zebra
Create encryption keys amongst [email protected]
And publish the public key in our responsible_disclosure.md statement. Ideally created on YubiKeys, with backups. Elucidate the creation, rotation, and EOL'ing of keys.
For now we have an old draft at: https://docs.google.com/document/d/1ORGAzAYq5vc86SxBlugYAE5daLbnTRCIZSELCvFKZaY
After discussion/review we should update the ticket text here
Quick consensus on tooling:
- PGP for breadth
- Optionally age for more experimental/modern researchers, but not primary
Putting this in the last sprint, so we remember to do it before mainnet activation.
Do we still want to/need to do this?
We're getting closer to the stable release candidate series, so this is a medium priority now.
Here are some reasons to make our first secure contact method a PGP key:
If we want to get the same disclosures as zcashd: https://github.com/zcash/zcash/blob/master/SECURITY.md#receiving-disclosures
If we want to conform to accepted responsible disclosure standards within the cryptocurrency community: https://github.com/RD-Crypto-Spec/Responsible-Disclosure/tree/d47a5a3dafa5942c8849a93441745fdd186731e6#giving-details
We can add additional secure contact methods, but in my opinion they should be separate tickets. That allows us to give them different schedules and priorities.
Some resources:
- https://developers.yubico.com/PGP/PGP_Walk-Through.html
- PGP keys can be stored in 1Password as attachments or secure notes
- https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP
- https://medium.com/cloud-security/storing-a-gpg-pgp-key-on-a-yubikey-905a8fe8dad7
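An added example, not code from this issue or from the zebra project: a stdlib-only Python check that could run in CI over the armored public key block once it is published in responsible_disclosure.md. It verifies the armor CRC24 trailer, computes the v4 fingerprint (RFC 4880 section 12.2) so the fingerprint quoted in the policy can be cross-checked against `gpg --fingerprint`, and reads the key-expiration subpacket from the self-certification so an upcoming rotation or EOL date is caught before the key silently expires. Function names are mine; the input it parses is a constructed dummy produced by `build_test_key` (arbitrary MPIs, dummy signature bytes, not a usable key); it does not verify signatures and only handles v4 keys.

```python
# Added example (not zebra's code): sanity-check an ASCII-armored OpenPGP public key
# block like the one responsible_disclosure.md publishes. Stdlib only, RFC 4880 formats.
import base64
import hashlib
import struct
import time

def crc24(data):
    # armor checksum, RFC 4880 section 6.1 (init 0xB704CE, polynomial 0x1864CFB)
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text):
    # strip the armor, verify the "=XXXX" CRC24 trailer and return the raw packet bytes
    lines = [line.rstrip() for line in text.strip().splitlines()]
    if lines[0] != "-----BEGIN PGP PUBLIC KEY BLOCK-----" or lines[-1] != "-----END PGP PUBLIC KEY BLOCK-----":
        raise ValueError("not an armored public key block")
    inner = lines[1:-1]
    if "" in inner:                        # drop Version:/Comment: armor headers
        inner = inner[inner.index("") + 1:]
    checksum = int.from_bytes(base64.b64decode(inner.pop()[1:]), "big") if inner[-1].startswith("=") else None
    raw = base64.b64decode("".join(inner))
    if checksum is not None and checksum != crc24(raw):
        raise ValueError("armor checksum mismatch: block corrupted or edited")
    return raw

def _length(data, i):
    # new-format length octets (sections 4.2.2 and 5.2.3.1); returns (length, next offset)
    first = data[i]
    if first < 192:
        return first, i + 1
    if first < 255:
        return ((first - 192) << 8) + data[i + 1] + 192, i + 2
    return struct.unpack(">I", data[i + 1:i + 5])[0], i + 5

def packets(raw):
    # yield (tag, body) per packet; gpg still writes old-format headers, so handle both
    i = 0
    while i < len(raw):
        ctb, i = raw[i], i + 1
        if not ctb & 0x80:
            raise ValueError("bad packet header")
        if ctb & 0x40:                     # new format
            if 224 <= raw[i] < 255:
                raise ValueError("partial body lengths not supported")
            tag, (length, i) = ctb & 0x3F, _length(raw, i)
        else:                              # old format: 1/2/4-octet length field
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(raw[i:i + (1 << ltype)], "big"), i + (1 << ltype)
        yield tag, raw[i:i + length]
        i += length

def subpackets(data):
    # yield (type, body) for signature subpackets; the length counts the type octet
    i = 0
    while i < len(data):
        length, i = _length(data, i)
        yield data[i], data[i + 1:i + length]
        i += length

def fingerprint_v4(key_body):
    # SHA-1 over 0x99 || two-octet body length || body (section 12.2)
    if key_body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def inspect_key(armored, now=None):
    # fingerprint, key ID, creation time and expiry of the block's primary key
    now = time.time() if now is None else now
    pkts = list(packets(dearmor(armored)))
    if not pkts or pkts[0][0] != 6:
        raise ValueError("first packet is not a public-key packet")
    key, expires = pkts[0][1], None
    created = struct.unpack(">I", key[1:5])[0]
    for tag, sig in pkts[1:]:
        # key expiry is subpacket 9 in the hashed area of a self-certification (0x10..0x13)
        if tag == 2 and sig[0] == 4 and sig[1] in (0x10, 0x11, 0x12, 0x13):
            hashed_len = struct.unpack(">H", sig[4:6])[0]
            for stype, sdata in subpackets(sig[6:6 + hashed_len]):
                if stype == 9:             # value is seconds after key creation
                    expires = created + struct.unpack(">I", sdata)[0]
    fpr = fingerprint_v4(key)
    return {"fingerprint": fpr, "key_id": fpr[-16:], "algorithm": key[5], "created": created,
            "expires": expires, "expired": expires is not None and now >= expires}

def build_test_key(created, expire_seconds):
    # CONSTRUCTED demo input: a structurally valid v4 "RSA" key with arbitrary MPIs, a
    # user ID and a self-certification whose signature bytes are dummies. Not a usable key.
    def mpi(v): return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
    def sub(t, d): return bytes([len(d) + 1, t]) + d
    def pkt(tag, body): return bytes([0xC0 | tag, 0xFF]) + struct.pack(">I", len(body)) + body
    key = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi((1 << 2047) | 0xC5) + mpi(65537)
    hashed = sub(2, struct.pack(">I", created)) + sub(9, struct.pack(">I", expire_seconds))
    sig = bytes([4, 0x13, 1, 8]) + struct.pack(">H", len(hashed)) + hashed + b"\x00\x00\x12\x34" + mpi(1)
    raw = pkt(6, key) + pkt(13, b"Constructed test key (not a real identity)") + pkt(2, sig)
    b64 = base64.b64encode(raw).decode()
    trailer = "=" + base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""] + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + [trailer, "-----END PGP PUBLIC KEY BLOCK-----"])
```

Usage: `inspect_key(block)` with the armored block cut out of responsible_disclosure.md (or `inspect_key(build_test_key(1_700_000_000, 365 * 86400))` for the constructed input) returns the fingerprint, key ID, algorithm, creation and expiry timestamps and an `expired` flag. Comparing `fingerprint` against the one quoted in the policy catches a stale paste, and a check such as "expires within the next release cycle" gives the rotation reminder the ticket asks for; the EOL step itself (publishing a revocation certificate and the replacement key) is still a manual gpg/YubiKey procedure this script does not perform.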
I've started coordinating on this
Removing from sprint; I still have it on my to-do list to do ASAP.