Fabrizio Tarizzo OpenPGP Key Usage Policy

Issued: July 28, 2008


This document establishes the usage and security policy for the following OpenPGP key:

pub   4096R/E90C6E2B 2008-07-19
      Key fingerprint = 478F A2A0 1D61 3A7F 4835  AD6E 8FA2 40F6 E90C 6E2B
uid                  Fabrizio Tarizzo <fabrizio(%)fabriziotarizzo.org>
uid                  Fabrizio Tarizzo <fabrizio(%)linux.it>
uid                  Fabrizio Tarizzo <fabrizio-ml(%)fabriziotarizzo.org>
sub 2048R/FF2509AC 2008-07-19 [expires: 2009-07-19]
sub 2048g/DC9EBD07 2008-07-19 [expires: 2009-07-19]

This policy is valid from 2008-08-01 and conforms to the generally accepted security principles and practices of the OpenPGP user community.

The key certifications and electronic signatures created using the OpenPGP key listed above are not non-repudiable, legally binding qualified signatures, at least according to Italian law.

Key components

The primary ("Master") key

The master key is a high-security sign-and-certify 4096-bit RSA key, generated on 2008-07-19 on a clean Ubuntu GNU/Linux system using gnupg 1.4.6.

The secret part of the master key is stored on encrypted removable media. A backup copy is stored, encrypted, on WORM media. The main copy and the backup copy are kept in two different secure places. Both copies are protected with a strong passphrase. The key is only used on a desktop computer with no remote network access and limited physical access.

The master key has no expiration and is used only to:

  1. collect other people's certifications;
  2. certify other people's keys, following the policy established in my key certification policy;
  3. sign usage and certification policies, certification notes and other key management related documents;
  4. generate, renew, revoke and self-certify User IDs and subkeys bound to the master key.

The master key is, of course, immediately revoked in case of loss, theft or suspected compromise of the secret key.

The subkeys

Two or more subkeys (at least one signing key and one encryption key) are bound to the master key. These subkeys are used for signature and encryption operations in everyday communications.

Subkeys are at least 2048 bits long and have an expiration period of one year; they are renewed every year if the secrecy and integrity of the subkey are not suspected to be compromised.

Subkeys are, of course, immediately revoked in case of loss, theft or suspected compromise of the secret key.
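
The master key and subkey rules above can be checked mechanically against a key listing. The following is an added example, not part of the original policy or the author's tooling: it assumes the colon-delimited layout of `gpg --with-colons` with epoch timestamps, the function name audit is hypothetical, and the listing and key IDs are constructed placeholders.

```python
import time

DAY = 86400
MIN_SUBKEY_BITS = 2048      # minimum subkey length stated in the policy
MAX_AHEAD = 366 * DAY       # "one year" of validity, allowing for a leap year

# Constructed listing (assumed `gpg --with-colons` layout, epoch timestamps).
# Key IDs are placeholders; the last subkey deliberately violates the policy.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1216425600:::u:::scSC:
sub:u:2048:1:BBBBBBBBBBBBBBBB:1216425600:1247961600:::::s:
sub:u:2048:16:CCCCCCCCCCCCCCCC:1216425600:1247961600:::::e:
sub:u:1024:17:DDDDDDDDDDDDDDDD:1216425600::::::s:
"""

def audit(listing, now=None):
    """Return the policy violations found in a colon-format key listing."""
    now = int(time.time()) if now is None else now
    problems, usable = [], set()
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in ("pub", "sub"):
            continue
        kind, validity, keyid, expires, caps = f[0], f[1], f[4], f[6], f[11]
        bits = int(f[2])
        if kind == "pub":
            own = {c for c in caps if c.islower()}   # lowercase = this key's own usage
            if expires:
                problems.append(f"{keyid}: master key has an expiration date")
            if own - {"s", "c"}:
                problems.append(f"{keyid}: master key is not sign-and-certify only")
            continue
        if validity in ("r", "e") or (expires and int(expires) <= now):
            continue                                 # revoked or expired: not in use
        if bits < MIN_SUBKEY_BITS:
            problems.append(f"{keyid}: subkey is {bits} bits, below {MIN_SUBKEY_BITS}")
        if not expires:
            problems.append(f"{keyid}: subkey has no expiration date")
        elif int(expires) - now > MAX_AHEAD:
            problems.append(f"{keyid}: subkey is valid for more than one year from now")
        usable.update(c for c in caps if c in "se")
    for cap, name in (("s", "signing"), ("e", "encryption")):
        if cap not in usable:
            problems.append(f"no usable {name} subkey")
    return problems

if __name__ == "__main__":
    for problem in audit(SAMPLE, now=1217548800):    # 2008-08-01 00:00 UTC
        print(problem)
```

Passing a fixed `now` makes the check reproducible; without it the current time is used, so subkeys that have expired without renewal show up as a missing signing or encryption subkey.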

The User IDs

The key is currently bound to these three User IDs:

Fabrizio Tarizzo <fabrizio(%)fabriziotarizzo.org>
This e-mail address is used for regular communication.
Fabrizio Tarizzo <fabrizio-ml(%)fabriziotarizzo.org>
This e-mail address is used on mailing lists.
Fabrizio Tarizzo <fabrizio(%)linux.it>
This e-mail address is used for formal communications within the Italian Linux Society.

Key preferences

Preferred keyserver

My preferred keyserver is keyserver.linux.it. If you use the no-honor-keyserver-url GnuPG option (or the equivalent option in other OpenPGP software), please make sure to use an up-to-date keyserver. Many keyservers still run very old and buggy releases of the PKS software and do not correctly handle keys with multiple subkeys. The keyservers that can handle multiple subkeys are grouped under the name subkeys.pgp.net. Consider setting subkeys.pgp.net as your default keyserver and adding the repair-pks-subkey-bug option to your GnuPG configuration.

Preferred algorithms

Encryption: AES256, AES192, AES, TWOFISH, CAST5, 3DES.

Digest: SHA256, SHA384, SHA512, RIPEMD160, SHA1.

Compression: BZIP2, ZLIB, ZIP, Uncompressed.

Related documents


Signature of this document