Key Signing Policy for Sebastian Inacker.

http://www.inacker.de/gpg/policy.txt
Version 2009/09/09

pub   1024D/E05C21AF 2003-07-19 Sebastian Inacker
      Key fingerprint = 1B69 2B1B B62B 1789 AEEF  4F9D 6640 15D7 E05C 21AF
uid                  Sebastian Inacker
uid                  Sebastian Inacker
uid                  Sebastian Inacker
sub   1024g/689EB113 2003-07-19
sub   1024D/622349DC 2003-07-25

pub   4096R/992A935C 2009-08-16
      Key fingerprint = C5C6 1E08 1F39 1E48 798E  6CA5 5F31 C256 992A 935C
uid                  Sebastian Inacker
sub   4096R/961B4C72 2009-08-16

This policy is used for signatures made by my GnuPG keys 0xE05C21AF and
0x992A935C - starting from 2004/01/01.
(Some signatures before this date were also made under the following
conditions. No key was ever signed without checking the identity of the
person and the fingerprint.)

Before I sign a key, I

 - verify the identity of the person owning the to-be-signed key by
   looking at their identity card, equivalent official proof of identity
   or (in very few cases, only in the beginning and with key 0xE05C21AF)
   by knowing the person very well for a long time.

 - receive the key fingerprint from the key owner. This can be on a piece
   of paper or the fingerprint could get confirmed by the owner during a
   Key Signing Party.

A signature is always on a user id. By signing a user id, I confirmed
for myself

 - that the person who gave me the fingerprint of that key had the
   claimed name - at the moment of identity check.

I do sign keys of persons from foreign countries as long as there is no
indication of fraud (detected by me).

Signatures by my GnuPG key(s) do not have any legal relevance.

Description of my use of trustlevels:

sig3 - I have verified the identity and verified that the e-mail address
       of the signed uid belongs/belonged to the person who has/had
       control over the key. This is done by a challenge-response system
       or by sending the signed key to the corresponding user id (both
       via encrypted mail).

sig2 - I have verified the identity - but not the e-mail address (for
       example because the key does not support encryption to it).

sig1 - unused at the moment.

Signatures made by caff might not have any special trustlevel.
(Trustlevel would be "sig3".)

CHANGELOG

2005/06/26
  Description of trustlevel sig3 changed. Analogously: Check for control
  over the key is done by (encrypted) challenge-response or (NEW) sending
  the signed key by encrypted mail to the owner.
  Changed named keyservers to subkeys.pgp.net /
  random.sks.keyserver.penguin.de
  Old policy: http://www.inacker.de/gpg/policy.until_20050626.txt

2009/08/24
  Added new key 992A935C.
  Some clarifications on how I sign keys.
  Old policy: http://www.inacker.de/gpg/policy.until_20090909.txt