Issue (Open), opened by jonathancross 5 years ago
PS: I will be traveling to San Francisco in January and Berlin later in 2019. Would love to have keysigning sessions with anyone interested (my key is hooked into the strong set).
Thanks for the thoughtful report, @jonathancross. You're right that we can do a better job to demonstrate trust in the keys relevant for SecureDrop administrators and developers. On a related note, we plan to generate a new Certify-capable "FPF Authority Key" and cross-sign the SecureDrop Release key, as well as individual staff member keys, in the near future. Expect updates here once that's done, to aid in coordination of key-signing sessions.
Thank you @conorsch, I just sent an email to you and others above to see if we might coordinate a keysigning party in January. :-)
Description

The Release Signing key (310F 5612 00F4 AD77) should be cross-signed by members of the PGP Web Of Trust "Strong Set". This will allow users to establish a trust path to the key. Ideally, this key should also be cross-signed by other relevant keys such as the "SecureDrop Team" key (82BD 6C96 16DA BB79) and developers, e.g.:

- 6FB4762D12E4CDFB
- B07E80656ACD9501
- C0A2586F09D77C82

@heartsucker has signed all keys except 82BD6C9616DABB79, however none have cross-signed his key back.

User Stories

Britney wants to verify a SecureDrop release without trusting keys found on websites. She does not know a developer in person, or she is concerned about identifying herself to devs. Therefore she needs another means to identify the correct signing key.
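One way an administrator can check the state the issue describes (who has certified the release key, and which certifications were never signed back) is to parse the machine-readable output of `gpg --list-sigs --with-colons`. The script below is an added example, not SecureDrop or FPF code; the key IDs are the ones named in the issue, but the certifications in the sample output are constructed for illustration and do not describe the real keyring.

```python
"""Parse `gpg --list-sigs --with-colons` output and report which third-party
keys certify a given key, plus certifications that were never reciprocated."""
from collections import defaultdict

# Constructed sample in gpg's colon format. Key IDs come from the issue; the
# signatures on them are invented for this example (not real keyring state).
SAMPLE_LIST_SIGS = """\
pub:-:4096:1:310F561200F4AD77:1430000000:::-:::scESC::::::23::0:
uid:-::::1430000000::0001::SecureDrop Release Signing Key (constructed uid)::::::::::0:
sig:::1:310F561200F4AD77:1430000000::::SecureDrop Release Signing Key (constructed uid):13x:::::::::
sig:::1:6FB4762D12E4CDFB:1540000000::::Developer A (constructed):10x:::::::::
pub:-:4096:1:6FB4762D12E4CDFB:1400000000:::-:::scESC::::::23::0:
uid:-::::1400000000::0002::Developer A (constructed)::::::::::0:
sig:::1:6FB4762D12E4CDFB:1400000000::::Developer A (constructed):13x:::::::::
pub:-:4096:1:82BD6C9616DABB79:1420000000:::-:::scESC::::::23::0:
uid:-::::1420000000::0003::SecureDrop Team (constructed uid)::::::::::0:
sig:::1:82BD6C9616DABB79:1420000000::::SecureDrop Team (constructed uid):13x:::::::::
"""

# OpenPGP certification classes: generic, persona, casual, positive.
CERT_CLASSES = {"10", "11", "12", "13"}


def parse_certifications(colon_output):
    """Return {key_id: set(signer_key_ids)} of third-party certifications.
    Self-signatures and non-certification signature classes are ignored."""
    certs = defaultdict(set)
    current = None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]            # field 5: long key ID of the key being listed
            certs.setdefault(current, set())
        elif f[0] == "sig" and current is not None:
            signer, sig_class = f[4], f[10][:2]  # signer key ID, signature class
            if sig_class in CERT_CLASSES and signer != current:
                certs[current].add(signer)
    return dict(certs)


def certifiers(certs, key_id):
    """Third-party keys that have certified key_id (candidate trust-path hops)."""
    return set(certs.get(key_id, ()))


def unreciprocated(certs):
    """(signer, signee) pairs where the signee never certified the signer back."""
    return sorted((s, k) for k, signers in certs.items() for s in signers
                  if k not in certs.get(s, ()))


if __name__ == "__main__":
    certs = parse_certifications(SAMPLE_LIST_SIGS)
    print("certifiers of release key:", certifiers(certs, "310F561200F4AD77"))
    print("unreciprocated certifications:", unreciprocated(certs))
```

Run it against real output by piping `gpg --list-sigs --with-colons` into `parse_certifications`; a release key whose only certifiers are its own sub-keys or unknown keys is exactly the situation the issue asks to fix.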