My GnuPG Keys
I use a new key (37B23872, a strong RSA key).
My main public Key
4096R/37B23872
Download my key
Key fingerprint is C98E 690D 6250 4CD1 3C15 233C 63C4 3506 37B2 3872
You can get it at http://pgp.mit.edu or click above.
My old GPG public Key, still active
1024/58DA381D
Download my key 2007 graphic map
Key fingerprint is 7A67 682C E754 4652 A62D ACBA 03B3 E1D6 58DA 381D
You can get it at http://pgp.mit.edu or click above.
Key Signing Policy of Stephane Papillon
This policy is valid for all signatures made by the following GnuPG keys: 0x58DA381D, 0x37B23872
Location
I live in Lyon (France) and I am open to sign keys at any time. The easiest way for verifying keys would be to meet me here in Lyon. Another opportunity to get in personal contact would be to address me at certain computer related fairs (CeBIT, Fosdem, LinuxTag and so on). I am also listed at biglumber.com, a webpage about key signing coordination.
Prerequisites for signing
The signee (the key owner who wishes to obtain a signature to his/her key from me, the signer) must make his/her OpenPGP key available on a publicly accessible keyserver (see above for example keyservers).
The signee must prove his/her identity to me by way of a valid identity card or a valid driving licence. These documents must feature a photographic picture of the signee. No other kind of documents will be accepted. This also implies that the signee’s key must feature his/her real name in order to be checked up on his/her identity card. A key which only contains a pseudonym will not be signed.
For people from outside the European Union I will check both of these two tokens (since I cannot assess their risk of fraud). Exceptions may be made if there is a good reason for me to do so.
The signee should have prepared a strip of paper with a printout of the output of
gpg --fingerprint 0x12345678
(or an equivalent command if the signee does not use GnuPG) where 0x12345678 is the key ID of the key which is to be signed.
A handwritten piece of paper featuring the fingerprint and all UIDs the signee wants me to sign will also be accepted.
The above must take place under reasonable circumstances (i.e. ourselves not being in a hurry, exchanging key data at a calm place and so on).
The act of signing
After having received (or exchanged) the proof detailed in the above I will sign the signee’s piece of paper myself to avoid fraud.
At home I will sign the UIDs which I was asked to sign. Each signature will then be mailed separately to the corresponding mail address of the single UIDs.
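The fingerprint comparison that precedes signing at home, as an added example that is not part of the original policy: it checks the paper strip against the primary-key fingerprint in gpg's colon-format listing and refuses anything shorter than the full 40 hex digits. The function names are hypothetical and the sample listing is constructed (only its primary fingerprint is taken from this page).

```shell
#!/bin/sh
# Added example: names and sample data below are hypothetical/constructed.

# Strip whitespace and an optional 0x prefix, then uppercase the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint` output on stdin and print field 10
# of the first "fpr" record after the first "pub" record (the primary key).
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# fpr_matches PAPER_FPR < listing
# 0 = full fingerprints agree, 1 = mismatch, 2 = paper value is not 40 hex digits.
fpr_matches() {
    paper=$(normalize_fpr "$1")
    case "$paper" in
        *[!0-9A-F]*) return 2 ;;
    esac
    # An 8-digit key ID such as 37B23872 is not accepted as proof.
    [ "${#paper}" -eq 40 ] || return 2
    listed=$(primary_fpr)
    [ -n "$listed" ] && [ "$paper" = "$listed" ]
}

# Constructed colon listing; only the primary fingerprint is taken from this page.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:63C4350637B23872:1300000000:::-:::scESC:
fpr:::::::::C98E690D62504CD13C15233C63C4350637B23872:
uid:-::::1300000000::::Example Signee <signee@example.org>:
sub:-:4096:1:0123456789ABCDEF:1300000000::::::e:
fpr:::::::::0000111122223333444455556666777788889999:
EOF
}
```

With a real key, the listing comes from piping the output of gpg --with-colons --fingerprint for the fetched key into fpr_matches together with the value from the paper strip.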
Levels of signatures
Depending on the character of the key which is to be signed by me I will use different levels of signatures:
Level 3
A level of 3 is given to sign-and-encrypt keys: I have met the signee, I have verified his/her identity card and fingerprint and I was able to send my signatures encrypted with the corresponding key of the signee. These signatures are the strongest in my web of trust. Photographic UIDs are also going to be signed with a level of 3 if I can still remember the signee’s face when I am back at home.
Level 2
A level of 2 is given to sign-only keys. It cannot be clearly determined whether the owner of the mail account is the same as the key owner because encryption cannot be used, hence the signatures only receive a lower level of 2.
Level 1
A level of 1 will never be used by me for it weakens the web of trust in my opinion. I have never signed keys without appropriate verification and I will never do so in the future.
Level 0
A level of 0 is given to keys of Certification Authorities since in most cases the key owner is a whole organization and not a single person. Usually the fingerprints of those keys have to be verified by getting them from the corresponding website of the CA and cannot be checked by exchange with a member of the CA who is in charge. These signatures are the weakest in my web of trust.

