PGP Key Management Policy for Ethan Blanton

Last Updated: 2024-06-03

ACTIVE KEYS

I have two active, current PGP keys. They are:

pub   2048R/771FC72B 2009-05-09
      Key fingerprint = CB44 99AC EDDA D1AB D6E6 A2CA FF1F 8B16 771F C72B
uid   Ethan Blanton
uid   Ethan Blanton (Pidgin Developer)
uid   Ethan Blanton (Ohio University CS)
uid   Ethan Blanton (KB8OJH)
sub   2048R/1678C5B2 2009-05-09

pub   rsa3072/6373E92680FFE728 2024-07-03 [SC] [expires: 2026-07-03]
      5FF2A49218D19EF4750470466373E92680FFE728
uid   [ultimate] Ethan Blanton
uid   [ultimate] Ethan Blanton
sub   rsa3072/BE20E812A5B70D93 2024-07-03 [E] [expires: 2026-07-03]
sub   rsa3072/C317569A6696C484 2024-07-03 [S] [expires: 2026-07-03]

The second key, 80FF E728, should be used for all current and future communications until this document is updated or superseded.

771F C72B is still valid, secure, and under my control; however, I have managed it using a different policy than this one in the past, so its usage may be somewhat different from my current key, 80FF E728. Signatures created by 771F C72B after the date of this document should not necessarily be considered invalid, and can be assumed to use this policy unless otherwise indicated.

The primary key for 80FF E728 is stored only on a separate keyring, under passphrase and on an encrypted volume, which is not normally available for use. The subkeys attached to it are normally available for my use. It is stored only on a machine that is under my direct physical control (that is, never on a laptop or other portable device, and never on a hosted machine or at a third-party location). It is accessed only via trusted devices and authenticated connections (e.g., ssh from a trusted machine or the physical console).

INACTIVE KEYS

I have one inactive key which is not known to be compromised and should be respected for all signatures produced before Fall of 2019:

pub   4096R/A1A8AD0E 2014-03-15
      Key fingerprint = 2A9A 7752 8B91 6586 6289 FD3D 6CA9 2AC6 A1A8 AD0E
uid   Ethan Blanton (KB8OJH)
uid   Ethan Blanton (Pidgin Developer)
sub   2048R/3622A63A 2014-03-15
sub   2048R/6C822274 2014-03-15

This key has been retired as I cannot reproduce the passphrase. I still remember what I believe is the correct passphrase, but the passphrase that I remember will not decrypt this key material or one other key that uses the same passphrase. The passphrase in question was one that I used on a weekly basis, but I typed it wrong two or three times in a row and thereafter could never reproduce it correctly. Let this be a lesson to all who read it!

A1A8 AD0E was managed under this policy, and any signatures from it should be assumed to follow this policy.

I have one inactive key which is not known to be compromised and should be respected for all signatures produced before 2014-03-15:

pub   1024D/883C1C14 2000-12-03 [revoked: 2014-03-15]
      Key fingerprint = A290 14A8 C682 5C88 AE51 4787 AFD9 00F4 883C 1C14
uid   Ethan Blanton (psg.com)
uid   Ethan Blanton (Purdue Computer Science)
uid   Ethan Blanton (OU Computer Science)
uid   Ethan Blanton (Pidgin Developer)

This key has been retired due to its inadequate primary key size and characteristic. It is a relatively well-connected key, however, and I continue to trust key signatures made by it in the past. Its key signing policy may be different from the policy in this document; unless you have reason to believe otherwise, you should assume that signatures made by this key are equivalent to Verification Level 1, below.

I have one older key, AD4C AFDD, which has been inactive for well over 20 years. It is not known to be compromised, but signatures from it should NOT be trusted, as I no longer have the passphrase for its private key material. It should not be used for any purpose.

SIGNING POLICY

I make use of verification levels when signing keys. Signatures without verification levels (or verification level 0) are not necessarily invalid, as I may have declined to include a verification level for some non-technical reason. Therefore, unless you have reason to believe otherwise, signatures without a verification level should be assumed to be no more closely verified than level 1.

Verification Level 1 ("I have not checked at all"):

This indicates that I have moderately sound personal reasons to trust a key under the control of an individual, but that I have either not verified the individual's identity closely, the owner is pseudonymous, or I have reason to believe that the key is not managed tightly (e.g., it is used for automated signatures or available on a public machine). Alternately, it may mean that I have sound reasons to trust the key, but it is managed by a group, with multiple users having access to the private key material.

Verification Level 2 ("I have done casual checking"):

A signature with verification level 2 means that I have verified the identity of the key owner via either government-issued photo ID (preferably, but not necessarily, two forms) or equivalent, or that the identity of the key owner has been personally confirmed by a trusted third party. (This does not include cross-signatures on keys; it does include personal introductions.)

Verification Level 3 ("I have done very careful checking"):

This verification level is reserved for individuals known personally to me for an extended period of time. This includes friends, colleagues, and members of projects with which I have been active for some time. Identity verification for this level is at least as strong as Verification Level 2, with the added component that I have personal experience and belief that the individual is who they claim to be.

I do not currently make regular use of public trust levels on signed keys (that is, GPG 'tsign'). Such signatures should be assumed valid, but the policy attached to them is not well-defined.
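
The verification levels above are recorded in the signature class of each certification. As an added example (not part of the original policy or the author's tooling), this script reads `gpg --list-sigs --with-colons` output and reports the level this policy implies for each certification made by one signer. It assumes GnuPG's colon format (signer key ID in field 5, signature class in field 11); the sample records, key IDs and function names are constructed for illustration.

```python
# Added illustration: sample records are constructed, helper names hypothetical.
# OpenPGP certification classes 0x10..0x13 are what GnuPG writes for
# certification levels 0..3.
CERT_LEVEL = {0x10: 0, 0x11: 1, 0x12: 2, 0x13: 3}

def policy_level(sig_class):
    """Level implied by field 11 of a sig record ('12x', '13l', ...), or None."""
    try:
        level = CERT_LEVEL[int(sig_class[:2], 16)]
    except (ValueError, KeyError):
        return None          # not a certification (e.g. 0x18 subkey binding)
    return max(level, 1)     # policy: no stated level is read as level 1

def certifications_by(colon_output, signer_keyid):
    """Return (user ID, policy level, local-only) for each certification
    issued by signer_keyid in `gpg --list-sigs --with-colons` output."""
    found, uid = [], None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "uid" and len(f) > 9:
            uid = f[9]
        elif f[0] in ("pub", "sub"):
            uid = None       # signatures that follow are not on a user ID
        elif f[0] == "sig" and uid is not None and len(f) > 10:
            level = policy_level(f[10])
            if level is not None and f[4].upper() == signer_keyid.upper():
                found.append((uid, level, f[10].endswith("l")))
    return found

# Constructed, trimmed records in the colon format (not real keys).
SAMPLE = """\
pub:f:3072:1:1111111111111111:1700000000:::-:::scESC:
uid:f::::1700000000::::Alice Example <alice@example.org>:
sig:::1:1111111111111111:1700000000::::Alice Example <alice@example.org>:13x:
sig:::1:2222222222222222:1700000100::::Signer <signer@example.org>:12x:
uid:f::::1700000000::::Alice (build bot) <bot@example.org>:
sig:::1:2222222222222222:1700000200::::Signer <signer@example.org>:10x:
sub:f:3072:1:3333333333333333:1700000000::::::e:
sig:::1:1111111111111111:1700000000::::Alice Example <alice@example.org>:18x:
pub:f:3072:1:4444444444444444:1700000000:::-:::scESC:
uid:f::::1700000000::::Bob Example <bob@example.org>:
sig:::1:2222222222222222:1700000300::::Signer <signer@example.org>:13l:
"""

if __name__ == "__main__":
    for uid, level, local in certifications_by(SAMPLE, "2222222222222222"):
        print(f"level {level}{' (local)' if local else ''}: {uid}")
```

A trailing `l` in the class field marks a local, non-exportable signature, which never leaves the signer's keyring and so says nothing to third parties.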