Add key signing policy and key security info
All checks were successful
continuous-integration/drone/push Build is passing
parent
fe8781940f
commit
1529cb07aa
113
content/keys.md
|
@ -21,6 +21,98 @@ sub ed25519/0x899C7CF4B526656F 2022-05-28 [A] [expires: 2022-11-24]
|
||||||
|
|
||||||
You can download it [here](/pgp.asc) or from your preferred keyserver.
|
You can download it [here](/pgp.asc) or from your preferred keyserver.
|
||||||
|
|
||||||
|
<details>
|
||||||
|
<summary>
|
||||||
|
How I keep my private key safe
|
||||||
|
</summary>
|
||||||
|
|
||||||
|
### Master key
|
||||||
|
|
||||||
|
My private master key is only used for the following purposes:
|
||||||
|
|
||||||
|
* Add or revoke UIDs
|
||||||
|
* Add or revoke subkeys
|
||||||
|
* Change expiry for subkeys or the master key itself
|
||||||
|
* Sign other keys
|
||||||
|
|
||||||
|
My private master key is only ever accessed on an airgapped machine,
|
||||||
|
with no internet or wireless communication capabilities, no camera or
|
||||||
|
microphone and no persistent storage. This airgapped machine is booted
|
||||||
|
with the latest version of [Tails OS](https://tails.boum.org). The
|
||||||
|
master key is protected by a long and secure passphrase and stored on
|
||||||
|
an encrypted storage medium, which itself is stored in a safe place.
|
||||||
|
|
||||||
|
### Subkeys
|
||||||
|
|
||||||
|
My subkeys are stored on an OpenPGP smartcard for daily use. The
|
||||||
|
smartcard makes sure that the local machine never has direct access to
|
||||||
|
the keys. It is protected by a pin-code and requires a physical touch
|
||||||
|
on every cryptographic operation.
|
||||||
|
|
||||||
|
### Revocation and expiry
|
||||||
|
|
||||||
|
I usually set my master key to be valid for 2 years at a time. I will
|
||||||
|
always extend it at least 1 week prior to the expiry date. The same
|
||||||
|
goes for my subkeys, which are set to be valid for 6 months at a time.
|
||||||
|
|
||||||
|
If my keys are ever compromised, I have a revocation certificate,
|
||||||
|
stored in a safe, that I will publish to this website and various
|
||||||
|
keyservers.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
<details>
|
||||||
|
<summary>
|
||||||
|
Key signing policy
|
||||||
|
</summary>
|
||||||
|
|
||||||
|
### Certification levels
|
||||||
|
|
||||||
|
These are the certification levels I use to sign other keys, and the
|
||||||
|
requirements for each level.
|
||||||
|
|
||||||
|
#### Level 0: Generic verification (`sig`/`0x10`)
|
||||||
|
|
||||||
|
This certification level is used if I have somehow verified that you
|
||||||
|
are in control of the email address(es) of the UID(s) to be signed.
|
||||||
|
No assertions are made about your identity.
|
||||||
|
|
||||||
|
#### Level 1: No verification (`sig1`/`0x11`)
|
||||||
|
|
||||||
|
This certification level is used when I have not safely verified you
|
||||||
|
as the keyholder, but I merely _believe_ that you own the key in
|
||||||
|
question.
|
||||||
|
|
||||||
|
#### Level 2: Casual verification (`sig2`/`0x12`)
|
||||||
|
|
||||||
|
This certification level is used when I have verified your identity
|
||||||
|
with at least one form of photo ID (government-issued or equally
|
||||||
|
secure), that your identity matches that of the UID(s) to be signed,
|
||||||
|
and that you are in control of the email address(es) of the UID(s) to
|
||||||
|
be signed.
|
||||||
|
|
||||||
|
#### Level 3: Extensive verification (`sig3`/`0x13`)
|
||||||
|
|
||||||
|
This certification level is used when I am _absolutely sure_ that you
|
||||||
|
are in fact the keyholder. This means that either you are someone I
|
||||||
|
know personally and trust, or that someone I ultimately trust have
|
||||||
|
notified me that you want a signature and have given me your key
|
||||||
|
fingerprint in a secure manner.
|
||||||
|
|
||||||
|
### Signing process
|
||||||
|
|
||||||
|
The signing process consists of 2 steps:
|
||||||
|
|
||||||
|
1) Verification will take place either in person or over video call.
|
||||||
|
If we meet in person, you will give me a physical copy of your key
|
||||||
|
fingerprint. If verification takes place over video call, you will
|
||||||
|
give me your key fingerprint verbally.
|
||||||
|
2) You will have to send me your public key from the email address
|
||||||
|
associated with one of the UIDs to be signed. I will then sign the
|
||||||
|
key and send it back to the same email address in encrypted form.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
## SSH key
|
## SSH key
|
||||||
|
|
||||||
If you need to give me shell access to your server or similar, please
|
If you need to give me shell access to your server or similar, please
|
||||||
|
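Review bot: Step 2 of the signing process only proves control of one address ("from the email address associated with one of the UIDs to be signed"), while Level 0 and Level 2 both state that control of the email address(es) of the UID(s) to be signed was verified. For a key with several UIDs, consider stating that the signature on each UID is sent, encrypted, to that UID's own address, so every signed address has demonstrably been able to decrypt its signature. The steps also do not say where the photo ID check required by Level 2 takes place; naming it in step 1 would close that gap. Minor: in Level 3, "someone I ultimately trust have notified me" should read "has notified me", and because Level 0 (`0x10`) asserts more than Level 1 (`0x11`), a sentence noting that the numbering follows the OpenPGP signature types rather than increasing assurance would prevent misreading.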
@ -30,4 +122,25 @@ use the following public SSH key:
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf samsapti_yubikey_ssh
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf samsapti_yubikey_ssh
|
||||||
```
|
```
|
||||||
|
|
||||||
|
<details>
|
||||||
|
<summary>
|
||||||
|
PGP signed version
|
||||||
|
</summary>
|
||||||
|
|
||||||
|
```txt
|
||||||
|
-----BEGIN PGP SIGNED MESSAGE-----
|
||||||
|
Hash: SHA512
|
||||||
|
|
||||||
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf samsapti_yubikey_ssh
|
||||||
|
|
||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iHUEARYKAB0WIQR1jxoXyANf2TkSyeLLu+c3HoHE6gUCYqeuFwAKCRDLu+c3HoHE
|
||||||
|
6tTqAQDhUokTzNxn4h06UKCbggtTG3EpMrbgNT2HUQugpD6t7gEA6IleDY/aubyT
|
||||||
|
Giy/YDkzUoJlVghNq0rU+DcSC1dLzQs=
|
||||||
|
=FjyX
|
||||||
|
-----END PGP SIGNATURE-----
|
||||||
|
```
|
||||||
|
</details>
|
||||||
|
|
||||||
You can download it [here](/ssh.pub).
|
You can download it [here](/ssh.pub).
|
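Review bot: The clearsigned message exists only inside the `txt` code block of the Markdown source, so anyone verifying it has to copy it out of the rendered page, and a copy that picks up wrapping or indentation on the long `ssh-ed25519` line will fail verification for reasons unrelated to tampering. Consider also publishing the signed message as a file and linking it, as is already done for the plain key with `/ssh.pub`. The section does not say which key made the signature; a sentence naming the signing key from the PGP section would tell readers what a good verification result looks like. Since the SSH key now appears twice in the file (the plain block and the signed block), a key rotation has to update both and regenerate the signature, which is worth a comment in the source.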