All signatures will be made with the key 0x425DC4B9, which is available from this site and also from most public keyservers. Additionally, signatures with my communications keys can be arranged if desired.
The signee must prove his/her identity to me by way of a valid identity card, passport or driving licence. These documents must carry a photograph of the signee. No other kind of document will be accepted. Please note that I require this proof of identity even from people I know personally. This verification step is called "proof of identity".
The signee should have prepared a piece of paper showing the key ID, the fingerprint and all UIDs the signee wants me to sign. Handwritten notes are acceptable, but I would prefer a clean printout, as it is usually much easier to read.
Handing over proof of identity and fingerprint must take place under reasonable circumstances (i.e. ourselves not being in a hurry, exchanging key data at a calm place and so on). I reserve the right to refuse signing under inappropriate circumstances.
The public key to be signed should be available on the PGP keyservers. If it is not available there, the signee is expected to hand me a copy of the public key, or point me to a place where I can obtain it. Failure to do so will result in the key not being signed, as I obviously can't sign what I can't find. After having received the proof detailed above, I will sign the signee's piece of paper myself to avoid fraud.
Verification of User-IDs: At home I will send one e-mail to each of the mail addresses listed in the UIDs I was asked to sign. These verification mails contain random strings and will be signed by me and encrypted to the public key whose fingerprint is printed on the sheet. On receiving the encrypted and signed replies, I will check that the returned random string is equal to the one I sent. For sign-only keys, the verification mail will only be signed, not encrypted. UIDs which pass this test will be signed. If one of the UIDs fails the test, a warning will be sent to one of the other mail addresses and the procedure will be halted until a satisfactory explanation has been received or the procedure has been cancelled by the signee. Keys with only partly verified UIDs will be deleted and cannot be signed. Please note that this only applies to e-mail addresses: ICQ IDs will not be signed, and photos will be signed if I can recognise the person on the photo as the signee. The signed keyblock will be sent to the primary e-mail address of the key, and will also be published to one or more keyservers.
Master-Signature-Keys which don't contain an e-mail address will be signed without a verification mail, but only if they contain the URL of a page that explains the signature policy of the key owner. Please note that I recommend having a separate e-mail address for use with Master-Signature-Keys.
The key used to sign other people's keys is used only for signatures, not for encryption. A permanent copy of the secret key is stored only on a CD which is kept in a safe, along with revocation certificates for all of my keys. Encrypted backups of the secret key and the revocation certificates are also stored on several CD-ROMs, inside sealed cases kept in secure places.
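The UID verification described above is a challenge-response round: one random string per mail address, sent signed and encrypted to the key whose fingerprint is on the sheet, and compared with what comes back. The following Python script is an added example, not the author's own tooling, that models the bookkeeping side of that round. It parses the UIDs out of a constructed `gpg --list-keys --with-colons --fingerprint` listing, checks the fingerprint against the one on the sheet, issues one token per e-mail UID (skipping UIDs without an address, such as an ICQ entry, and photo `uat` records, which are not verified by mail), notes whether the key can receive encrypted mail at all, and applies the halt rule when any reply fails. The key ID, fingerprint, UID hashes and addresses in the listing are invented; sending, signing and decrypting the actual mails is left to gpg and a mail client.

```python
import hmac
import re
import secrets

# Constructed sample of `gpg --list-keys --with-colons --fingerprint` output
# for a single key. Key ID, fingerprint, hashes and addresses are invented
# for this example. gpg writes a colon inside a user ID as "\x3a", which
# the parser undoes below.
SAMPLE_LISTING = r"""
tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1600000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::Example Signee <signee@example.org>::::::::::0:
uid:u::::1600000000::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB::Example Signee (work) <signee@example.net>::::::::::0:
uid:u::::1600000000::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC::Example Signee (ICQ\x3a 12345678)::::::::::0:
uat:u::::1600000000::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD::1 3045:
sub:u:4096:1:FEDCBA9876543210:1600000000::::::e::::::23:
"""

# Address inside angle brackets at the end of a user ID, e.g. "Name <a@b>".
EMAIL_RE = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>$")


def parse_listing(listing):
    """Extract key ID, fingerprint, encryption capability and uid records.

    Only `uid` records are collected; `uat` (photo) records are ignored
    because photos are verified in person, not by mail. Field 12 of the
    `pub` record lists capabilities; an "e"/"E" means the key or one of its
    subkeys can receive encrypted mail, otherwise it is a sign-only key.
    """
    info = {"key_id": None, "fingerprint": None, "can_encrypt": False, "uids": []}
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub" and info["key_id"] is None:
            info["key_id"] = fields[4]
            info["can_encrypt"] = "e" in fields[11].lower()
        elif rtype == "fpr" and info["fingerprint"] is None:
            info["fingerprint"] = fields[9]
        elif rtype == "uid":
            info["uids"].append(fields[9].replace("\\x3a", ":"))
    return info


def fingerprint_matches(on_sheet, from_keyring):
    """Compare the fingerprint printed on the signee's sheet with the one
    gpg reports, ignoring the grouping spaces and letter case."""
    norm = lambda s: "".join(s.split()).upper().encode()
    return hmac.compare_digest(norm(on_sheet), norm(from_keyring))


def mail_address(uid):
    """Return the e-mail address of a UID, or None for UIDs without one."""
    m = EMAIL_RE.search(uid)
    return m.group(1) if m else None


def issue_challenges(uids):
    """One fresh random token per mailable UID. UIDs without an address
    (an ICQ ID, for instance) are returned separately as skipped."""
    challenges, skipped = {}, []
    for uid in uids:
        addr = mail_address(uid)
        if addr is None:
            skipped.append(uid)
        else:
            challenges[addr] = secrets.token_hex(16)
    return challenges, skipped


def evaluate_replies(challenges, replies):
    """Apply the policy's halt rule.

    `replies` maps address -> token found in the signed reply (missing
    address = no reply). Returns (addresses_to_sign, failed_addresses);
    when any address fails, nothing is signed until the signee explains,
    so the first list is empty whenever the second is not.
    """
    passed, failed = [], []
    for addr, expected in challenges.items():
        got = replies.get(addr)
        ok = isinstance(got, str) and hmac.compare_digest(expected.encode(), got.encode())
        (passed if ok else failed).append(addr)
    return ([], failed) if failed else (passed, [])


if __name__ == "__main__":
    info = parse_listing(SAMPLE_LISTING)
    print("key", info["key_id"], "encrypt-capable:", info["can_encrypt"])
    challenges, skipped = issue_challenges(info["uids"])
    for addr, token in challenges.items():
        print("send to", addr, "token", token)
    print("not verified by mail:", skipped)
```

The script stops at producing the tokens and judging the replies; the outgoing mail would be built with `gpg --sign --encrypt` (or `--sign` alone when `can_encrypt` is false), and the returned token is whatever the signee's signed, decrypted reply contains.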
Based on the policies of Marcus Frings (http://www.sc-delphin-eschweiler.de/pgp/) and Marc Haber (http://www.zugschlus.de/gpg-signing-policy/)
If you like this policy, and maybe want to reuse it, feel free to Flattr me using the button.