Upload PGP Keys on distinct domains #3079

Open

maltfield opened this issue Apr 13, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@maltfield

Is there an existing request for feature?

  • I have searched the existing issues

What feature would you like?

This ticket is a request to:

  1. Upload the Session Release-Signing PGP key onto multiple domains, and
  2. Document how a user can verify the Session Release-Signing PGP key from multiple domains out-of-band when importing the key to their keyring for the first time (TOFU)

Why?

It's possible for a very powerful adversary to compromise your release infrastructure (or the infrastructure between the server and the client) and get a new session user to download a malicious version of the release, signature, and the release signing key -- but it's exponentially more difficult for them to compromise multiple distinct domains.

Remember: Monero's release infrastructure has already been compromised once. And here's a great list of historically relevant cases where this happened:

Part One: Making key available out-of-band

SKS Keyservers

I found that I could obtain your key from Ubuntu's SKS Keyserver. This is great!

Nothing to do here.

https://keys.openpgp.org/

keys.openpgp.org is a newer keyserver that doesn't sync with the others, and it strips UIDs and signatures by default for privacy and to resist certificate spamming attacks.

Unfortunately, I could not search for your key on this server by email address because it looks like you've never verified the email address.

Please verify your email address by clicking the link sent to the uid of the key ([email protected]) as described here:

Mastodon

Please add your public key's full fingerprint (FC2821DE35BD839E93D3AE7650F7890BCDED90AB) to one of your Mastodon account's "profile fields" (eg a new field named "PGP" in addition to "Website", "Download", "Youtube", "Odysee")

Twitter

Please add your public key's full fingerprint (FC2821DE35BD839E93D3AE7650F7890BCDED90AB) to your Twitter profile description

Instagram

Please add your public key's full fingerprint (FC2821DE35BD839E93D3AE7650F7890BCDED90AB) to your Instagram profile description

YouTube

Please add your public key's full fingerprint (FC2821DE35BD839E93D3AE7650F7890BCDED90AB) to your YouTube profile description

Other domains

I do recommend adding your key to as many other domains as possible, including:

  1. Your official keybase.io account
  2. Any domains you own (eg getsession.org -- unless that's hosted by GitHub as that would provide zero additional benefits to the public key already hosted in the Git Repo)
  3. Something else?

The more domains you upload it to, the better.

Part Two: Documenting it

After uploading your public key and/or full fingerprint to as many distinct domains as possible, please update the project's documentation to enumerate all of these locations and write a paragraph describing how the user can mitigate the risk of compromised infrastructure by cross-checking the integrity of the key across multiple domains.

Anything else?

No response
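Added example (not the project's code, and not the Session key): the cross-check that Part One and Part Two above ask users to perform, done in pure Python so it runs offline. It dearmor-free parses a binary OpenPGP key block, computes the v4 fingerprint (SHA-1 over `0x99`, a two-byte length and the public-key packet body, per RFC 4880), and compares it with fingerprints copied from several independent domains. The sample key is a made-up RSA packet built in `build_sample_key` purely to exercise the parser, and the "published" values in `example_sources` are constructed; in practice they are the strings you read off keys.openpgp.org, the Mastodon profile field, the Git repository, and so on. The decision rule is the one the issue argues for: any disagreeing source is a red flag, so the key is accepted only when no source disagrees and at least `min_agreeing` sources concur.

```python
"""Cross-check a release-signing key against fingerprints published on
independent domains (TOFU). Parser and sample key are constructed here."""
import hashlib
import struct

PUBLIC_KEY_TAG = 6  # RFC 4880 section 5.5.1.1


def fingerprint_v4(body: bytes) -> str:
    """v4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, 2-byte body length, body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def parse_packets(data: bytes):
    """Yield (tag, body) per binary OpenPGP packet (RFC 4880 4.2), old and new
    header formats. Partial and indeterminate lengths are refused, not guessed."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:  # new-format header: 6-bit tag, variable-length length
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: 4-bit tag, 2-bit length type
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            nbytes = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length


def key_fingerprint(key_data: bytes) -> str:
    """Fingerprint of the primary key in a binary (dearmored) key block."""
    for tag, body in parse_packets(key_data):
        if tag == PUBLIC_KEY_TAG:
            if body[0] != 4:
                raise ValueError("only v4 keys are supported here")
            return fingerprint_v4(body)
    raise ValueError("no public-key packet found")


def normalize(fpr: str) -> str:
    """Fingerprints copied from profile fields arrive with spaces and mixed case."""
    return "".join(fpr.split()).upper()


def tofu_check(key_data: bytes, published: dict, min_agreeing: int = 2):
    """Return (accept, per_source). Accept only when no source disagrees and at
    least min_agreeing independent sources publish the same fingerprint."""
    fpr = key_fingerprint(key_data)
    per_source = {src: normalize(val) == fpr for src, val in published.items()}
    agreeing = sum(per_source.values())
    return agreeing == len(per_source) and agreeing >= min_agreeing, per_source


def _mpi(n: int) -> bytes:  # OpenPGP multiprecision integer: bit count, then bytes
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def _new_length(n: int) -> bytes:  # new-format body length encoding
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def build_sample_key(new_format: bool = True) -> bytes:
    """Constructed v4 RSA public-key packet (made-up modulus, NOT a real key) plus a
    User ID packet, so the parser must skip a non-key packet. Either header style
    gives the same fingerprint because only the body is hashed."""
    n = int.from_bytes(b"constructed-not-a-real-modulus!!", "big")
    body = b"\x04" + struct.pack(">I", 1713000000) + b"\x01" + _mpi(n) + _mpi(65537)
    if new_format:
        header = bytes([0xC0 | PUBLIC_KEY_TAG]) + _new_length(len(body))
    else:  # old format with a two-byte length: CTB = 0x80 | tag << 2 | 1
        header = bytes([0x80 | (PUBLIC_KEY_TAG << 2) | 1]) + struct.pack(">H", len(body))
    uid = b"Example Signer <signer@example.invalid>"
    return header + body + bytes([0xC0 | 13]) + _new_length(len(uid)) + uid


def example_sources(fpr: str) -> dict:
    """Constructed 'published' values: three agree (one rendered like a profile
    field), one was tampered in transit."""
    flipped = fpr[:-1] + ("0" if fpr[-1] != "0" else "1")
    return {
        "keys.openpgp.org": fpr,
        "mastodon profile field": " ".join(fpr[i:i + 4] for i in range(0, 40, 4)).lower(),
        "git repository": fpr,
        "mitm'd website": flipped,
    }


if __name__ == "__main__":
    key = build_sample_key()
    accept, per_source = tofu_check(key, example_sources(key_fingerprint(key)))
    for src, ok in per_source.items():
        print(f"{src:24s} {'match' if ok else 'MISMATCH'}")
    print("accept key:", accept)
```

To use it against a real key, run `gpg --dearmor` on the downloaded `.asc` file and pass the resulting bytes to `tofu_check` together with the fingerprints you copied by hand from each domain; a mismatch anywhere means stop and investigate, not "the majority wins".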

@maltfield maltfield added the enhancement New feature or request label Apr 13, 2024
@KeeJef
Collaborator

KeeJef commented Apr 22, 2024

I have uploaded and verified our key at https://keys.openpgp.org/. We should also upload it to our website. Regarding other domains: Twitter doesn’t provide enough space for all the information I want to include, so I have added the fingerprint to Mastodon. However, I don't really use YouTube, Instagram, or Keybase.

We have some YouTube videos on how to verify releases here, but we probably need to put together some documentation as well.

@maltfield
Author

Thanks!

Yeah, I definitely think text documentation takes priority over video documentation. It's more accessible.
