GnuPG Key Policy – Schlüsselrichtlinie

(Hans-Dieter) Oliver Kaluzny
ok.gpg[ät]qyyp.de

18th Apr 2021 – V1.1
GnuPG Key Policy
In General
The latest version and its signature can be found here:

https://qyyp.de/gnupg/oliver_kaluzny_0x84709B559B7EAE58/

All updates about my keys can be tracked here:

https://www.qyyp.de/gnupg/

Currently Valid Keys
For all GPG-encrypted communication, the following key with its subkeys is used.

pub brainpoolP512r1/0x84709B559B7EAE58 2021-04-17 [SC] [expires: 2026-04-16]
Schl.-Fingerabdruck = 26E0 795E 58DC 6C56 7AD4 A481 8470 9B55 9B7E AE58
uid [ ultimativ ] Oliver Kaluzny [ok.gpg(ät)qyyp.de]
uid [ ultimativ ] Oliver Kaluzny
sub brainpoolP256r1/0x1899B9D1A3F9F2B5 2021-04-17 [E] [expires: 2023-04-17]
sub brainpoolP256r1/0x9F21C834CDA4797C 2021-04-17 [S] [expires: 2023-04-17]
Please kindly refrain from using any other keys – especially not those generated
before 17th Apr 2021 – since communication using any keys other than the
above cannot be handled.

Invalid, Expired or Revoked Keys

Please do not use the following keys for communication anymore; they were formerly published on this webspace:

brainpoolP512r1/0xC14303C5C50C609E 2019-03-28 [SC] [expired: 2021-03-27]
Fingerprint = A7EF 265C 1ABA AABE 8927 A95B C143 03C5 C50C 609E
brainpoolP256r1/0x0361D308E4F02CDA 2019-03-28 [S] [expired: 2020-03-27]
brainpoolP256r1/0x933DA7128E768025 2019-03-28 [E] [expired: 2020-03-27]

These Keys are not valid anymore.

Offline-Computer
Offline computer in this key policy means:
The OS and data partitions of the offline computer are encrypted.
The computer is kept offline at all times after setup and is used for GPG and
other certificates only.

Secret-Offline-Master-Key
The Secret-Offline-Master-Key was generated and is stored on an offline computer only.
It won’t be moved to any unencrypted or network-connected device.
The capabilities of the Offline-Master-Key are ‘sign’ and ‘certify’ only,
never ‘encrypt’ or ‘authenticate’.
The ‘sign’ capability is only used to sign a transition statement
in case the Offline-Master-Key or one of its sub-keys is revoked
(see ‘Transition’ below).
The ‘certify’ capability is only used to create new sub-keys or UIDs, or to
certify UIDs contained in other people’s public keys.

Secret-Sub-Keys
The Secret-Sub-Keys are generated and stored as a copy in the same way as the
Offline-Master-Key. The Secret-Sub-Keys are used only on an encrypted
offline computer or via a smartcard. For each capability its own sub-key is
created (‘sign’, ‘encrypt’).

Self-Signature
The self-signature of the key contains the web address of this webspace.

Expiration
The Master-Key expires after 5 (five) years and its sub-keys expire after 2 (two) years.
A new self-signature with a new expiration date 1-3 (one to three) years in the
future will be created. The old self-signature will be deleted and only the
new self-signature will remain stored.
The updated Secret-Sub-Keys will be copied from the offline computer
to a smartcard. The corresponding updated public keys will be published on this webspace. Sorry, no public keyservers will be used.

UIDs
For the email address which is currently active, a UID is created by the
master key on the corresponding secure device (see ‘Secret-Offline-Master-Key’ above).
As soon as an email address associated with a UID becomes inactive, that UID
is revoked by the master key.

Public Keys
For transferring public keys from the secure device, only a clean
USB stick is used.
The public keys can be found only on this webspace.

Transition
In case the master key needs to be replaced, a transition statement will state which
old key is revoked and which new one is used instead.
That transition statement will be signed with the old master key
and uploaded to:
https://www.qyyp.de/gnupg/transition

Revocation
When a sub-key is considered insecure, it is revoked via a revocation certificate.
Then a new sub-key is generated as a replacement.
In case the master key is considered insecure, all contained sub-keys and the
master key itself are revoked.
Afterwards the revocation certificates and the new public key are exported
to the USB stick, transferred to the internet-connected device and pushed to
the keyservers (see chapter ‘Public Keys’).
Revocation certificates will be stored at:
https://www.qyyp.de/gpg/revocations/.rev
Then the smartcard is updated with the new keys.
Revoked keys (especially sub-keys with the ‘encrypt’ capability) are never
deleted, so that content which was encrypted before revocation can still be
decrypted afterwards.

Key Signing
Certificates are valid for at most three years. In case the key to be
signed expires earlier, the certificate expires at the same expiration date.
Please kindly accept and be aware that I only certify with level 3
and not less than level 3.
For level 3 certifications, there must be a meeting in person, where the
– key’s main UID and fingerprint have to be provided on paper
– main UID has been validated with a passport, identity card or driver’s license
After the meeting a signed email has to be sent from every UID to be signed to
my primary UID. That is to have a small proof that the candidate owns those
email address(es).
In that case it gets certified with level 3.
Candidates will get a signed and encrypted email in reply, with their
public key attached, updated with my signature(s).

Key Server
Due to the risk of spam, and because fake keys and old keys cannot be deleted, keyservers are not used.

Key 0x84709B559B7EAE58:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mJMEYHtq8BMJKyQDAwIIAQENBAMEDEUqT9NRloj7OHAReaWUFZwUZpR8Wmf3Ohmc
WC8NvWWqxRJqgVFQyGz3fy0gFjWbDEuJdB7IV6Ca/DK/NjGMdDtmrXSuz/LKC9oA
EWbgilo6q4Ty6nWvTdcSQXM1fEXbdKnLjkOgzm7PABhblyAS5Td+R1i0de6IHAMG
kl7DGm60H09saXZlciBLYWx1em55IDxvay5ncGdAcXl5cC5kZT6JAQsEExMKAHMW
IQQm4HleWNxsVnrUpIGEcJtVm36uWAUCYHtvpzkaaHR0cHM6Ly9xeXlwLmRlL2du
dXBnL29saXZlcl9rYWx1em55XzB4ODQ3MDlCNTU5QjdFQUU1OC8CGwMFCQlmAYAE
CwkIBwQVCgkIAhYAAh4BAheAAAoJEIRwm1Wbfq5Y3HACAKEDquLjdXoxAdn5VU7k
6QmLm7uNrE5VNUqlkvgn5zY69Nx5awcVDFDgpHs7eyZygUah9Trm9qab2jtkna8z
WPAB/145Nuc8iWRU86Xc4XPSlOVvGOL/7IYhNBURq5U7+Q0UfBqN5k06x9yurc5J
NOObCrogCJTntAGx1Zg5fWvIJrO0Dk9saXZlciBLYWx1em55iQELBBMTCgBzFiEE
JuB5XljcbFZ61KSBhHCbVZt+rlgFAmB7b6c5Gmh0dHBzOi8vcXl5cC5kZS9nbnVw
Zy9vbGl2ZXJfa2FsdXpueV8weDg0NzA5QjU1OUI3RUFFNTgvAhsDBQkJZgGABAsJ
CAcEFQoJCAIWAAIeAQIXgAAKCRCEcJtVm36uWIGjAfsEvmLQEDKcD4n7IZ/fAhKy
sOUY4cPxjoCtpevuwyY/w8QgEVMx/wkxEMqmCNkDFZb40szepwhmA55nb2USVHhh
AgCchZ+JPWtXTZH7t66Obmq2EPQowWniEyGKyNsmGoMJRcRw0I13h3DSmfmVhSYC
ICt72vbAlDFrzQ5qnLu48GNeuFcEYHt0LBIJKyQDAwIIAQEHAgMEDiYQUBIY6/Xe
KL4t+wgyqnYu7cwsUJERymQyrHK5mlE6q4AjMG3celi/ZF93fVSFigLI27gOqhww
h4tw7fDe1QMBCAeI+AQYEwoAYBYhBCbgeV5Y3GxWetSkgYRwm1Wbfq5YBQJge3Qs
ORpodHRwczovL3F5eXAuZGUvZ251cGcvb2xpdmVyX2thbHV6bnlfMHg4NDcwOUI1
NTlCN0VBRTU4LwIbDAUJA8JnAAAKCRCEcJtVm36uWA4eAf98iSVV4xZACd7Mlqrj
Cht75ACCbDRPi0aq/6JpsVeiqlpEgoIvDeFF6qouBBl0npRsyC3+02Ln4GM+MfcW
3bcUAf0eDj/nb2KigymDGApB+Fkzf9S/i9CYRVcLq6h1GAlyutQRZletsYr/AO2K
RkQEgykwhnOgLg8L954Eexw/n2GRuFMEYHt0cRMJKyQDAwIIAQEHAgMEYb8OCShR
9uQmU4EzA5lOCf2UeNxKd42AR280Dw8zfY0T4lTaTy5M4PHIhi2IeamkiWZdZkUv
yZHXMxl7Nu+BNIkBqQQYEwoAYBYhBCbgeV5Y3GxWetSkgYRwm1Wbfq5YBQJge3Rx
ORpodHRwczovL3F5eXAuZGUvZ251cGcvb2xpdmVyX2thbHV6bnlfMHg4NDcwOUI1
NTlCN0VBRTU4LwIbAgUJA8JnAAC7CRCEcJtVm36uWLAgBBkTCgBXFiEEBTOwcfYw
i+nS3TdknyHINM2keXwFAmB7dHE5Gmh0dHBzOi8vcXl5cC5kZS9nbnVwZy9vbGl2
ZXJfa2FsdXpueV8weDg0NzA5QjU1OUI3RUFFNTgvAAoJEJ8hyDTNpHl8KvYA/3Yd
prKnfu+s+IZnCmw2YXefzwpckUJHaOEbtwKqOCbEAPsGqyK8NyTYMYz0wv5VpxCf
arbtQQGKAFskHlpqB5lDM+5vAf937AAPkKVhAZQInd247AXCVSCRHDRUDenfF3wd
OcGhEsxmf5Mt4RY7khSk3Si9tmWUZy5gqCRlG0696pC/sSfSAf4oNhddHr9zXZaI
KG9hgPl/zehWdkKtJLMsEtNh5/M+sCOnHq3RFVKvpcrkgFXiSOqdfqSw+wr7rE+F
Ig32s1uuuFMEYHt0qhMJKyQDAwIIAQEHAgMEW4QUDKwGTrYkLCUFxJTbgonmk+4x
rVZPQGqk4SG6GyQ8eECvblw/LhqR2s/e9Lud5U6qXnyKeHhozUODEDCHNIj4BBgT
CgBgFiEEJuB5XljcbFZ61KSBhHCbVZt+rlgFAmB7dKo5Gmh0dHBzOi8vcXl5cC5k
ZS9nbnVwZy9vbGl2ZXJfa2FsdXpueV8weDg0NzA5QjU1OUI3RUFFNTgvAhsgBQkD
wmcAAAoJEIRwm1Wbfq5YUIcCAKJ9R4JGiUeT/eVGHRH/D38mMeqg4La/e5gCRwVt
ZSr1m9i5t1XxekswdH27XegE61jquFcramURpO4nZfBurukB/3/ycn+gizjUxOY4
sn5RX2nHLirdOT+erQVeCUTkom19b61MHUTj86ibmqgxB+xmI3B3nXgwzZbMmm+N
XC73BXE=
=ZGwb
-----END PGP PUBLIC KEY BLOCK-----
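As an added example (not part of the policy, and not the author's code), the following Python script checks the key block above against the statements of this policy without calling gpg: it dearmors the block, verifies the armor's CRC-24 trailer, walks the OpenPGP packets, computes the v4 fingerprint of the primary key, and reads the capability flags, the expiry and the policy URL from the self-signatures, so the result can be compared line by line with the listing under ‘Currently Valid Keys’, with the 5-year / 2-year expiry rule and with the ‘Self-Signature’ section. The curve names, algorithm names and flag letters are the standard RFC 4880 / RFC 6637 values; the key block is the one published above, copied with its base64 lines joined eight per line. Running it also shows that the block carries a third subkey whose only flag is ‘authenticate’, which the gpg listing above does not show.

```python
import base64, hashlib, struct
from datetime import datetime, timezone

# Copy of the key block published on the page; base64 lines joined eight per line (decoder ignores whitespace).
KEY_BLOCK = """-----BEGIN PGP PUBLIC KEY BLOCK-----

mJMEYHtq8BMJKyQDAwIIAQENBAMEDEUqT9NRloj7OHAReaWUFZwUZpR8Wmf3OhmcWC8NvWWqxRJqgVFQyGz3fy0gFjWbDEuJdB7IV6Ca/DK/NjGMdDtmrXSuz/LKC9oAEWbgilo6q4Ty6nWvTdcSQXM1fEXbdKnLjkOgzm7PABhblyAS5Td+R1i0de6IHAMGkl7DGm60H09saXZlciBLYWx1em55IDxvay5ncGdAcXl5cC5kZT6JAQsEExMKAHMWIQQm4HleWNxsVnrUpIGEcJtVm36uWAUCYHtvpzkaaHR0cHM6Ly9xeXlwLmRlL2dudXBnL29saXZlcl9rYWx1em55XzB4ODQ3MDlCNTU5QjdFQUU1OC8CGwMFCQlmAYAECwkIBwQVCgkIAhYAAh4BAheAAAoJEIRwm1Wbfq5Y3HACAKEDquLjdXoxAdn5VU7k6QmLm7uNrE5VNUqlkvgn5zY69Nx5awcVDFDgpHs7eyZygUah9Trm9qab2jtkna8z
WPAB/145Nuc8iWRU86Xc4XPSlOVvGOL/7IYhNBURq5U7+Q0UfBqN5k06x9yurc5JNOObCrogCJTntAGx1Zg5fWvIJrO0Dk9saXZlciBLYWx1em55iQELBBMTCgBzFiEEJuB5XljcbFZ61KSBhHCbVZt+rlgFAmB7b6c5Gmh0dHBzOi8vcXl5cC5kZS9nbnVwZy9vbGl2ZXJfa2FsdXpueV8weDg0NzA5QjU1OUI3RUFFNTgvAhsDBQkJZgGABAsJCAcEFQoJCAIWAAIeAQIXgAAKCRCEcJtVm36uWIGjAfsEvmLQEDKcD4n7IZ/fAhKysOUY4cPxjoCtpevuwyY/w8QgEVMx/wkxEMqmCNkDFZb40szepwhmA55nb2USVHhhAgCchZ+JPWtXTZH7t66Obmq2EPQowWniEyGKyNsmGoMJRcRw0I13h3DSmfmVhSYCICt72vbAlDFrzQ5qnLu48GNeuFcEYHt0LBIJKyQDAwIIAQEHAgMEDiYQUBIY6/Xe
KL4t+wgyqnYu7cwsUJERymQyrHK5mlE6q4AjMG3celi/ZF93fVSFigLI27gOqhwwh4tw7fDe1QMBCAeI+AQYEwoAYBYhBCbgeV5Y3GxWetSkgYRwm1Wbfq5YBQJge3QsORpodHRwczovL3F5eXAuZGUvZ251cGcvb2xpdmVyX2thbHV6bnlfMHg4NDcwOUI1NTlCN0VBRTU4LwIbDAUJA8JnAAAKCRCEcJtVm36uWA4eAf98iSVV4xZACd7MlqrjCht75ACCbDRPi0aq/6JpsVeiqlpEgoIvDeFF6qouBBl0npRsyC3+02Ln4GM+MfcW3bcUAf0eDj/nb2KigymDGApB+Fkzf9S/i9CYRVcLq6h1GAlyutQRZletsYr/AO2KRkQEgykwhnOgLg8L954Eexw/n2GRuFMEYHt0cRMJKyQDAwIIAQEHAgMEYb8OCShR9uQmU4EzA5lOCf2UeNxKd42AR280Dw8zfY0T4lTaTy5M4PHIhi2IeamkiWZdZkUv
yZHXMxl7Nu+BNIkBqQQYEwoAYBYhBCbgeV5Y3GxWetSkgYRwm1Wbfq5YBQJge3RxORpodHRwczovL3F5eXAuZGUvZ251cGcvb2xpdmVyX2thbHV6bnlfMHg4NDcwOUI1NTlCN0VBRTU4LwIbAgUJA8JnAAC7CRCEcJtVm36uWLAgBBkTCgBXFiEEBTOwcfYwi+nS3TdknyHINM2keXwFAmB7dHE5Gmh0dHBzOi8vcXl5cC5kZS9nbnVwZy9vbGl2ZXJfa2FsdXpueV8weDg0NzA5QjU1OUI3RUFFNTgvAAoJEJ8hyDTNpHl8KvYA/3YdprKnfu+s+IZnCmw2YXefzwpckUJHaOEbtwKqOCbEAPsGqyK8NyTYMYz0wv5VpxCfarbtQQGKAFskHlpqB5lDM+5vAf937AAPkKVhAZQInd247AXCVSCRHDRUDenfF3wdOcGhEsxmf5Mt4RY7khSk3Si9tmWUZy5gqCRlG0696pC/sSfSAf4oNhddHr9zXZaI
KG9hgPl/zehWdkKtJLMsEtNh5/M+sCOnHq3RFVKvpcrkgFXiSOqdfqSw+wr7rE+FIg32s1uuuFMEYHt0qhMJKyQDAwIIAQEHAgMEW4QUDKwGTrYkLCUFxJTbgonmk+4xrVZPQGqk4SG6GyQ8eECvblw/LhqR2s/e9Lud5U6qXnyKeHhozUODEDCHNIj4BBgTCgBgFiEEJuB5XljcbFZ61KSBhHCbVZt+rlgFAmB7dKo5Gmh0dHBzOi8vcXl5cC5kZS9nbnVwZy9vbGl2ZXJfa2FsdXpueV8weDg0NzA5QjU1OUI3RUFFNTgvAhsgBQkDwmcAAAoJEIRwm1Wbfq5YUIcCAKJ9R4JGiUeT/eVGHRH/D38mMeqg4La/e5gCRwVtZSr1m9i5t1XxekswdH27XegE61jquFcramURpO4nZfBurukB/3/ycn+gizjUxOY4sn5RX2nHLirdOT+erQVeCUTkom19b61MHUTj86ibmqgxB+xmI3B3nXgwzZbMmm+NXC73BXE=
=ZGwb
-----END PGP PUBLIC KEY BLOCK-----"""
CURVES = {"2b240303020801010d": "brainpoolP512r1", "2b2403030208010107": "brainpoolP256r1"}
ALGOS = {18: "ECDH", 19: "ECDSA"}
FLAGS = ((0x02, "S"), (0x01, "C"), (0x0C, "E"), (0x20, "A"))  # key-flag bits -> gpg's capability letters

def crc24(data):                                         # armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text):                                       # strip armor, decode, verify the CRC-24 trailer
    inner = [ln.strip() for ln in text.strip().splitlines()[1:-1]]
    data = base64.b64decode("".join(ln for ln in inner if ln and ln[0] != "=" and ":" not in ln))
    trailer = next(ln for ln in inner if ln.startswith("="))
    if crc24(data) != int.from_bytes(base64.b64decode(trailer[1:]), "big"):
        raise ValueError("armor CRC-24 mismatch: block altered or mis-copied")
    return data

def new_length(buf, i, subpacket=False):                 # RFC 4880 4.2.2 (packets) / 5.2.3.1 (subpackets)
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 224 or (subpacket and first < 255):
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths not supported")

def packets(data):                                       # yield (tag, body) for every packet in the stream
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40:                                   # new-format header
            tag, (length, i) = ctb & 0x3F, new_length(data, i + 1)
        else:                                            # old-format header with a 1/2/4-byte length
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def key_info(body):                                      # v4 public (sub)key packet
    if body[0] != 4:
        raise ValueError("only v4 keys handled")
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    oid = body[7:7 + body[6]].hex() if body[5] in (18, 19, 22) else ""   # ECC algorithms carry a curve OID
    return {"fingerprint": fpr, "keyid": "0x" + fpr[-16:], "created": struct.unpack(">I", body[1:5])[0],
            "algo": ALGOS.get(body[5], str(body[5])), "curve": CURVES.get(oid, oid)}

def sig_info(body):                                      # hashed subpackets of a v4 signature
    info, i, end = {"sigtype": body[1]}, 6, 6 + struct.unpack(">H", body[4:6])[0]
    while i < end:
        n, i = new_length(body, i, subpacket=True)
        stype, val = body[i] & 0x7F, body[i + 1:i + n]   # bit 7 of the type byte is the "critical" flag
        if stype == 27:                                  # key flags
            info["flags"] = "".join(s for bit, s in FLAGS if val[0] & bit)
        elif stype == 9:                                 # key expiration time, seconds after key creation
            info["expire_secs"] = struct.unpack(">I", val)[0]
        elif stype == 26:                                # policy URL
            info["policy_url"] = val.decode()
        i += n
    return info

def date(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d")

def summarize(armored=KEY_BLOCK):                        # roughly what gpg --list-keys prints for the block
    keys, uids = [], []
    for tag, body in packets(dearmor(armored)):
        if tag in (6, 14):                               # public key, public subkey
            keys.append(key_info(body))
        elif tag == 13:                                  # user ID
            uids.append(body.decode())
        elif tag == 2:                                   # signature
            sig = sig_info(body)
            is_cert = 0x10 <= sig["sigtype"] <= 0x13 and "flags" not in keys[0]
            if not (is_cert or sig["sigtype"] == 0x18):
                continue
            key = keys[0] if is_cert else keys[-1]      # UID self-cert -> primary, binding sig -> last subkey
            key["flags"], key["policy_url"] = sig.get("flags", ""), sig.get("policy_url")
            key["expires"] = date(key["created"] + sig["expire_secs"]) if "expire_secs" in sig else None
    for key in keys:
        key["created"] = date(key["created"])
    return {"primary": keys[0], "uids": uids, "subkeys": keys[1:]}
```

Save it as keycheck.py and run `python3 -c 'import keycheck, pprint; pprint.pprint(keycheck.summarize())'`. A mis-copied base64 line fails the CRC-24 check before any packet is parsed; the fingerprint it computes is the value to compare with the one handed over on paper at a key-signing meeting, and the flags and expiry dates are the values to compare with the rules stated in ‘Secret-Offline-Master-Key’ and ‘Expiration’.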