My GnuPG/OpenPGP key as of 2023-01-02 is:

pub   rsa4096 2022-01-01 [C] [expires: 2024-03-27]
      E340 3297 5F72 E71F 1887  109D E9F4 D999 943E 991C
uid           [ultimate] Francesco Vezzoli <[email protected]>
uid           [ultimate] Francesco Vezzoli <[email protected]>
uid           [ultimate] Francesco Vezzoli <[email protected]>
sub   rsa4096 2022-01-01 [S] [expires: 2024-03-27]
sub   rsa4096 2022-01-01 [E] [expires: 2024-03-27]
sub   rsa4096 2022-01-01 [A] [expires: 2024-03-27]

It is available for download from this site: 0xE9F4D999943E991C.asc. At the moment the key is not uploaded to any keyserver.

I followed a guide on the Debian wiki to create an air-gapped main (certification) key, which is kept in a safe place, and to use a smart card holding separate signing, encryption and authentication subkeys for daily use, each with a limited expiration time. Here is a list of the guides I followed:

Signing Policy

My signing policy is available on this site (with its signature). Previous versions and changelog:

GPG Signing Policy of Francesco Vezzoli

This is the signing policy for key 0xE9F4D999943E991C:


I am willing to sign keys for people I meet in person, in reasonable circumstances (not in a hurry, in a calm place, etc.).

The owner of the key should bring a hardcopy of the output of the command gpg --fingerprint $KEY_ID, or an equivalent listing of the same information.

If the key is not available on public servers, the piece of paper should include an alternative address where I can easily retrieve the public key to sign.

I reserve the right not to sign a key; reasons may include, but are not limited to, insufficient identification (I think the face-to-face meeting mitigates this problem) or problems retrieving the key.
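The fingerprint on the hardcopy is only useful if it is actually compared, character by character, against the key that was retrieved, before any certification is made. The following POSIX shell script is an added example and not part of this page or its author's tooling; it normalises a fingerprint as written on paper (spaces, case, optional 0x prefix), rejects anything shorter than a full 40-hex-digit fingerprint, and only then signs the requested UIDs. It assumes GnuPG 2.1 or later for the --with-colons output and --quick-sign-key; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): verify a hardcopy fingerprint
# against the imported key before signing any of its UIDs.
# Assumes GnuPG >= 2.1 (for "--with-colons" and "--quick-sign-key").

# Normalise a fingerprint as written on paper: drop whitespace,
# drop an optional leading 0x, and upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Return 0 if both strings denote the same full fingerprint, 1 otherwise.
# A full OpenPGP v4 fingerprint is 40 hex digits; a shorter string is only
# a key ID and is rejected, since key IDs can be collided cheaply.
fpr_matches() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Primary-key fingerprint of a key in the local keyring, read from the
# machine-readable "fpr" record rather than parsed from human output.
keyring_fpr() {
    gpg --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare the hardcopy against the keyring; sign the given UIDs only on match.
# usage: verify_and_sign "<fingerprint from hardcopy>" "<key id>" [uid ...]
verify_and_sign() {
    hardcopy=$1; keyid=$2; shift 2
    actual=$(keyring_fpr "$keyid")
    if ! fpr_matches "$hardcopy" "$actual"; then
        echo "fingerprint mismatch: paper=$(normalize_fpr "$hardcopy") keyring=$actual" >&2
        return 1
    fi
    # Sign only the UIDs that were checked in person; the fingerprint, not the
    # short key ID, is passed to gpg so the signature lands on the verified key.
    gpg --quick-sign-key "$actual" "$@"
}
```

After verify_and_sign succeeds, the certified key can be exported with gpg --armor --export "$FPR" and mailed to each UID's address, which is the transport step described under "Key transport" below. The same script works for the fingerprint block shown at the top of this page as the hardcopy input.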

Signature Levels

I don’t use signature levels: I think they don’t add much value. I fully trust all the people I meet.

Key transport

After signing the UIDs, I will send the signed key to each e-mail address as a light form of address ownership control; I will not upload the key to any keyserver.

Subsequent keys

If I have signed your key and you create a new one (e.g., because you are migrating to a new format), I am willing to sign the new key without meeting in person, as long as the following conditions are met.

  1. The old key is not yet expired or revoked when you send me the request (obviously).
  2. You send me an e-mail signed with the old key and containing the information about the new key needed for a new signature (fingerprint, UID you want to have signed, where to find the key).

I will sign the UIDs I had already signed with the old key, the others only if I am sure they are yours.

Pseudonym keys

I will only sign pseudonym identities on keys if I’ve known the owner of the key under that pseudonym for more than a year.

Photo UIDs

I won’t generally sign photo UIDs because they are hard to properly verify.


Reciprocity is appreciated, but not required: if we meet so that I can sign your key, I expect you to look at my ID and fingerprint; if you then have a reason not to sign it, I understand, but I would appreciate it if, situation permitting, you explain what the issues are, so that I can fix them in the future.

