v1.0.1, Aug 08 2005
This policy is valid for all signatures made by the following GnuPG keys:
pub 1024D/0xC007255B 2001-10-29
uid Stephane Clodic (/SClo) <sclo!rapsody.com>
uid Stephane Clodic (France-Teaser) <sclo!teaser.fr>
uid Stephane Clodic (Retiaire) <sclo!retiaire.org>
uid Stephane Clodic (France-Teaser) <sclodic!teaser.fr>
sub 1024g/0x25934D76 2001-10-29
sub 4096g/0x3122EC26 2005-07-21
sub 4096R/0x2C5FE03F 2005-07-21

pub 1024D/0x2D733A3E 2005-02-06
uid Stephane Clodic (Retiaire) <sclo!retiaire.org>
sub 4096g/0xA3A50BC8 2005-02-06
sub 4096R/0xC2CCF3DF 2005-07-17
Please note that the key 0xC007255B contains the revoked UIDs <stephane.clodic!cegetel.net> which are no longer valid.
To prevent spam, the mail addresses in the UIDs above are obfuscated on this web page (replace "!" with "@"). In the keys the real addresses are used.
These two keys will always be available on this page but the most current versions can usually be fetched from keyservers like pgpkeys.telering.at. You can get 0xC007255B here and
This policy was originally written on 2005-05-17 and will be followed from this date on but it may be replaced with a new version at any time. Content and structure of this document are strongly based on the OpenPGP Key Signing Policy of Marc Mutz and Jörgen Cederlöf but have been slightly modified from the original sources.
I live in Paris (France) and I am open to signing keys at any time. The easiest way to verify keys would be to meet me here in Paris. Another opportunity to get in personal contact would be to approach me at certain computer-related fairs. I am also listed at Biglumber.com, a web page for coordinating key signing.
The signee (the key owner who wishes to obtain a signature to his/her key from me, the signer) must make his/her OpenPGP key available on a publicly accessible keyserver (see above for example keyservers).
The signee must prove his/her identity to me by way of a valid identity card or a valid driving licence or passport. These documents must feature a photographic picture of the signee. No other kind of documents will be accepted. This also implies that the signee's key must feature his/her real name so that it can be checked against his/her identity card. A key which only contains a pseudonym will not be signed.
The signee should have prepared a strip of paper with a printout of the output of
gpg --fingerprint 0x12345678
(or an equivalent command if the signee does not use GnuPG), where 0x12345678 is the key ID of the key which is to be signed.
A handwritten piece of paper featuring the fingerprint and all UIDs the signee wants me to sign will also be accepted.
The above must take place under reasonable circumstances (i.e. ourselves not being in a hurry, exchanging key data at a calm place and so on).
I prefer to have keys cross-signed, so it does not make sense to ask me to sign keys if the signee is not willing to sign mine in return. Therefore I may use Biglumber's Key Exchange Service to ensure both parties get their keys exchanged simultaneously.
After having received (or exchanged) the proof detailed above, I will sign the signee's piece of paper myself to avoid fraud.
At home I will send one e-mail to each of the mail addresses which are listed in the UIDs which I was asked to sign. These verification mails contain random strings and will be signed by me and encrypted to the public key whose fingerprint is printed on the sheet.
Upon receipt of the encrypted and signed replies I will check that the returned random string is equal to what I sent.
UIDs which pass the above test are going to be signed. If one of the UIDs fails the test a warning will be sent to one of the other mail addresses and the procedure will be halted until a satisfactory explanation has been received or the procedure has been cancelled by the signee.
The signed keyblock will then be uploaded to a randomly chosen set of keyservers once I have first received my own signed keys. The signee can get it from there or choose to receive it through mail instead. It should be obvious that I expect the signee to sign my keys without any avoidable delay. The signee can either upload my keys to a keyserver or send them back to me by e-mail.
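The fingerprint check against the paper strip and the random-string mail test described above can be expressed as follows. This is an added example in Python, not the policy author's own tooling: the function names and the key listing are constructed for illustration, the signing, encrypting and decrypting of the mails is assumed to be done with gpg outside this code, and warning via the first address that passed is an assumption, since the policy only says "one of the other mail addresses".

```python
import hmac
import re
import secrets

# Constructed `gpg --with-colons --fingerprint` listing (not a real key);
# field 2 of a uid record is its validity ("r" = revoked), field 10 the user ID.
SAMPLE_LISTING = """\
pub:-:1024:17:BBBBCCCC12345678:1104537600:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123AAAABBBBCCCC12345678:
uid:-::::1104537600::X1::Alice Example <alice@example.org>:
uid:r::::1104537600::X2::Alice Example <alice@old.example.net>:
uid:-::::1104537600::X3::Alice Example (work) <alice@corp.example.com>:
sub:-:4096:16:BBBBCCCC1111AAAA:1104537600::::::e:
fpr:::::::::FFFF456789ABCDEF0123AAAABBBBCCCC1111AAAA:
"""

def parse_listing(listing):
    """Return (primary-key fingerprint, mail addresses of non-revoked UIDs)."""
    fpr, emails = None, []
    for fields in (line.split(":") for line in listing.splitlines()):
        if len(fields) < 10:
            continue
        if fields[0] == "fpr" and fpr is None:  # first fpr record is the primary key's
            fpr = fields[9]
        elif fields[0] == "uid" and fields[1] != "r":
            match = re.search(r"<([^<>]+)>", fields[9])
            if match:
                emails.append(match.group(1))
    return fpr, emails

def make_challenges(sheet_fpr, listing):
    """One fresh random string per address, only if the paper matches the fetched key."""
    key_fpr, emails = parse_listing(listing)
    on_paper = "".join(sheet_fpr.split()).upper()  # the printout groups the hex digits
    if key_fpr is None or on_paper != key_fpr.upper():
        raise ValueError("fingerprint on the sheet does not match the fetched key")
    return {email: secrets.token_hex(16) for email in emails}

def evaluate_replies(challenges, replies):
    """replies maps address -> string taken from a reply that decrypted and verified."""
    failed = [email for email, sent in challenges.items()
              if not hmac.compare_digest(sent.encode(),
                                         replies.get(email, "").strip().encode())]
    if not failed:
        return {"action": "sign", "uids": list(challenges)}
    others = [email for email in challenges if email not in failed]
    # Halt and warn via one of the other addresses (assumption: the first that passed).
    return {"action": "halt", "failed": failed,
            "warn_via": others[0] if others else None}
```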
Depending on the character of the key which is to be signed by me I will use different levels of signatures:
You can use the pathfinder of http://skylane.kjsl.com/~jharris/ which gives you a simple text printout:
If you like graphics you surely want to try out Jörgen's Wotsap:
Here are some links which you may find useful or interesting:
Copyright (c) 2005 - present Stephane Clodic.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.
Stephane Clodic <sclo (at) rapsody (dot) com>