My GnuPG/OpenPGP key as of 2023-01-02 is:
pub   rsa4096 2022-01-01 [C] [expires: 2024-03-27]
      E340 3297 5F72 E71F 1887 109D E9F4 D999 943E 991C
uid           [ultimate] Francesco Vezzoli <[email protected]>
uid           [ultimate] Francesco Vezzoli <[email protected]>
uid           [ultimate] Francesco Vezzoli <[email protected]>
sub   rsa4096 2022-01-01 [S] [expires: 2024-03-27]
sub   rsa4096 2022-01-01 [E] [expires: 2024-03-27]
sub   rsa4096 2022-01-01 [A] [expires: 2024-03-27]
It is available for download from this site: 0xE9F4D999943E991C.asc. At the moment the key is not loaded on a keyserver.
I followed a guide on the Debian wiki to create an air-gapped main (certification) key, which is stored in a safe place, and to keep the signing, encryption and authentication subkeys on a smart card for daily use, with a limited expiration time. Here is the list of the guides I followed:
- Debian wiki on air-gapped master key
- Blog post by Víctor Cuadrado Juan on air-gapped computer, GPG and smartcards using the YubiKey Neo.
GPG Signing Policy of Francesco Vezzoli
This is the signing policy for key 0xE9F4D999943E991C:
I am willing to sign keys for people I meet in person, in reasonable circumstances (not in a hurry, in a calm place, etc.).
The owner of the key should bring a hardcopy of the output of the command:
gpg --fingerprint $KEY_ID, or an equivalent listing of the same information.
If the key is not available on public servers, the piece of paper should include an alternative address where I can easily retrieve the public key to sign.
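The check implied by the two points above is that the fingerprint on the piece of paper matches the key actually retrieved (from a keyserver or from the alternative address). The following script is an added example, not part of this policy page or of GnuPG: it parses the machine-readable listing produced by `gpg --with-colons --fingerprint <KEY_ID>` (the colon format described in GnuPG's doc/DETAILS), normalises a fingerprint as transcribed from paper, and reports whether the two agree, whether the key is expired, and which UIDs are candidates for signing. The sample listing embedded below is constructed for the key on this page; the subkey id, UID hash and e-mail address in it are placeholders.

```python
"""Compare a retrieved OpenPGP key with the fingerprint on a hardcopy.

Added example (not the page author's code). Input is the output of
    gpg --with-colons --fingerprint 0xE9F4D999943E991C
captured after the key has been fetched from a keyserver or the address
written on the paper.
"""
import re
import time

# Constructed sample of the colon listing for the key shown on this page.
# The subkey key id, the UID hash and the e-mail address are placeholders.
SAMPLE_LISTING = """\
tru::1:1672617600:0:3:1:5
pub:u:4096:1:E9F4D999943E991C:1640995200:1711497600::u:::cSC::::::23::0:
fpr:::::::::E34032975F72E71F1887109DE9F4D999943E991C:
uid:u::::1640995200::0123456789ABCDEF0123456789ABCDEF01234567::Francesco Vezzoli <user@example.org>::::::::::0:
sub:u:4096:1:0123456789ABCDEF:1640995200:1711497600:::::s::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
"""


def normalize_fpr(text: str) -> str:
    """Reduce a fingerprint as written on paper (spaces, 0x prefix, lowercase)
    to the bare 40 uppercase hex digits used in the colon listing."""
    text = text.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def parse_colon_listing(listing: str) -> dict:
    """Extract primary key id, expiry, primary fingerprint and UIDs.

    Field positions follow doc/DETAILS: field 5 is the key id, field 6 the
    creation time, field 7 the expiry time, field 10 the user id (uid records)
    or the fingerprint (fpr records). Only the fpr record that directly
    follows the pub record is the primary fingerprint; subkeys have their own.
    """
    info = {"keyid": None, "expires": None, "fingerprint": None, "uids": []}
    in_primary = False
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            in_primary = True
            info["keyid"] = fields[4]
            info["expires"] = int(fields[6]) if fields[6] else None
        elif rtype == "sub":
            in_primary = False
        elif rtype == "fpr" and in_primary and info["fingerprint"] is None:
            info["fingerprint"] = fields[9]
        elif rtype == "uid":
            info["uids"].append(fields[9])
    return info


def check_key(listing: str, paper_fpr: str, now: float = None) -> dict:
    """Return whether the paper fingerprint matches the retrieved key,
    whether the key is expired at `now` (epoch seconds, default: current
    time), and the UIDs that could be signed."""
    if now is None:
        now = time.time()
    info = parse_colon_listing(listing)
    wanted = normalize_fpr(paper_fpr)
    return {
        "keyid": info["keyid"],
        "well_formed": len(wanted) == 40,          # v4 fingerprints are 160 bits
        "match": wanted == info["fingerprint"],
        "expired": info["expires"] is not None and info["expires"] < now,
        "uids": list(info["uids"]),
    }


if __name__ == "__main__":
    paper = "E340 3297 5F72 E71F 1887 109D E9F4 D999 943E 991C"
    print(check_key(SAMPLE_LISTING, paper))
```

The fingerprint is compared after normalisation so that a paper copy written with spaces, in lowercase or with a 0x prefix still compares equal; the length check catches a transcription that dropped a group of digits. The script deliberately refuses nothing else: deciding whether the UIDs belong to the person in front of you is the part of the policy that a computer cannot do.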
I reserve the right not to sign a key; reasons may include, but are not limited to, insufficient identification (I think the face-to-face meeting mitigates the problem) or problems retrieving the key.
I'm not using signature levels: I think they don't add much value. I fully trust all the people I meet.
After signing the UIDs, I will send the signed key to each e-mail address as a light form of address ownership control; I will not upload the key to any keyserver.
If I have signed your key and you create a new one (e.g., because you are migrating to a new format), I am willing to sign the new key without meeting in person, as long as the following conditions are met.
- The old key is not yet expired or revoked when you send me the request (obviously).
- You send me an e-mail signed with the old key and containing the information about the new key needed for a new signature (fingerprint, UID you want to have signed, where to find the key).
I will sign the UIDs I had already signed with the old key, the others only if I am sure they are yours.
I will only sign pseudonym identities on keys if I’ve known the owner of the key under that pseudonym for more than a year.
I won’t generally sign photo UIDs because they are hard to properly verify.
Reciprocity is appreciated, but not required: if we meet so that I can sign your key, I expect you to look at my ID and fingerprint; if you then have a reason not to sign it, I understand, but I would appreciate it if, situation permitting, you explain what the issues are, so that I can fix them for the future.