OpenPGP Signing Policy of Fabrizio Tarizzo ver. 0.1

Fabrizio Tarizzo


This policy is valid from March 16, 2006 for all signatures made by the following GnuPG key:

pub   1024D/F1E8E6E4 2003-03-21
      Key fingerprint = 67FE D145 9428 0231 47A0  23F7 3235 7A45 F1E8 E6E4
uid                  Fabrizio Tarizzo <fabrizio!>
uid                  Fabrizio Tarizzo <fabrizio-ml!>
uid                  Fabrizio Tarizzo <fabryt!>
uid                  Fabrizio Tarizzo (Jabber account) <bluviolin!>
uid                  Fabrizio Tarizzo <fabrizio!>
sub   2048g/8CF7A15B 2003-03-21


I live near Asti and work in Torino (Italy). I am open to signing keys at any time. The easiest way to verify keys is to meet me in Asti or Torino. Another opportunity for personal contact is to approach me at certain computer-related events in Italy. I am also listed at, a web site about key signing coordination.

Prerequisites for signing

The signee (i.e. the key holder who wishes to obtain a signature from me, the signer) must make his/her OpenPGP public key available on a publicly accessible keyserver. My default keyserver is

The signee should have prepared a strip of paper with a printout of the output of

gpg --list-keys --with-fingerprint KEY-ID

(or the equivalent command if you are not using GnuPG), where KEY-ID is the key ID of the key that is to be signed. A hand-written sheet listing all user IDs the signee wants me to sign, together with the fingerprint, will also be accepted.

The signee should be willing to cross-sign with me.

Identity verification

I never sign someone’s key without having met him or her in person.

The signee must prove his/her identity to me by way of a national ID card, a driver's licence, a passport or a similar document. The document must feature a photograph of the signee.

The signee should also sign the strip of paper with the fingerprint printout in my presence. For efficiency, exceptions will be accepted at larger keysigning parties.

The act of signing

At home, I will

  1. import a clean copy of the key from a publicly accessible keyserver;
  2. check that the full key fingerprint (not only the short key ID) matches the one I received from the signee;
  3. send one email to each of the mail addresses in the user IDs that I was asked to sign. Each mail contains a random string, is signed by me and is encrypted to the public key whose fingerprint is printed on the paper.

Upon receipt of an encrypted reply, I check that the returned random string equals the one I sent. The reply must be signed with the key that I was asked to certify and encrypted to my public key.

User IDs that pass the above test are signed. If one of the user IDs fails the test, a warning is sent to one of the other user IDs' addresses and the procedure is halted until a satisfactory explanation has been received.

When all of the user IDs pass the challenge/response test, the signed keyblock is uploaded to a randomly chosen set of keyservers. The signee may suggest a keyserver or choose to receive the signed key by mail instead.
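The four steps above, scripted with GnuPG, as an added example that is not part of this policy and not the author's own tooling. The signer's key ID, the keyserver, the fingerprints and the mail addresses are placeholders; the script assumes GnuPG 2 and uses a throw-away GnuPG home directory so the imported key is judged on its own and not by anything already in the signer's keyring.

```shell
#!/bin/sh
# Added example (not the policy author's script). SIGNER_KEY and KEYSERVER
# are placeholders; WORKDIR is a throw-away GnuPG home for the verification.
SIGNER_KEY=${SIGNER_KEY:-0xF1E8E6E4}                    # the signer's own key (assumption)
KEYSERVER=${KEYSERVER:-hkps://keyserver.example.org}    # placeholder keyserver
WORKDIR=${WORKDIR:-$(mktemp -d)}
chmod 700 "$WORKDIR"

# Strip whitespace and upper-case so the fingerprint from the paper slip and
# the one gpg prints compare byte for byte whatever the grouping.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Step 1: fetch a clean copy of the key, addressed by full fingerprint.
import_clean() {                # import_clean FINGERPRINT
    gpg --homedir "$WORKDIR" --keyserver "$KEYSERVER" \
        --recv-keys "0x$(normalize_fpr "$1")"
}

# Step 2: compare the full fingerprint gpg reports with the slip.
# --with-colons is the machine-readable format; the "fpr" record carries
# the fingerprint in field 10.
fingerprint_matches() {         # fingerprint_matches FINGERPRINT-FROM-SLIP
    expected=$(normalize_fpr "$1")
    actual=$(gpg --homedir "$WORKDIR" --with-colons --fingerprint "0x$expected" \
             | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$(normalize_fpr "$actual")" = "$expected" ]
}

# Step 3: one fresh random token per user ID, recorded so the reply can be
# checked, then signed by the signer and encrypted to the key under test.
make_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'   # 32 hex characters from the OS RNG
}

record_token() {                # record_token ADDRESS TOKEN
    printf '%s %s\n' "$1" "$2" >> "$WORKDIR/challenges.txt"
}

send_challenge() {              # send_challenge FINGERPRINT ADDRESS
    token=$(make_token)
    record_token "$2" "$token"
    printf 'Key signing challenge for %s\nToken: %s\n' "$2" "$token" \
      | gpg --homedir "$WORKDIR" --armor --local-user "$SIGNER_KEY" \
            --recipient "0x$(normalize_fpr "$1")" --sign --encrypt \
            > "$WORKDIR/challenge-$2.asc"
    # Hand "$WORKDIR/challenge-$2.asc" to the mail client, addressed to $2.
}

# Step 4a: the token in a reply must be exactly the one issued for that address.
token_matches() {               # token_matches ADDRESS TOKEN
    grep -qxF "$1 $2" "$WORKDIR/challenges.txt"
}

# Step 4b: the reply must decrypt with the signer's key and carry a good
# signature from the key under test. gpg reports a good signature as a
# VALIDSIG status line: its first argument is the fingerprint of the signing
# (sub)key and its last one the primary key fingerprint, so accept either.
reply_is_good() {               # reply_is_good FINGERPRINT ADDRESS REPLY-FILE
    fpr=$(normalize_fpr "$1")
    status=$(gpg --homedir "$WORKDIR" --batch --status-fd 1 \
                 --output "$WORKDIR/reply-$2.txt" --decrypt "$3") || return 1
    printf '%s\n' "$status" \
      | awk -v fpr="$fpr" '$2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
                           END { exit !ok }' || return 1
    token=$(sed -n 's/^Token: //p' "$WORKDIR/reply-$2.txt" | head -n 1)
    token_matches "$2" "$token"
}
```

Only a reply that decrypts, carries a good signature from the key named on the slip and quotes the token issued for that very address passes; a correct token signed by a different key, or a valid signature with the wrong token, fails. The signing key fingerprint is matched as a whole rather than by the 32-bit short ID, since short IDs are not unique.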

Trace the path to/from my keys

to my key 0xF1E8E6E4

Signature levels

I will sign keys using one of these signature classes:

Level 3 (key ownership has been carefully verified)
Used for sign-and-encrypt keys which pass all the checks: I have met the signee, I have verified his/her identity document and fingerprint, and the replies to my verification mails (sent to each UID) were correct. These signatures are the strongest in my web of trust.
Level 2 (key ownership has been casually verified)
Used for sign-only keys, where the challenge/response test is not possible (the challenge cannot be encrypted to a key that has no encryption subkey).
Level 0 (Undefined)
Used for keys that belong not to persons but to groups or organisations.



Content and structure of this document are strongly based on the OpenPGP Key Signing Policy of Marc Mutz and Jörgen Cederlöf.

The Trace the path utility is by Henk P. Penning.

Signature of this document