver-urlGnuPG option (or equivalent option in other OpenPGP software), please make sure to use an up-to-date keyserver. Many keyservers are still using very old and buggy releases of PKS software and does not correctly handle keys with multiple subkeys. The keyservers that can handle multiple subkeys are summarized as subkeys.pgp.net. Consider to set subkeys.pgp.net as your default keyserver and to add the
repair-pks-subkey-bugoption to your GnuPG configuration.
Encryption: AES256, AES192, AES, TWOFISH, CAST5, 3DES.
Digest: SHA256, SHA384, SHA512, RIPEMD160, SHA1.
Compression: BZIP2, ZLIB, ZIP, Uncompressed.