OpenPGP Signing Policy of Fabrizio Tarizzo ver. 0.1
This policy is valid from March 16, 2006 for all signatures made by the following GnuPG key:
pub 1024D/F1E8E6E4 2003-03-21 Key fingerprint = 67FE D145 9428 0231 47A0 23F7 3235 7A45 F1E8 E6E4 uid Fabrizio Tarizzo <fabrizio!fabriziotarizzo.org> uid Fabrizio Tarizzo <fabrizio-ml!fabriziotarizzo.org> uid Fabrizio Tarizzo <fabryt!yahoo.it> uid Fabrizio Tarizzo (Jabber account) <bluviolin!jabber.linux.it> uid Fabrizio Tarizzo <fabrizio!linux.it> sub 2048g/8CF7A15B 2003-03-21
I live near Asti and I work in Torino (Italy). I am open to sign keys at any time. The easiest way for verifying keys would be to meet me here in Asti or Torino. Another opportunity to get in personal contact would be to address me at certain computer related events in Italy. I am also listed at biglumber.com, a web site about key signing coordination.
Prerequisites for signing
The signee (i.e. the key holder who wishes to obtain a signature from me, the signer) must make his/her OpenPGP public key available on a publicly accessible keyserver. My default keyserver is
The signee should have prepared a strip of paper with a printout of the output
gpg --list-keys --with-fingerprint KEY-ID
(or equivalent command if you’re not using GnuPG), where
KEY-ID is the key ID of the key that is to be signed. A hand-written sheet featuring all user ID’s the signee wants me to sign and the fingerprint will also be accepted.
The signee should be willing to cross-sign with me.
I never sign someone’s key without having met him or her in person.
The signee must prove his/her identity to me by way of a national ID card, a driver’s licence, a passport or a similar token. The token must feature a photographic picture of the signee.
The signee should also sign the strip of paper with the fingerprint printout in my presence. For efficiency, exceptions will be accepted on larger keysigning parties.
The act of signing
At home, I will
- import a clean version of the key from a publicly accessible keyserver;
- check if the key fingerprint matches the one I received from the signee;
- send one email to each of the mail addresses featured in the user ID’s that I was asked to sign. They contain random strings and will be signed by me and encrypted to the public key whose fingerprint is printed on the paper.
Upon reception of encrypted replies, I will check the returned random string for equality with what I sent. The reply must be signed with the key that I was asked to certify and encrypted to my public key.
User IDs that pass the above test are signed. If one of the user IDs fails the test, a warning is sent to one of the other userID’s addresses and the procedure is halted until a satisfactory explanation has been received.
When all of the User IDs passes the challenge/response test, the signed keyblock is uploaded to a randomly chosen set of keyservers. The signee may hint on what key server or choose to receive it through mail instead.
Trace the path to/from my keys
I will sign keys using one of these signature classes:
- Level 3 (key ownership has been carefully verified)
- Used for sign-and-encrypt keys which successfully pass all the checks: I have met the signee, I have verified his/her identity card and fingerprint and his/her reply to my verification mails (being sent to the UIDs) has been correct. These signatures are the strongest in my web of trust.
- Level 2 (key ownership has been casually verified)
- Used for sign-only keys, where the challenge/response test was not possible.
- Level 0 (Undefined)
- Used to sign keys belonging not to persons but to groups or organisations.
- My public key
- My biglumber.com listing
- Statistics of my key in the pathfinder by Henk P. Penning
- msd graph and rank graph in a report by Thomas Butter
- key statistics in the wotsap analysis by Jörgen Cederlöf
- key statistics in the key analysis by Jason Harris
The Trace the path utility is by Henk P. Penning.