What is this key stuff?

The old saying goes "On the internet, no-one knows if you're a dog or not", or something like that. Hence, here are a few ways that you can verify webpages or emails or whatever really came from Shane, and not some random dog out there.
There are a ton of PGP, GPG, SSH, SSL, https, and digital certificate tutorials out there, and I'm not going to attempt to reprise them here. My advice is to google them, and keep searching until you find a page that makes sense to you. There are plenty of overly technical and geeky resources, but there are also some plain text ones that make sense to the average reader if you look.

Shane's Keys

I use a number of keys currently:

  • General encryption/signing:
    PGP 2048D/0x30A21D55 created:19991104 expires:not yet
    B29B 58CC 0B09 58F1 24DA  C61A 32EC 1759 30A2 1D55
  • Secure signing:
    PGP 4096D/0xF4807766 created:20061005 expires:not yet
    291F 63F5 5674 C84D 06F4  D9FC F17F D0F0 F480 7766
  • Email signing: Thawte Personal Freemail cert:
    0A:6F:CE:5A:B5:07:E4:5E:CC:51:04:71:97:E7:B6:D8
    53:6D:83:F1:D3:CE:D3:F8:DE:FD:9F:70:4B:AB:A9:62 expired:20070123
  • Email signing: IBM Certification Authority:
    MD5  764E C9F5 4C6B D70B A7D5 E00C 991C 187E
  • Other uses: CACert WOT user cert:
    02:F1:D1
    01:AF:1A expired:20061129
  • Expired personal key:
    PGP 3072D/0xB8B76D1F created:20000215 expired:20051001
  • SSH login key: shanecurcuru-rsa-key-20061222

Keysigning Policies

Default keysigning policies (but please check the Version section of this document):
  • All keysigning presumes a comfortable situation with an ability to verify information, etc.
  • Photo IDs must be government issued, and match a name on the key.
  • The signee must convey to me securely the fingerprint of their key for verification.
  • I typically only sign keys of people I already know or who are ASF committers.
  • Signatures will be sent encrypted to the primary email address that I sign, not uploaded to keyservers.
  • I will only sign email addresses that I recognize and have seen emails come from in the past.
  • If you don't already have other signatures that I recognize, I may wait to see consistent email traffic.
  • I appreciate cross-signing, but it's not required.
  • I generally cross-sign, but there is no guarantee I will do so.
  • Keys are signed using the Windows PGP GUI as Signature Type "Exportable".

PGP Key 0x30A21D55

General signing key for ASF work and general WOT use. Signatures most often generated at ApacheCon keysigning parties. Verification includes an in person meeting, photo ID, and generally some email presence in the ASF realm.
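As an added example (not part of Shane's page or his tooling), here is a Python check for the step in the policy above where the signee must convey their key's fingerprint securely, and for the "Verification" step just described: it canonicalises a fingerprint written with spaces, colons or mixed case, derives the short key ID from it (the 0x30A21D55 and 0xF4807766 on this page are simply the last eight hex digits of the fingerprints listed above), and refuses to treat a key as verified unless all 40 digits of the conveyed and retrieved fingerprints agree, not merely the key ID. The function names and the "lookalike" fingerprint used at the bottom are constructed for illustration and are not real keys.

```python
"""Fingerprint check before a keysigning: does the fingerprint the signee
conveyed out of band match the key actually retrieved (e.g. from a keyserver)?
Example code, not from the page; only the two fingerprints are from the page."""
import hmac
import re

# The page's own fingerprints, as printed there (OpenPGP v4, 40 hex digits).
SHANES_KEYS = {
    "0x30A21D55": "B29B 58CC 0B09 58F1 24DA  C61A 32EC 1759 30A2 1D55",
    "0xF4807766": "291F 63F5 5674 C84D 06F4  D9FC F17F D0F0 F480 7766",
}


def normalize_fingerprint(text):
    """Canonicalise a fingerprint written with spaces, colons or a 0x prefix.

    Returns 40 upper-case hex digits, or raises ValueError so that a truncated
    or mistyped fingerprint is rejected instead of being silently compared.
    """
    cleaned = re.sub(r"[\s:]", "", text).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("not a 40-hex-digit OpenPGP v4 fingerprint: %r" % text)
    return cleaned


def short_key_id(fingerprint):
    """The 32-bit key ID (e.g. 0x30A21D55) is just the last 8 hex digits of a
    v4 fingerprint: good enough to look a key up, never enough to trust it."""
    return "0x" + normalize_fingerprint(fingerprint)[-8:]


def long_key_id(fingerprint):
    """The 64-bit key ID: the last 16 hex digits of the fingerprint."""
    return "0x" + normalize_fingerprint(fingerprint)[-16:]


def fingerprints_match(conveyed, retrieved):
    """Compare two fingerprints after canonicalisation; all 40 digits count."""
    try:
        a = normalize_fingerprint(conveyed)
        b = normalize_fingerprint(retrieved)
    except ValueError:
        return False
    return hmac.compare_digest(a.encode("ascii"), b.encode("ascii"))


def check_before_signing(claimed_key_id, conveyed_fingerprint, retrieved_fingerprint):
    """Decide whether the key just retrieved is the one the signee vouched for.

    claimed_key_id:        the ID the signee quoted, e.g. "0x30A21D55"
    conveyed_fingerprint:  fingerprint received over a channel I trust
                           (in person, signed and encrypted mail, ...)
    retrieved_fingerprint: fingerprint of the key as imported from a keyserver
    Returns (ok, reason).
    """
    try:
        retrieved = normalize_fingerprint(retrieved_fingerprint)
    except ValueError as exc:
        return False, str(exc)
    if short_key_id(retrieved).upper() != claimed_key_id.upper():
        return False, "retrieved key ID %s does not match claimed %s" % (
            short_key_id(retrieved), claimed_key_id)
    if not fingerprints_match(conveyed_fingerprint, retrieved):
        return False, "key ID matches but full fingerprint differs: refuse to sign"
    return True, "fingerprint verified; key may be signed per policy"


if __name__ == "__main__":
    fpr = SHANES_KEYS["0x30A21D55"]
    print(check_before_signing("0x30A21D55", fpr, fpr.lower()))
    # Constructed lookalike (not a real key): same last 8 digits, different key.
    lookalike = "0000 0000 0000 0000 0000  0000 0000 0000 30A2 1D55"
    print(check_before_signing("0x30A21D55", fpr, lookalike))
```

The second call in the usage block is the case the policy guards against: the short key ID alone is satisfied, but the full fingerprint is not, so the check refuses. In practice the "retrieved" value comes from `gpg --fingerprint` on the imported key and the "conveyed" value from the signee's slip of paper or their signed email.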

In a few cases, I have skipped the in person meeting and relied on signed and encrypted Lotus Notes email containing the key within my employer's network, either Lotus or IBM (i.e. effectively relying on the trust of IBM's HR systems to verify photo ID). In these cases, I only sign if the person has been an IBM employee for a number of months, and is an active ASF committer.

PGP Key 0xF4807766

Secure signing key for ASF work. This key uses all the verification methods of my 0x30A21D55 key; in addition, it is only used for people I have met and whose photo ID I have verified in person, and only after I have known the person and seen consistent email from their key's email addresses for at least one year. The purpose is to strengthen the WOT around ASF releases and a future certification authority.

Thawte WOT Notary

I follow all of Thawte's notary policies strictly. Be sure to bring copies of the forms and your ID. No charge; however, I tend to only notarize people I personally know or who are ASF committers.

CACert WOT Notary

I follow all of CACert's notary policies strictly. Be sure to bring copies of the forms and your ID. No charge; however, I tend to only notarize people I personally know or who are ASF committers.

Key Use Policies

PGP encryption: I generally do not encrypt email, unless I have a specific reason to believe it's sensitive information. I am happy to accept encrypted email to any currently valid PGP key if you feel the need. I will always send signatures for other keys encrypted to that key.

Email signing:

  • asf on shanecurcuru-org WILL be signed by Thawte
  • shane_curcuru on us-ibm-com WILL be signed by IBM
  • shane_curcuru on yahoo-com is not signed; however, if I ever stop using this email account for any reason (I pay for it) I will alert people
  • other email accounts are generally not signed
  • email body will be PGP signed or encrypted only when specifically needed

Storage

I take security seriously. All keys use strong passphrases with multiple character types. Currently, I am the only person with access to any of these passphrases. Most private keys are kept passphrase protected on my laptop, which uses a strong hard disk password.

My Secure Signing PGP Key 0xF4807766 is treated specially. It was generated on an offline system, and is normally stored on offline media locked in a secure safe. Signatures are only generated offline, then carried on a USB key to a connected machine to be sent to their owners. Thawte and CACert notary papers are likewise kept in a secure safe.

Verification

For all the "pgp key signing policy" pages out there, with tiny details of exactly how keysignings will be done, none of them yet seemed to be signed themselves. So how does the paranoid geek figure out if the policy document itself is valid? <smile/>

Once this policy is complete, this document will be PGP signed itself. I hope to figure out how to do XML-Signature correctly too, just to prove my xml cred is still there.

Version

v?.?/200?????
(The next version doesn't exist yet)
v0.4/20070707
Changed to (c) Copyright; updated Contents (no substantive changes)
v0.3/20070206
beta, updated thawte and CACert expired keys but not complete yet
v0.2/20070110
beta, correct document but not complete yet
v0.1/20070109
alpha, incomplete document

Copyright © 2007 Shane Curcuru - All Rights Reserved