update PGP key

[chadwhitacre]

Mine expired a couple days ago:

http://pgp.mit.edu/pks/lookup?op=vindex&search=0x6EE18A8DC47977C2

[blrhc]

This is pretty easy to do isn't it?

[chadwhitacre]

Should be. It's probably a good time to move from chad@zetaweb.com to security@gratipay.com, too, though. No?

[chadwhitacre]

/me reviews https://www.gnupg.org/gph/en/manual/c14.html

[chadwhitacre]

@benhc123 Want to work on this one with me? Let's set up security@gratipay.com and make a key for that that both you and I have access to. Waddya say? :)

[chadwhitacre]

I've created the security user in Google Apps, but I'm having trouble delegating access to it to my main Gmail account, which is how I have the others set up.

[chadwhitacre]

Once security is configured at Google the next step is to configure it at Freshdesk. That's where I'll give you access, @benhc123.

[chadwhitacre]

I just tried delegation again and it went through. Maybe it took time for the new account to propagate within Google? :fried_shrimp:

[chadwhitacre]

Okay, I've configured security@gratipay.com in Freshdesk. I've also made a security team on GitHub and a security group at Freshdesk with @benhc123 @greggles @Changaco and myself.

[chadwhitacre]

@benhc123 Can I put you in charge of making a PGP key for security@gratipay.com?

[chadwhitacre]

I'm looking at this. I'm writing up an IG doc as I go.

[chadwhitacre]

Is maintaining PGP worth it? Rarely have security researchers used PGP during disclosure to us.

[chadwhitacre]

GitHub discourages encrypted email for security disclosures:

Where is your PGP key? I want to use it when I submit a vulnerability.

If you absolutely believe encrypting the message is necessary, please read our instructions and caveats for PGP submissions.

[greggles]

Does gratipay use a web-based form for submitting issues? If so I think that github page applies. Otherwise, the first paragraph and basis of their philosophy disappears ;)

[greggles]

That said...I also think that encrypted submissions are kinda silly.

• email encryption is a great idea for very high risk situations - the worst-case-scenario bug on gratipay is not yet as horrible as a worst-case-scenario bug on php.net or bankofamerica.com
• it's also worthwhile to encrypt data that shouldn't be leaked eventually - since inboxes have a way of eventually getting cracked - but the nature of security issues means that they should be kept secret only for a short time.
• encrypted emails do require key management (a pain in itself)
• they make it harder to deal quickly with incoming submissions (find someone with the key)

[chadwhitacre]

But that's because they have a secure form on a website:

https://bounty.github.com/submit-a-vulnerability.html

As does Facebook: https://www.facebook.com/whitehat/report/.

[chadwhitacre]

Does gratipay use a web-based form for submitting issues? If so I think that github page applies. Otherwise, the first paragraph and basis of their philosophy disappears ;)

Right. ;-)