-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

PGP Key Management Policy for Ethan Blanton
Last Updated: 2014-03-16

ACTIVE KEYS

I have two active, current PGP keys. They are:

pub   2048R/771FC72B 2009-05-09
      Key fingerprint = CB44 99AC EDDA D1AB D6E6  A2CA FF1F 8B16 771F C72B
uid                  Ethan Blanton
uid                  Ethan Blanton (Pidgin Developer)
uid                  Ethan Blanton (Ohio University CS)
uid                  Ethan Blanton (KB8OJH)
sub   2048R/1678C5B2 2009-05-09

pub   4096R/A1A8AD0E 2014-03-15
      Key fingerprint = 2A9A 7752 8B91 6586 6289  FD3D 6CA9 2AC6 A1A8 AD0E
uid                  Ethan Blanton (KB8OJH)
uid                  Ethan Blanton (Pidgin Developer)
sub   2048R/3622A63A 2014-03-15
sub   2048R/6C822274 2014-03-15

The second key, A1A8 AD0E, should be used for all current and future
communications until this document is updated or superseded. 771F C72B is
still valid, secure, and under my control; however, I have managed it using
a different policy than this one in the past, so its usage may be somewhat
different from my current key, A1A8 AD0E. Signatures created by 771F C72B
after the date of this document should not necessarily be considered
invalid, and can be assumed to use this policy unless otherwise indicated.

The primary key for A1A8 AD0E is stored only on a separate keyring, under
passphrase and on an encrypted volume, which is not normally available for
use. The subkeys attached to it are normally available for my use. The
primary key is stored only on a machine that is under my direct physical
control (that is, never on a laptop or other portable device, and never on
a hosted machine or at a third-party location). It is accessed only via
trusted devices and authenticated connections (e.g., ssh from a trusted
machine or the physical console).

INACTIVE KEYS

I have one inactive key which is not known to be compromised and should be
respected for all signatures produced before 2014-03-15:

pub   1024D/883C1C14 2000-12-03 [revoked: 2014-03-15]
      Key fingerprint = A290 14A8 C682 5C88 AE51  4787 AFD9 00F4 883C 1C14
uid                  Ethan Blanton (psg.com)
uid                  Ethan Blanton (Purdue Computer Science)
uid                  Ethan Blanton (OU Computer Science)
uid                  Ethan Blanton (Pidgin Developer)

This key has been retired due to its inadequate primary key size and
characteristics. It is a relatively well-connected key, however, and I
continue to trust key signatures made by it in the past. Its key signing
policy may be different from the policy in this document; unless you have
reason to believe otherwise, you should assume that signatures made by this
key are equivalent to Verification Level 1, below.

I have one older key, AD4C AFDD, which has been inactive for well over 10
years. It is not known to be compromised, but signatures from it should NOT
be trusted, as I no longer have the passphrase for its private key
material. It should not be used for any purpose.

SIGNING POLICY

I make use of verification levels when signing keys. Signatures without
verification levels (or with verification level 0) are not necessarily
invalid, as I may have declined to include a verification level for some
non-technical reason. Therefore, unless you have reason to believe
otherwise, signatures without a verification level should be assumed to be
no more closely verified than level 1.

Verification Level 1 ("I have not checked at all"): This indicates that I
have moderately sound personal reasons to trust a key under the control of
an individual, but that I have either not verified the individual's
identity closely, the owner is pseudonymous, or I have reason to believe
that the key is not managed tightly (e.g., it is used for automated
signatures or is available on a public machine). Alternately, it may mean
that I have sound reasons to trust the key, but it is managed by a group,
with multiple users having access to the private key material.

Verification Level 2 ("I have done casual checking"): A signature with
verification level 2 means that I have verified the identity of the key
owner via either government-issued photo ID (preferably, but not
necessarily, two forms) or equivalent, or that the identity of the key
owner has been personally confirmed by a trusted third party. (This does
not include cross-signatures on keys; it does include personal
introductions.)

Verification Level 3 ("I have done very careful checking"): This
verification level is reserved for individuals known personally to me for
an extended period of time. This includes friends, colleagues, and members
of projects with which I have been active for some time. Identity
verification for this level is at least as strong as Verification Level 2,
with the added component that I have personal experience and belief that
the individual is who they claim to be.

I do not currently make regular use of public trust levels on signed keys
(that is, GPG 'tsign'). Such signatures should be assumed valid, but the
policy attached to them is not well-defined.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----
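As an added illustration, not part of the signed policy above, the following Python applies the policy's verification levels to 'sig' records from `gpg --list-sigs --with-colons` (the GnuPG prompts quoted in the policy correspond to the OpenPGP certification classes 0x11, 0x12 and 0x13, and 0x10 is a signature with no level stated). The key IDs and dates are those listed in the policy; the sig records and the unknown signer 0123456789ABCDEF are constructed, and capping 771F C72B signatures made before the policy date at level 1 is this example's assumption, not the policy's.

```python
# Added example (not part of the signed policy above): apply its verification
# levels to 'sig' records from `gpg --list-sigs --with-colons`. Key IDs and
# dates come from the policy; sig records are constructed. Capping 771F C72B
# sigs made before the policy date at level 1 is this example's assumption.
from datetime import datetime, timezone, date

# Long key IDs are the low 64 bits of the fingerprints listed in the policy.
CURRENT_KEY = "6CA92AC6A1A8AD0E"       # A1A8 AD0E, managed under this policy
OLDER_ACTIVE_KEY = "FF1F8B16771FC72B"  # 771F C72B, this policy from 2014-03-16
RETIRED_KEY = "AFD900F4883C1C14"       # 883C 1C14, revoked; old sigs ~ level 1
POLICY_DATE = date(2014, 3, 16)
# OpenPGP certification class (colon field 11, e.g. "13x") -> level.
# 0x10 states no level; the policy says to assume no better than level 1.
CLASS_TO_LEVEL = {"10": 1, "11": 1, "12": 2, "13": 3}

def short_id_matches(fingerprint: str, short_id: str) -> bool:
    """A key ID must be the trailing hex digits of the full fingerprint."""
    fp = fingerprint.replace(" ", "").upper()
    return fp.endswith(short_id.replace(" ", "").upper())

def effective_level(sig_record: str):
    """Level to assume for one 'sig' record; None if the policy is silent."""
    f = sig_record.split(":")
    if f[0] != "sig":
        raise ValueError("not a sig record")
    keyid, sig_class = f[4].upper(), f[10][:2]
    created = datetime.fromtimestamp(int(f[5]), tz=timezone.utc).date()
    level = CLASS_TO_LEVEL.get(sig_class)
    if level is None:            # e.g. 0x1F direct or 0x30 revocation
        return None
    if keyid == RETIRED_KEY:
        return 1                 # policy: treat as Verification Level 1
    if keyid == CURRENT_KEY:
        return level
    if keyid == OLDER_ACTIVE_KEY:
        return level if created >= POLICY_DATE else min(level, 1)
    return None                  # signer not covered by this policy

def levels(output: str) -> list:
    """(signer key ID, assumed level) for every sig record in gpg output."""
    return [(r.split(":")[4], effective_level(r))
            for r in output.splitlines() if r.startswith("sig:")]

# Constructed sample of `gpg --list-sigs --with-colons` output on some key.
SAMPLE = """\
sig:::1:6CA92AC6A1A8AD0E:1400000000::::Alice <alice@example.invalid>:13x:::::::::
sig:::1:6CA92AC6A1A8AD0E:1400000000::::Bob <bob@example.invalid>:10x:::::::::
sig:::17:AFD900F4883C1C14:1300000000::::Carol <carol@example.invalid>:13x:::::::::
sig:::1:0123456789ABCDEF:1400000000::::Dave <dave@example.invalid>:13x:::::::::
"""
```

short_id_matches is the consistency check worth running on any key listing like the ones above: the short ID printed on the pub line must be the tail of the fingerprint, otherwise the listing has been mis-transcribed.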