Release Signing key should be cross-signed

[jonathancross]

Description

The Release Signing key (310F 5612 00F4 AD77) should be coss-signed by members of the PGP Web Of Trust "Strong Set". This will allow users to establish a trust path to the key.

Ideally, this key should also be cross-signed by other relevant keys such as the "SecureDrop Team" key (82BD 6C96 16DA BB79) and developers, eg:

• @conorsch 6FB4762D12E4CDFB
• @redshiftzero B07E80656ACD9501
• @heartsucker C0A2586F09D77C82

@heartsucker has signed all keys except 82BD6C9616DABB79, however none have cross-signed his key back.

User Stories

Britney wants to verify a SecureDrop release without trusting keys found on websites. She does not know a developer in person, or she is concerned about identifying herself to devs. Therefore she needs another means to identify the correct signing key.

[jonathancross]

PS: I will be traveling to San Francisco in January and Berlin later in 2019. Would love to have keysigning sessions with anyone interested (my key is hooked into the strong set).

[conorsch]

Thanks for the thoughtful report, @jonathancross. You're right that we can do a better job to demonstrate trust in the keys relevant for SecureDrop administrators and developers. On a related note, we plan to generate a new Certify-capable "FPF Authority Key" and cross-sign the SecureDrop Release key, as well as individual staff member keys, in the near future. Expect updates here once that's done, to aid in coordination of key-signing sessions.

[jonathancross]

Thank you @conorsch, I just sent an email to you and others above to see if we might coordinate a keysigning party in January. :-)