Add key signing policy and key security info
All checks were successful
continuous-integration/drone/push Build is passing
parent
fe8781940f
commit
1529cb07aa
113
content/keys.md
|
@ -21,6 +21,98 @@ sub ed25519/0x899C7CF4B526656F 2022-05-28 [A] [expires: 2022-11-24]
|
|||
|
||||
You can download it [here](/pgp.asc) or from your preferred keyserver.
|
||||
|
||||
<details>
|
||||
<summary>
|
||||
How I keep my private key safe
|
||||
</summary>
|
||||
|
||||
### Master key
|
||||
|
||||
My private master key is only used for the following purposes:
|
||||
|
||||
* Add or revoke UIDs
|
||||
* Add or revoke subkeys
|
||||
* Change expiry for subkeys or the master key itself
|
||||
* Sign other keys
|
||||
|
||||
My private master key is only ever accessed on an airgapped machine,
|
||||
with no internet or wireless communication capabilities, no camera or
|
||||
microphone and no persistent storage. This airgapped machine is booted
|
||||
with the latest version of [Tails OS](https://tails.boum.org). The
|
||||
master key is protected by a long and secure passphrase and stored on
|
||||
an encrypted storage medium, which itself is stored in a safe place.
|
||||
|
||||
### Subkeys
|
||||
|
||||
My subkeys are stored on an OpenPGP smartcard for daily use. The
|
||||
smartcard makes sure that the local machine never has direct access to
|
||||
the keys. It is protected by a pin-code and requires a physical touch
|
||||
on every cryptographic operation.
|
||||
|
||||
### Revocation and expiry
|
||||
|
||||
I usually set my master key to be valid for 2 years at a time. I will
|
||||
always extend it at least 1 week prior to the expiry date. The same
|
||||
goes for my subkeys, which are set to be valid for 6 months at a time.
|
||||
|
||||
If my keys are ever compromised, I have a revocation certificate,
|
||||
stored in a safe, that I will publish to this website and various
|
||||
keyservers.
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
<summary>
|
||||
Key signing policy
|
||||
</summary>
|
||||
|
||||
### Certification levels
|
||||
|
||||
These are the certification levels I use to sign other keys, and the
|
||||
requirements for each level.
|
||||
|
||||
#### Level 0: Generic verification (`sig`/`0x10`)
|
||||
|
||||
This certification level is used if I have somehow verified that you
|
||||
are in control of the email address(es) of the UID(s) to be signed.
|
||||
No assertions are made about your identity.
|
||||
|
||||
#### Level 1: No verification (`sig1`/`0x11`)
|
||||
|
||||
This certification level is used when I have not safely verified you
|
||||
as the keyholder, but I merely _believe_ that you own the key in
|
||||
question.
|
||||
|
||||
#### Level 2: Casual verification (`sig2`/`0x12`)
|
||||
|
||||
This certification level is used when I have verified your identity
|
||||
with at least one form of photo ID (government-issued or equally
|
||||
secure), that your identity matches that of the UID(s) to be signed,
|
||||
and that you are in control of the email address(es) of the UID(s) to
|
||||
be signed.
|
||||
|
||||
#### Level 3: Extensive verification (`sig3`/`0x13`)
|
||||
|
||||
This certification level is used when I am _absolutely sure_ that you
|
||||
are in fact the keyholder. This means that either you are someone I
|
||||
know personally and trust, or that someone I ultimately trust have
|
||||
notified me that you want a signature and have given me your key
|
||||
fingerprint in a secure manner.
|
||||
|
||||
### Signing process
|
||||
|
||||
The signing process consists of 2 steps:
|
||||
|
||||
1) Verification will take place either in person or over video call.
|
||||
If we meet in person, you will give me a physical copy of your key
|
||||
fingerprint. If verification takes place over video call, you will
|
||||
give me your key fingerprint verbally.
|
||||
2) You will have to send me your public key from the email address
|
||||
associated with one of the UIDs to be signed. I will then sign the
|
||||
key and send it back to the same email address in encrypted form.
|
||||
|
||||
</details>
|
||||
|
||||
## SSH key
|
||||
|
||||
If you need to give me shell access to your server or similar, please
|
||||
|
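Review bot: The "Signing process" section never says that the fingerprint collected in step 1 is compared against the key received by email in step 2, and that comparison is the check that ties the verified person to the key being signed. Suggest adding a sentence to step 2 such as "I will check that the fingerprint of the key I receive matches the one you gave me in step 1 before signing." Also in step 2, the key only has to be sent from "one of the UIDs to be signed" and is returned to "the same email address", while Levels 0 and 2 require control of "the email address(es) of the UID(s) to be signed"; as written, only one address is ever exercised, so either state that each UID is verified separately or limit the signature to the UID whose address was used. Minor wording in Level 3: "someone I ultimately trust have notified me" should read "has notified me ... and has given me".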
@ -30,4 +122,25 @@ use the following public SSH key:
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf samsapti_yubikey_ssh
|
||||
```
|
||||
|
||||
<details>
|
||||
<summary>
|
||||
PGP signed version
|
||||
</summary>
|
||||
|
||||
```txt
|
||||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA512
|
||||
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf samsapti_yubikey_ssh
|
||||
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iHUEARYKAB0WIQR1jxoXyANf2TkSyeLLu+c3HoHE6gUCYqeuFwAKCRDLu+c3HoHE
|
||||
6tTqAQDhUokTzNxn4h06UKCbggtTG3EpMrbgNT2HUQugpD6t7gEA6IleDY/aubyT
|
||||
Giy/YDkzUoJlVghNq0rU+DcSC1dLzQs=
|
||||
=FjyX
|
||||
-----END PGP SIGNATURE-----
|
||||
```
|
||||
</details>
|
||||
|
||||
You can download it [here](/ssh.pub).
|
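Review bot: The "PGP signed version" block does not say which key the signature should verify against, so a reader has to infer that it is the PGP key published earlier on the same page. Suggest adding one line above the block that names the signing key by fingerprint or points to the PGP section. The download link after the block, "You can download it [here](/ssh.pub)", serves only the unsigned key; since a clearsigned message copied out of a rendered page can fail verification when whitespace or blank lines change, consider also publishing the signed text as a downloadable file next to /ssh.pub and linking it here.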