This policy is valid from 2005-08-09 for all signatures made by the GnuPG key:
pub 4096R/CF3401A9 2005-02-17
uid Elmar Hoffmann <elho@elho.net>
Key fingerprint = 8736 FE21 A2DF DDC9 8E5A AD73 9579 52D7 CF34 01A9
It may be replaced at any time with a new version. If a new version incorporates changes that might affect the strength or perceived strength of the resulting signature, the old version will be linked from the new one.
This is version 3, written 2005-08-09.
Version 2, written 2005-02-17, used a specific keyserver URL for no reason.
Version 1, written 2004-09-03, was used with a now revoked key.
The key owner who wishes to obtain a signature to his/her key from me (hereafter called the "signee") must prove his/her identity to me by way of a national ID card, a driver's licence, or a similar token. The token must feature a photographic picture of the signee. This also implies that the signee's key must feature his/her real name.
For people from outside the European Union, only a combination of at least two of the above tokens will be accepted. Exceptions will be made when the signee can come up with other means of proof of identity. But at least one of the above tokens will stay the minimum requirement.
The signee should have prepared a printout of the output of
gpg --fingerprint for his/her key (or the equivalent
command of his/her OpenPGP client).
A hand-written sheet featuring the key ID, the fingerprint and all user IDs the signee wishes to obtain a signature to will also be accepted.
If the signee wishes to obtain a signature to a photographic user ID, the printout should contain the image of that photographic user ID. A printout or photocopy of a photo clearly showing the same person as in the photographic user ID will also be accepted.
The above must take place under reasonable circumstances, i.e. at a calm place, both parties not being in a hurry, etc.
The signee should make his/her public key available on a publicly
accessible pgp.net keyserver, such as subkeys.pgp.net.
The signee should be willing to cross-sign with me.
At home I will verify the key's fingerprint using the hardcopy of the fingerprint that has been given to me.
After successful fingerprint verification, I will sign all user IDs which I was asked to sign. Each signature is then individually sent to the email address listed in the corresponding user ID, encrypted to the signee's key.
As only the signee can decrypt and thus publish the signatures, it is warranted that the email addresses listed in each user ID with a published signature belongs to the signee.
Certification level 3 is used for user IDs that passed identity, fingerprint and email verification and photographic user IDs that passed identity and fingerprint verification as described above.
Certification level 2 is used for user IDs that passed identity and fingerprint verification as described above.
Certification level 2 is also used for user IDs of keys belonging organizations such as Certification Authorities that passed fingerprint verification by providing the fingerprint in an official publication in printed form.
Certification level 1 is never used, keys are never signed without appropriate verification.