OpenPGP Key and Signing Policy

What Is / Why Use OpenPGP?

OpenPGP (RFC 4880) software uses a combination of strong public-key and symmetric cryptography to provide security services for electronic communications and data storage. These services include confidentiality, key management, authentication, and digital signatures.

In simple terms, someone using OpenPGP can send signed and/or encrypted messages or files securely and verify/authenticate them. An email signed by me will fail authentication if even a single character is added to or deleted from the body while in transit. Brute-forcing the encryption on encrypted data would, in theory, take eons with today’s most powerful supercomputers.

Today’s environment of massive, NSA-led collection of all data transmitted by wire in the United States (all in the name of “security”) has raised the dialogue about encryption and data privacy to a fairly public level. On one side you have the Government, claiming it needs quick access to massive amounts of data in order to find and deter “terrorist threats”; on the other side are those who feel that our 4th Amendment rights against search and seizure without a warrant are being ignored in favor of “national security.”

In the middle you have, bluntly, the rest of us. Those who feel “I’m not doing anything wrong, why should I worry about encrypting my email?” are missing the point entirely. Think of sending an encrypted message as the equivalent of sending a Certified Letter sealed in an envelope, as opposed to sending a post-card with a stamp on it that anyone who handles it in transit can read.

You may not be engaging in terroristic, seditious, treasonous, or other criminal activity, but…

  • Would you ever send a post-card with your Social Security Number on it?
  • Would you ever send a post-card to your phone company with payment information and credit-card numbers on it?
  • Would you ever send a post-card with a “steamy” love-letter to your partner?
  • How about sending him/her a “romantic photo” of yourself by addressing the back, sticking a stamp on it, and dropping it in the mailbox?
  • How about writing a novel, splitting it up onto different post cards, and mailing them to your publisher from multiple mailboxes? (I’m being absurd but this is pretty much how email works)

OpenPGP Key Policy

This document describes my OpenPGP Key Policy. I have two keys, detailed below. I use a two-part structure to make verification simpler: (i) A Certify-Only Certificate Authority Key and (ii) my daily-use personal Root Certificate Key certified by my CA. Any RC Key you receive from me will be CA certified by me.

Public-Key Server

Both keys are stored on KEYS.OPENPGP.ORG because I am able to establish an encrypted connection through which I can send, search for, or download public-keys. After all, you never know who may be trying to actively “sniff” your traffic…

Certificate Authority Key: Certify-Only

key 0x1830D0BB8946DB4B, 8192-bit RSA, Created 2013-04-02

uid CERTIFICATE AUTHORITY (2013-04-01 | Certificate Authority | AJF) <Adrian John Feliciano>

fin D556 5D13 0CFC 3B92 4823 7C9F 1830 D0BB 8946 DB4B

This is my highest-security key and is used only to certify other Root-Certificates that I create for my day-to-day use or, in its capacity as a Certificate Authority, Root-Certificates I create for people I highly trust. It serves no other purpose.

The key was created using a live USB-key operating-system on a computer that had been physically unplugged from a router that had, itself, been unplugged from power. It is secured with a 64-character, randomly-generated ASCII passphrase. I will never, ever, actually know this passphrase. It’s too long and complicated for me to ever write down on a Post-It note or attempt to memorize.

The key, revocation certificate, and backups are zipped together; the resulting file has been hashed with SHA-512, encrypted with AES-256, and stored on 2 encrypted DVDs kept off-site with a trusted friend, as well as on an encrypted thumb-drive. There are also two paper printouts of the key and revocation certificate: one is filed in a fire-box, and the other at my bank.

Yes, it is highly-secure. You may consider this key to be the equivalent of a “signature guarantee.”

Root Certificate Key: Encrypted Email and Digital-Signatures

key 0x28C49CF13F2479F6, 8192-bit RSA, Created 2013-04-02

uid Adrian John Feliciano (2013-04-01 | Root Certificate | AJF) <Issued by CA 0x1830D0BB8946DB4B>

fin 9733 128C F0BE AEC5 5737 3FC9 28C4 9CF1 3F24 79F6

The Root Certificate Key is the key through which my Web of Trust is built and maintained; therefore, in addition to encryption and digital-signatures, it can certify other keys.

This is my daily-use key and currently binds several email addresses. It’s issued by, and certified with, my Certificate Authority Key and will expire when I revoke it, or any of its sub-keys. It was created in the same manner as the CA Key, described above. Once signed by the CA Key, it’s transferred to the laptop for daily use; the backup is then encrypted, and stored in the same manner as the CA Key.

In the unlikely event this RC Key is compromised, its CA certification will be revoked, and the key itself will be revoked. In addition to revoking the key, I will immediately issue a new RC Key, CA certified by me, and send a follow-up email to everyone who signed the old key to inform them of the revocation, as well as to present the new key for them to sign.

How to Contact Me Securely

If you wish to communicate with me securely, you’ll need to create your own set of OpenPGP keys so that you can use my RC’s public key to encrypt your message to me.

There are desktop apps and smartphone apps that support in-app key-generation:

  • OpenPGP – OpenPGP is a non-proprietary protocol for digitally-signing and/or encrypting email and/or digital files using public key cryptography.
  • GnuPG – A fully compatible, open-source implementation of the OpenPGP standard.
  • GpgTools – Free GPG for Mac OS X.
  • Gpg4win – Free GPG for Windows.
  • iPGMail – $2 iOS app that supports key-generation.
  • Open Keychain – Free Android app, open-sourced and independently audited for security by Cure53.
  • Enigmail – A free, cross-platform add-on for Mozilla’s Thunderbird email client.

You can find a current list of OpenPGP compatible applications for different platforms, web-browser extensions, and email service providers on OpenPGP.org’s website.

Please understand that any email coming from my email addresses that has been digitally signed or encrypted with key 0x28C49CF13F2479F6 (which you can verify using your own copy of OpenPGP) could only have come from me; unless my security measures fail catastrophically, I am the only one with physical access to the key and its highly-secure password(s).
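As an added example (not part of this policy and not the author’s own tooling), the Python script below performs the two checks a correspondent should make before trusting an RC key received from me: that the key’s fingerprint is the published RC fingerprint, and that the key carries a good certification from the CA key, as reported by `gpg --with-colons --check-sigs`. The key IDs and fingerprints are the ones published above; the colon-format listing is a constructed sample of gpg output, not a real export.

```python
"""Verify that a received OpenPGP key is the policy's RC key, CA-certified.

Added example: parses `gpg --with-colons --check-sigs <keyid>` output.
"""
import re
import subprocess

# Values published in the key policy.
CA_KEYID = "1830D0BB8946DB4B"
RC_FINGERPRINT = "9733 128C F0BE AEC5 5737 3FC9 28C4 9CF1 3F24 79F6"
# Signature classes 0x10-0x13 are user-ID certifications (RFC 4880 5.2.1).
CERT_CLASSES = {"10", "11", "12", "13"}

# Constructed sample of --check-sigs output (field 8 of the uid line is a
# placeholder hash). Field 2 of a sig record is '!' only for a good signature.
SAMPLE_LISTING = """\
pub:u:8192:1:28C49CF13F2479F6:1364860800:::u:::scESC:::::::
fpr:::::::::9733128CF0BEAEC557373FC928C49CF13F2479F6:
uid:u::::1364860800::UIDHASH-PLACEHOLDER::Adrian John Feliciano (2013-04-01 | Root Certificate | AJF) <Issued by CA 0x1830D0BB8946DB4B>:
sig:!::1:28C49CF13F2479F6:1364860800::::Adrian John Feliciano (2013-04-01 | Root Certificate | AJF) <Issued by CA 0x1830D0BB8946DB4B>:13x:
sig:!::1:1830D0BB8946DB4B:1364860800::::CERTIFICATE AUTHORITY (2013-04-01 | Certificate Authority | AJF) <Adrian John Feliciano>:13x:
sig:?::1:0000000000000000:1364860800::::[User ID not found]:10x:
"""


def normalize_fpr(fpr):
    """Strip the spaces gpg prints in fingerprints and upper-case the hex."""
    return re.sub(r"\s+", "", fpr).upper()


def keyid_from_fingerprint(fpr):
    """A v4 long key ID is the low 64 bits (last 16 hex digits) of the fingerprint."""
    return normalize_fpr(fpr)[-16:]


def parse_check_sigs(listing):
    """Return (fingerprints, certifiers): all fpr records, and the signer key IDs
    of certifications gpg verified as good. Bad/unverifiable sigs are ignored."""
    fingerprints, certifiers = [], set()
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "fpr":
            fingerprints.append(f[9])
        elif f[0] == "sig" and f[1] == "!" and f[10][:2] in CERT_CLASSES:
            certifiers.add(f[4])
    return fingerprints, certifiers


def is_ca_certified_rc_key(listing, rc_fpr=RC_FINGERPRINT, ca_keyid=CA_KEYID):
    """True only if the listing is the published RC key and the CA key's
    certification on it verified as good (the self-signature alone is not enough)."""
    fingerprints, certifiers = parse_check_sigs(listing)
    return normalize_fpr(rc_fpr) in fingerprints and ca_keyid in certifiers


def check_sigs_listing(keyid):
    """Live variant: both keys must already be imported into the local keyring."""
    return subprocess.run(["gpg", "--with-colons", "--check-sigs", keyid],
                          capture_output=True, text=True, check=True).stdout
```

With both public keys imported, `is_ca_certified_rc_key(check_sigs_listing("0x28C49CF13F2479F6"))` performs the same check against the real keyring.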

OpenPGP Keysigning Policy

I have a simple key-signing policy. I will only sign keys for people I know personally, at this time.


Credits

Keys were generated and portions of this key-policy were based on information from the following websites:

  • www.zugschlus.de/gpg-policy
  • www.apache.org/dev/openpgp.html
  • www.nsa.gov/ia/programs/suiteb_cryptography/
  • ekaia.org/blog/2009/05/10/creating-new-gpgkey/
  • en.wikipedia.org/wiki/NSA_Suite_B_Cryptography
  • www.gossamer-threads.com/lists/gnupg/users/52701
  • www.alexcabal.com/creating-the-perfect-gpg-keypair/
  • we.riseup.net/riseuplabs+paow/openpgp-best-practices
  • www.nas.nasa.gov/hecc/support/kb/Using-GPG-to-Encrypt-Your-Data_242.html
  • www.rubygems-openpgp-ca.org/blog/the-complete-guide-to-signing-the-certificate-authority-keys.html