From 1529cb07aa3aa30b85582c1121513b951f1303a2 Mon Sep 17 00:00:00 2001 From: samsapti Date: Tue, 14 Jun 2022 01:46:43 +0200 Subject: [PATCH] Add key signing policy and key security info --- content/keys.md | 113 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 113 insertions(+) diff --git a/content/keys.md b/content/keys.md index a271069..a994b81 100644 --- a/content/keys.md +++ b/content/keys.md @@ -21,6 +21,98 @@ sub ed25519/0x899C7CF4B526656F 2022-05-28 [A] [expires: 2022-11-24] You can download it [here](/pgp.asc) or from your preferred keyserver. +
+ + How I keep my private key safe + + + ### Master key + + My private master key is only used for the following purposes: + + * Add or revoke UIDs + * Add or revoke subkeys + * Change expiry for subkeys or the master key itself + * Sign other keys + + My private master key is only ever accessed on an airgapped machine, + with no internet or wireless communication capabilities, no camera or + microphone and no persistent storage. This airgapped machine is booted + with the latest version of [Tails OS](https://tails.boum.org). The + master key is protected by a long and secure passphrase and stored on + an encrypted storage medium, which itself is stored in a safe place. + + ### Subkeys + + My subkeys are stored on an OpenPGP smartcard for daily use. The + smartcard makes sure that the local machine never has direct access to + the keys. It is protected by a pin-code and requires a physical touch + on every cryptographic operation. + + ### Revocation and expiry + + I usually set my master key to be valid for 2 years at a time. I will + always extend it at least 1 week prior to the expiry date. The same + goes for my subkeys, which are set to be valid for 6 months at a time. + + If my keys are ever compromised, I have a revocation certificate, + stored in a safe, that I will publish to this website and various + keyservers. + +
+ +
+ + Key signing policy + + + ### Certification levels + + These are the certification levels I use to sign other keys, and the + requirements for each level. + + #### Level 0: Generic verification (`sig`/`0x10`) + + This certification level is used if I have somehow verified that you + are in control of the email address(es) of the UID(s) to be signed. + No assertions are made about your identity. + + #### Level 1: No verification (`sig1`/`0x11`) + + This certification level is used when I have not safely verified you + as the keyholder, but I merely _believe_ that you own the key in + question. + + #### Level 2: Casual verification (`sig2`/`0x12`) + + This certification level is used when I have verified your identity + with at least one form of photo ID (government-issued or equally + secure), that your identity matches that of the UID(s) to be signed, + and that you are in control of the email address(es) of the UID(s) to + be signed. + + #### Level 3: Extensive verification (`sig3`/`0x13`) + + This certification level is used when I am _absolutely sure_ that you + are in fact the keyholder. This means that either you are someone I + know personally and trust, or that someone I ultimately trust have + notified me that you want a signature and have given me your key + fingerprint in a secure manner. + + ### Signing process + + The signing process consists of 2 steps: + + 1) Verification will take place either in person or over video call. + If we meet in person, you will give me a physical copy of your key + fingerprint. If verification takes place over video call, you will + give me your key fingerprint verbally. + 2) You will have to send me your public key from the email address + associated with one of the UIDs to be signed. I will then sign the + key and send it back to the same email address in encrypted form. + +
+ ## SSH key If you need to give me shell access to your server or similar, please @@ -30,4 +122,25 @@ use the following public SSH key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf samsapti_yubikey_ssh ``` +
+ + PGP signed version + + + ```txt + -----BEGIN PGP SIGNED MESSAGE----- + Hash: SHA512 + + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf samsapti_yubikey_ssh + + -----BEGIN PGP SIGNATURE----- + + iHUEARYKAB0WIQR1jxoXyANf2TkSyeLLu+c3HoHE6gUCYqeuFwAKCRDLu+c3HoHE + 6tTqAQDhUokTzNxn4h06UKCbggtTG3EpMrbgNT2HUQugpD6t7gEA6IleDY/aubyT + Giy/YDkzUoJlVghNq0rU+DcSC1dLzQs= + =FjyX + -----END PGP SIGNATURE----- + ``` +
+ You can download it [here](/ssh.pub). \ No newline at end of file