~fd/rfc.ersei.net

3591c116e42c6baaf02e86ccaef2c3d52bd811da — Ersei Saggi 3 months ago 864dbf2
Draft of PGP key policy
3 files changed, 2035 insertions(+), 0 deletions(-)

A public/rfcs/2.html
A public/rfcs/2.txt
A src/2.xml
A public/rfcs/2.html => public/rfcs/2.html +1579 -0
@@ 0,0 1,1579 @@
<!DOCTYPE html>
<html lang="en" class="Ersei-Draft">
<head>
<meta charset="utf-8">
<meta content="Common,Latin" name="scripts">
<meta content="initial-scale=1.0" name="viewport">
<title>[DRAFT] OpenPGP Key Policy</title>
<meta content="Ersei Saggi" name="author">
<meta content="
       This document describes the cryptographic methods and security precautions for Ersei
 Saggi's PGP keys, as well as their PGP signature policy. All keys signed by &quot;05D3
 E019 2231 9A75 86B4 B8D5 023F F4C1 A9D6 BAFD&quot; are subject to this policy, unless if
 this policy is updated as per  . 
    " name="description">
<meta content="xml2rfc 3.19.0" name="generator">
<meta content="draft-pgp-web-of-trust-key-policy" name="ietf.draft">
<!-- Generator version information:
  xml2rfc 3.19.0
    Python 3.11.7
    ConfigArgParse 1.7
    google-i18n-address 3.1.0
    intervaltree 3.1.0
    Jinja2 3.1.3
    lxml 4.9.4
    platformdirs 4.0.0
    pycountry 22.3.5
    PyYAML 6.0.1
    requests 2.31.0
    setuptools 69.0.2.post0
    six 1.16.0
    wcwidth 0.2.12
-->
<link href="src/2.xml" rel="alternate" type="application/rfc+xml">
<link href="#copyright" rel="license">
<style type="text/css">/*

  NOTE: Changes at the bottom of this file overrides some earlier settings.

  Once the style has stabilized and has been adopted as an official RFC style,
  this can be consolidated so that style settings occur only in one place, but
  for now the contents of this file consists first of the initial CSS work as
  provided to the RFC Formatter (xml2rfc) work, followed by itemized and
  commented changes found necessary during the development of the v3
  formatters.

*/

/* fonts */
/* @import url('https://fonts.googleapis.com/css?family=Noto+Sans'); /* Sans-serif */
/* @import url('https://fonts.googleapis.com/css?family=Noto+Serif'); /* Serif (print) */
/* @import url('https://fonts.googleapis.com/css?family=Roboto+Mono'); /* Monospace */

:root {
  --font-sans: 'Noto Sans', Arial, Helvetica, sans-serif;
  --font-serif: 'Noto Serif', 'Times', 'Times New Roman', serif;
  --font-mono: 'Roboto Mono', Courier, 'Courier New', monospace;
}

@viewport {
  zoom: 1;
}
@-ms-viewport {
  width: extend-to-zoom;
  zoom: 1;
}
/* general and mobile first */
html {
}
body {
  max-width: 90%;
  margin: 1.5em auto;
  color: #222;
  background-color: #fff;
  font-size: 14px;
  font-family: var(--font-sans);
  line-height: 1.6;
  scroll-behavior: smooth;
  overflow-wrap: break-word;
}
.ears {
  display: none;
}

/* headings */
#title,
h1,
h2,
h3,
h4,
h5,
h6 {
  margin: 1em 0 0.5em;
  font-weight: bold;
  line-height: 1.3;
}
#title {
  clear: both;
  border-bottom: 1px solid #ddd;
  margin: 0 0 0.5em 0;
  padding: 1em 0 0.5em;
}
.author {
  padding-bottom: 4px;
}
h1 {
  font-size: 26px;
  margin: 1em 0;
}
h2 {
  font-size: 22px;
  margin-top: -20px; /* provide offset for in-page anchors */
  padding-top: 33px;
}
h3 {
  font-size: 18px;
  margin-top: -36px; /* provide offset for in-page anchors */
  padding-top: 42px;
}
h4 {
  font-size: 16px;
  margin-top: -36px; /* provide offset for in-page anchors */
  padding-top: 42px;
}
h5,
h6 {
  font-size: 14px;
}
#n-copyright-notice {
  border-bottom: 1px solid #ddd;
  padding-bottom: 1em;
  margin-bottom: 1em;
}
/* general structure */
p {
  padding: 0;
  margin: 0 0 1em 0;
  text-align: left;
}
div,
span {
  position: relative;
}
div {
  margin: 0;
}
.alignRight.art-text {
  background-color: #f9f9f9;
  border: 1px solid #eee;
  border-radius: 3px;
  padding: 1em 1em 0;
  margin-bottom: 1.5em;
}
.alignRight.art-text pre {
  padding: 0;
}
.alignRight {
  margin: 1em 0;
}
.alignRight > *:first-child {
  border: none;
  margin: 0;
  float: right;
  clear: both;
}
.alignRight > *:nth-child(2) {
  clear: both;
  display: block;
  border: none;
}
svg {
  display: block;
}
svg[font-family~='serif' i],
svg [font-family~='serif' i] {
  font-family: var(--font-serif);
}
svg[font-family~='sans-serif' i],
svg [font-family~='sans-serif' i] {
  font-family: var(--font-sans);
}
svg[font-family~='monospace' i],
svg [font-family~='monospace' i] {
  font-family: var(--font-mono);
}
.alignCenter.art-text {
  background-color: #f9f9f9;
  border: 1px solid #eee;
  border-radius: 3px;
  padding: 1em 1em 0;
  margin-bottom: 1.5em;
}
.alignCenter.art-text pre {
  padding: 0;
}
.alignCenter {
  margin: 1em 0;
}
.alignCenter > *:first-child {
  display: table;
  border: none;
  margin: 0 auto;
}

/* lists */
ol,
ul {
  padding: 0;
  margin: 0 0 1em 2em;
}
ol ol,
ul ul,
ol ul,
ul ol {
  margin-left: 1em;
}
li {
  margin: 0 0 0.25em 0;
}
.ulCompact li {
  margin: 0;
}
ul.empty,
.ulEmpty {
  list-style-type: none;
}
ul.empty li,
.ulEmpty li {
  margin-top: 0.5em;
}
ul.ulBare,
li.ulBare {
  margin-left: 0em !important;
}
ul.compact,
.ulCompact,
ol.compact,
.olCompact {
  line-height: 100%;
  margin: 0 0 0 2em;
}

/* definition lists */
dl {
}
dl > dt {
  float: left;
  margin-right: 1em;
}
/* 
dl.nohang > dt {
  float: none;
}
*/
dl > dd {
  margin-bottom: 0.8em;
  min-height: 1.3em;
}
dl.compact > dd,
.dlCompact > dd {
  margin-bottom: 0em;
}
dl > dd > dl {
  margin-top: 0.5em;
  margin-bottom: 0em;
}

/* links */
a {
  text-decoration: none;
}
a[href] {
  color: #22e; /* Arlen: WCAG 2019 */
}
a[href]:hover {
  background-color: #f2f2f2;
}
figcaption a[href],
a[href].selfRef,
.iref + a[href].internal {
  color: #222;
}
/* XXX probably not this:
a.selfRef:hover {
  background-color: transparent;
  cursor: default;
} */

/* Figures */
tt,
code,
pre {
  background-color: #f9f9f9;
  font-family: var(--font-mono);
}
pre {
  border: 1px solid #eee;
  margin: 0;
  padding: 1em;
}
img {
  max-width: 100%;
}
figure {
  margin: 0;
}
figure blockquote {
  margin: 0.8em 0.4em 0.4em;
}
figcaption {
  font-style: italic;
  margin: 0 0 1em 0;
}
@media screen {
  pre {
    overflow-x: auto;
    max-width: 100%;
    max-width: calc(100% - 22px);
  }
}

/* aside, blockquote */
aside,
blockquote {
  margin-left: 0;
  padding: 1.2em 2em;
}
blockquote {
  background-color: #f9f9f9;
  color: #111; /* Arlen: WCAG 2019 */
  border: 1px solid #ddd;
  border-radius: 3px;
  margin: 1em 0;
}
blockquote > *:last-child {
  margin-bottom: 0;
}
cite {
  display: block;
  text-align: right;
  font-style: italic;
}

/* tables */
table {
  width: 100%;
  margin: 0 0 1em;
  border-collapse: collapse;
  border: 1px solid #eee;
}
th,
td {
  text-align: left;
  vertical-align: top;
  padding: 0.5em 0.75em;
}
th {
  text-align: left;
  background-color: #e9e9e9;
}
tr:nth-child(2n + 1) > td {
  background-color: #f5f5f5;
}
table caption {
  font-style: italic;
  margin: 0;
  padding: 0;
  text-align: left;
}
table p {
  /* XXX to avoid bottom margin on table row signifiers. If paragraphs should
     be allowed within tables more generally, it would be far better to select on a class. */
  margin: 0;
}

/* pilcrow */
a.pilcrow {
  color: #666; /* Arlen: AHDJ 2019 */
  text-decoration: none;
  visibility: hidden;
  user-select: none;
  -ms-user-select: none;
  -o-user-select: none;
  -moz-user-select: none;
  -khtml-user-select: none;
  -webkit-user-select: none;
  -webkit-touch-callout: none;
}
@media screen {
  aside:hover > a.pilcrow,
  p:hover > a.pilcrow,
  blockquote:hover > a.pilcrow,
  div:hover > a.pilcrow,
  li:hover > a.pilcrow,
  pre:hover > a.pilcrow {
    visibility: visible;
  }
  a.pilcrow:hover {
    background-color: transparent;
  }
}

/* misc */
hr {
  border: 0;
  border-top: 1px solid #eee;
}
.bcp14 {
  font-variant: small-caps;
}

.role {
  font-variant: all-small-caps;
}

/* info block */
#identifiers {
  margin: 0;
  font-size: 0.9em;
}
#identifiers dt {
  width: 3em;
  clear: left;
}
#identifiers dd {
  float: left;
  margin-bottom: 0;
}
/* Fix PDF info block run off issue */
@media print {
  #identifiers dd {
    float: none;
  }
}
#identifiers .authors .author {
  display: inline-block;
  margin-right: 1.5em;
}
#identifiers .authors .org {
  font-style: italic;
}

/* The prepared/rendered info at the very bottom of the page */
.docInfo {
  color: #666; /* Arlen: WCAG 2019 */
  font-size: 0.9em;
  font-style: italic;
  margin-top: 2em;
}
.docInfo .prepared {
  float: left;
}
.docInfo .prepared {
  float: right;
}

/* table of contents */
#toc {
  padding: 0.75em 0 2em 0;
  margin-bottom: 1em;
}
nav.toc ul {
  margin: 0 0.5em 0 0;
  padding: 0;
  list-style: none;
}
nav.toc li {
  line-height: 1.3em;
  margin: 0.75em 0;
  padding-left: 1.2em;
  text-indent: -1.2em;
}
/* references */
.references dt {
  text-align: right;
  font-weight: bold;
  min-width: 7em;
}
.references dd {
  margin-left: 8em;
  overflow: auto;
}

.refInstance {
  margin-bottom: 1.25em;
}

.references .ascii {
  margin-bottom: 0.25em;
}

/* index */
.index ul {
  margin: 0 0 0 1em;
  padding: 0;
  list-style: none;
}
.index ul ul {
  margin: 0;
}
.index li {
  margin: 0;
  text-indent: -2em;
  padding-left: 2em;
  padding-bottom: 5px;
}
.indexIndex {
  margin: 0.5em 0 1em;
}
.index a {
  font-weight: 700;
}
/* make the index two-column on all but the smallest screens */
@media (min-width: 600px) {
  .index ul {
    -moz-column-count: 2;
    -moz-column-gap: 20px;
  }
  .index ul ul {
    -moz-column-count: 1;
    -moz-column-gap: 0;
  }
}

/* authors */
address.vcard {
  font-style: normal;
  margin: 1em 0;
}

address.vcard .nameRole {
  font-weight: 700;
  margin-left: 0;
}
address.vcard .label {
  font-family: var(--font-sans);
  margin: 0.5em 0;
}
address.vcard .type {
  display: none;
}
.alternative-contact {
  margin: 1.5em 0 1em;
}
hr.addr {
  border-top: 1px dashed;
  margin: 0;
  color: #ddd;
  max-width: calc(100% - 16px);
}

/* temporary notes */
.rfcEditorRemove::before {
  position: absolute;
  top: 0.2em;
  right: 0.2em;
  padding: 0.2em;
  content: 'The RFC Editor will remove this note';
  color: #9e2a00; /* Arlen: WCAG 2019 */
  background-color: #ffd; /* Arlen: WCAG 2019 */
}
.rfcEditorRemove {
  position: relative;
  padding-top: 1.8em;
  background-color: #ffd; /* Arlen: WCAG 2019 */
  border-radius: 3px;
}
.cref {
  background-color: #ffd; /* Arlen: WCAG 2019 */
  padding: 2px 4px;
}
.crefSource {
  font-style: italic;
}
/* alternative layout for smaller screens */
@media screen and (max-width: 1023px) {
  body {
    padding-top: 2em;
  }
  #title {
    padding: 1em 0;
  }
  h1 {
    font-size: 24px;
  }
  h2 {
    font-size: 20px;
    margin-top: -18px; /* provide offset for in-page anchors */
    padding-top: 38px;
  }
  #identifiers dd {
    max-width: 60%;
  }
  #toc {
    position: fixed;
    z-index: 2;
    top: 0;
    right: 0;
    padding: 0;
    margin: 0;
    background-color: inherit;
    border-bottom: 1px solid #ccc;
  }
  #toc h2 {
    margin: -1px 0 0 0;
    padding: 4px 0 4px 6px;
    padding-right: 1em;
    min-width: 190px;
    font-size: 1.1em;
    text-align: right;
    background-color: #444;
    color: white;
    cursor: pointer;
  }
  #toc h2::before {
    /* css hamburger */
    float: right;
    position: relative;
    width: 1em;
    height: 1px;
    left: -164px;
    margin: 6px 0 0 0;
    background: white none repeat scroll 0 0;
    box-shadow:
      0 4px 0 0 white,
      0 8px 0 0 white;
    content: '';
  }
  #toc nav {
    display: none;
    padding: 0.5em 1em 1em;
    overflow: auto;
    height: calc(100vh - 48px);
    border-left: 1px solid #ddd;
  }
}

/* alternative layout for wide screens */
@media screen and (min-width: 1024px) {
  body {
    max-width: 724px;
    margin: 42px auto;
    padding-left: 1.5em;
    padding-right: 29em;
  }
  #toc {
    position: fixed;
    top: 42px;
    right: 42px;
    width: 25%;
    margin: 0;
    padding: 0 1em;
    z-index: 1;
  }
  #toc h2 {
    border-top: none;
    border-bottom: 1px solid #ddd;
    font-size: 1em;
    font-weight: normal;
    margin: 0;
    padding: 0.25em 1em 1em 0;
  }
  #toc nav {
    display: block;
    height: calc(90vh - 84px);
    bottom: 0;
    padding: 0.5em 0 0;
    overflow: auto;
  }
  img {
    /* future proofing */
    max-width: 100%;
    height: auto;
  }
}

/* pagination */
@media print {
  body {
    width: 100%;
  }
  p {
    orphans: 3;
    widows: 3;
  }
  #n-copyright-notice {
    border-bottom: none;
  }
  #toc,
  #n-introduction {
    page-break-before: always;
  }
  #toc {
    border-top: none;
    padding-top: 0;
  }
  figure,
  pre {
    page-break-inside: avoid;
  }
  figure {
    overflow: scroll;
  }
  .breakable pre {
    break-inside: auto;
  }
  h1,
  h2,
  h3,
  h4,
  h5,
  h6 {
    page-break-after: avoid;
  }
  h2 + *,
  h3 + *,
  h4 + *,
  h5 + *,
  h6 + * {
    page-break-before: avoid;
  }
  pre {
    white-space: pre-wrap;
    word-wrap: break-word;
    font-size: 10pt;
  }
  table {
    border: 1px solid #ddd;
  }
  td {
    border-top: 1px solid #ddd;
  }
}

/* This is commented out here, as the string-set: doesn't
   pass W3C validation currently */
/*
.ears thead .left {
  string-set: ears-top-left content();
}

.ears thead .center {
  string-set: ears-top-center content();
}

.ears thead .right {
  string-set: ears-top-right content();
}

.ears tfoot .left {
  string-set: ears-bottom-left content();
}

.ears tfoot .center {
  string-set: ears-bottom-center content();
}

.ears tfoot .right {
  string-set: ears-bottom-right content();
}
*/

@page :first {
  padding-top: 0;
  @top-left {
    content: normal;
    border: none;
  }
  @top-center {
    content: normal;
    border: none;
  }
  @top-right {
    content: normal;
    border: none;
  }
}

@page {
  size: A4;
  margin-bottom: 45mm;
  padding-top: 20px;
  /* The following is commented out here, but set appropriately by in code, as
     the content depends on the document */
  /*
  @top-left {
    content: 'Internet-Draft';
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-left {
    content: string(ears-top-left);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-center {
    content: string(ears-top-center);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-right {
    content: string(ears-top-right);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @bottom-left {
    content: string(ears-bottom-left);
    vertical-align: top;
    border-top: solid 1px #ccc;
  }
  @bottom-center {
    content: string(ears-bottom-center);
    vertical-align: top;
    border-top: solid 1px #ccc;
  }
  @bottom-right {
      content: '[Page ' counter(page) ']';
      vertical-align: top;
      border-top: solid 1px #ccc;
  }
  */
}

/* Changes introduced to fix issues found during implementation */
/* Make sure links are clickable even if overlapped by following H* */
a {
  z-index: 2;
}
/* Separate body from document info even without intervening H1 */
section {
  clear: both;
}

/* Top align author divs, to avoid names without organization dropping level with org names */
.author {
  vertical-align: top;
}

/* Leave room in document info to show Internet-Draft on one line */
#identifiers dt {
  width: 8em;
}

/* Don't waste quite as much whitespace between label and value in doc info */
#identifiers dd {
  margin-left: 1em;
}

/* Give floating toc a background color (needed when it's a div inside section */
#toc {
  background-color: white;
}

/* Make the collapsed ToC header render white on gray also when it's a link */
@media screen and (max-width: 1023px) {
  #toc h2 a,
  #toc h2 a:link,
  #toc h2 a:focus,
  #toc h2 a:hover,
  #toc a.toplink,
  #toc a.toplink:hover {
    color: white;
    background-color: #444;
    text-decoration: none;
  }
}

/* Give the bottom of the ToC some whitespace */
@media screen and (min-width: 1024px) {
  #toc {
    padding: 0 0 1em 1em;
  }
}

/* Style section numbers with more space between number and title */
.section-number {
  padding-right: 0.5em;
}

/* prevent monospace from becoming overly large */
tt,
code,
pre {
  font-size: 95%;
}

/* Fix the height/width aspect for ascii art*/
.sourcecode pre,
.art-text pre {
  line-height: 1.12;
}

/* Add styling for a link in the ToC that points to the top of the document */
a.toplink {
  float: right;
  margin-right: 0.5em;
}

/* Fix the dl styling to match the RFC 7992 attributes */
dl > dt,
dl.dlParallel > dt {
  float: left;
  margin-right: 1em;
}
dl.dlNewline > dt {
  float: none;
}

/* Provide styling for table cell text alignment */
table td.text-left,
table th.text-left {
  text-align: left;
}
table td.text-center,
table th.text-center {
  text-align: center;
}
table td.text-right,
table th.text-right {
  text-align: right;
}

/* Make the alternative author contact information look less like just another
   author, and group it closer with the primary author contact information */
.alternative-contact {
  margin: 0.5em 0 0.25em 0;
}
address .non-ascii {
  margin: 0 0 0 2em;
}

/* With it being possible to set tables with alignment
  left, center, and right, { width: 100%; } does not make sense */
table {
  width: auto;
}

/* Avoid reference text that sits in a block with very wide left margin,
   because of a long floating dt label.*/
.references dd {
  overflow: visible;
}

/* Control caption placement */
caption {
  caption-side: bottom;
}

/* Limit the width of the author address vcard, so names in right-to-left
   script don't end up on the other side of the page. */

address.vcard {
  max-width: 30em;
  margin-right: auto;
}

/* For address alignment dependent on LTR or RTL scripts */
address div.left {
  text-align: left;
}
address div.right {
  text-align: right;
}

/* Provide table alignment support.  We can't use the alignX classes above
   since they do unwanted things with caption and other styling. */
table.right {
  margin-left: auto;
  margin-right: 0;
}
table.center {
  margin-left: auto;
  margin-right: auto;
}
table.left {
  margin-left: 0;
  margin-right: auto;
}

/* Give the table caption label the same styling as the figcaption */
caption a[href] {
  color: #222;
}

@media print {
  .toplink {
    display: none;
  }

  /* avoid overwriting the top border line with the ToC header */
  #toc {
    padding-top: 1px;
  }

  /* Avoid page breaks inside dl and author address entries */
  .vcard {
    page-break-inside: avoid;
  }
}
/* Tweak the bcp14 keyword presentation */
.bcp14 {
  font-variant: small-caps;
  font-weight: bold;
  font-size: 0.9em;
}
/* Tweak the invisible space above H* in order not to overlay links in text above */
h2 {
  margin-top: -18px; /* provide offset for in-page anchors */
  padding-top: 31px;
}
h3 {
  margin-top: -18px; /* provide offset for in-page anchors */
  padding-top: 24px;
}
h4 {
  margin-top: -18px; /* provide offset for in-page anchors */
  padding-top: 24px;
}
/* Float artwork pilcrow to the right */
@media screen {
  .artwork a.pilcrow {
    display: block;
    line-height: 0.7;
    margin-top: 0.15em;
  }
}
/* Make pilcrows on dd visible */
@media screen {
  dd:hover > a.pilcrow {
    visibility: visible;
  }
}
/* Make the placement of figcaption match that of a table's caption
   by removing the figure's added bottom margin */
.alignLeft.art-text,
.alignCenter.art-text,
.alignRight.art-text {
  margin-bottom: 0;
}
.alignLeft,
.alignCenter,
.alignRight {
  margin: 1em 0 0 0;
}
/* In print, the pilcrow won't show on hover, so prevent it from taking up space,
   possibly even requiring a new line */
@media print {
  a.pilcrow {
    display: none;
  }
}
/* Styling for the external metadata */
div#external-metadata {
  background-color: #eee;
  padding: 0.5em;
  margin-bottom: 0.5em;
  display: none;
}
div#internal-metadata {
  padding: 0.5em; /* to match the external-metadata padding */
}
/* Styling for title RFC Number */
h1#rfcnum {
  clear: both;
  margin: 0 0 -1em;
  padding: 1em 0 0 0;
}
/* Make .olPercent look the same as <ol><li> */
dl.olPercent > dd {
  margin-bottom: 0.25em;
  min-height: initial;
}
/* Give aside some styling to set it apart */
aside {
  border-left: 1px solid #ddd;
  margin: 1em 0 1em 2em;
  padding: 0.2em 2em;
}
aside > dl,
aside > ol,
aside > ul,
aside > table,
aside > p {
  margin-bottom: 0.5em;
}
/* Additional page break settings */
@media print {
  figcaption,
  table caption {
    page-break-before: avoid;
  }
}
/* Font size adjustments for print */
@media print {
  body {
    font-size: 10pt;
    line-height: normal;
    max-width: 96%;
  }
  h1 {
    font-size: 1.72em;
    padding-top: 1.5em;
  } /* 1*1.2*1.2*1.2 */
  h2 {
    font-size: 1.44em;
    padding-top: 1.5em;
  } /* 1*1.2*1.2 */
  h3 {
    font-size: 1.2em;
    padding-top: 1.5em;
  } /* 1*1.2 */
  h4 {
    font-size: 1em;
    padding-top: 1.5em;
  }
  h5,
  h6 {
    font-size: 1em;
    margin: initial;
    padding: 0.5em 0 0.3em;
  }
}
/* Sourcecode margin in print, when there's no pilcrow */
@media print {
  .artwork,
  .artwork > pre,
  .sourcecode {
    margin-bottom: 1em;
  }
}
/* Avoid narrow tables forcing too narrow table captions, which may render badly */
table {
  min-width: 20em;
}
/* ol type a */
ol.type-a {
  list-style-type: lower-alpha;
}
ol.type-A {
  list-style-type: upper-alpha;
}
ol.type-i {
  list-style-type: lower-roman;
}
ol.type-I {
  list-style-type: lower-roman;
}
/* Apply the print table and row borders in general, on request from the RPC,
and increase the contrast between border and odd row background slightly */
table {
  border: 1px solid #ddd;
}
td {
  border-top: 1px solid #ddd;
}
tr {
  break-inside: avoid;
}
tr:nth-child(2n + 1) > td {
  background-color: #f8f8f8;
}
/* Use style rules to govern display of the TOC. */
@media screen and (max-width: 1023px) {
  #toc nav {
    display: none;
  }
  #toc.active nav {
    display: block;
  }
}
/* Add support for keepWithNext */
.keepWithNext {
  break-after: avoid-page;
  break-after: avoid-page;
}
/* Add support for keepWithPrevious */
.keepWithPrevious {
  break-before: avoid-page;
}
/* Change the approach to avoiding breaks inside artwork etc. */
figure,
pre,
table,
.artwork,
.sourcecode {
  break-before: auto;
  break-after: auto;
}
/* Avoid breaks between <dt> and <dd> */
dl {
  break-before: auto;
  break-inside: auto;
}
dt {
  break-before: auto;
  break-after: avoid-page;
}
dd {
  break-before: avoid-page;
  break-after: auto;
  orphans: 3;
  widows: 3;
}
span.break,
dd.break {
  margin-bottom: 0;
  min-height: 0;
  break-before: auto;
  break-inside: auto;
  break-after: auto;
}
/* Undo break-before ToC */
@media print {
  #toc {
    break-before: auto;
  }
}
/* Text in compact lists should not get extra bottom margin space,
   since that would makes the list not compact */
ul.compact p,
.ulCompact p,
ol.compact p,
.olCompact p {
  margin: 0;
}
/* But the list as a whole needs the extra space at the end */
section ul.compact,
section .ulCompact,
section ol.compact,
section .olCompact {
  margin-bottom: 1em; /* same as p not within ul.compact etc. */
}
/* The tt and code background above interferes with for instance table cell
   backgrounds.  Changed to something a bit more selective. */
tt,
code {
  background-color: transparent;
}
p tt,
p code,
li tt,
li code {
  background-color: #f8f8f8;
}
/* Tweak the pre margin -- 0px doesn't come out well */
pre {
  margin-top: 0.5px;
}
/* Tweak the compact list text */
ul.compact,
.ulCompact,
ol.compact,
.olCompact,
dl.compact,
.dlCompact {
  line-height: normal;
}
/* Don't add top margin for nested lists */
li > ul,
li > ol,
li > dl,
dd > ul,
dd > ol,
dd > dl,
dl > dd > dl {
  margin-top: initial;
}
/* Elements that should not be rendered on the same line as a <dt> */
/* This should match the element list in writer.text.TextWriter.render_dl() */
dd > div.artwork:first-child,
dd > aside:first-child,
dd > figure:first-child,
dd > ol:first-child,
dd > div.sourcecode:first-child,
dd > table:first-child,
dd > ul:first-child {
  clear: left;
}
/* fix for weird browser behaviour when <dd/> is empty */
dt + dd:empty::before {
  content: '\00a0';
}
/* Make paragraph spacing inside <li> smaller than in body text, to fit better within the list */
li > p {
  margin-bottom: 0.5em;
}
/* Don't let p margin spill out from inside list items */
li > p:last-of-type:only-child {
  margin-bottom: 0;
}
</style>
<script type="application/javascript">async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(let t=0;t<e.length;t++)if(/#identifiers/.exec(e[t].selectorText)){const a=e[t].cssText.replace("#identifiers","#external-updates");document.styleSheets[0].insertRule(a,document.styleSheets[0].cssRules.length)}}catch(e){console.log(e)}const e=document.getElementById("external-metadata");if(e)try{var t,a="",o=function(e){const t=document.getElementsByTagName("meta");for(let a=0;a<t.length;a++)if(t[a].getAttribute("name")===e)return t[a].getAttribute("content");return""}("rfc.number");if(o){t="https://www.rfc-editor.org/rfc/rfc"+o+".json";try{const e=await fetch(t);a=await e.json()}catch(e){t=document.URL.indexOf("html")>=0?document.URL.replace(/html$/,"json"):document.URL+".json";const o=await fetch(t);a=await o.json()}}if(!a)return;e.style.display="block";const s="",d="https://datatracker.ietf.org/doc",n="https://datatracker.ietf.org/ipr/search",c="https://www.rfc-editor.org/info",l=a.doc_id.toLowerCase(),i=a.doc_id.slice(0,3).toLowerCase(),f=a.doc_id.slice(3).replace(/^0+/,""),u={status:"Status",obsoletes:"Obsoletes",obsoleted_by:"Obsoleted By",updates:"Updates",updated_by:"Updated By",see_also:"See Also",errata_url:"Errata"};let h="<dl style='overflow:hidden' id='external-updates'>";["status","obsoletes","obsoleted_by","updates","updated_by","see_also","errata_url"].forEach(e=>{if("status"==e){a[e]=a[e].toLowerCase();var t=a[e].split(" "),o=t.length,w="",p=1;for(let e=0;e<o;e++)p<o?w=w+r(t[e])+" ":w+=r(t[e]),p++;a[e]=w}else if("obsoletes"==e||"obsoleted_by"==e||"updates"==e||"updated_by"==e){var g,m="",b=1;g=a[e].length;for(let t=0;t<g;t++)a[e][t]&&(a[e][t]=String(a[e][t]).toLowerCase(),m=b<g?m+"<a href='"+s+"/rfc/".concat(a[e][t])+"'>"+a[e][t].slice(3)+"</a>, ":m+"<a href='"+s+"/rfc/".concat(a[e][t])+"'>"+a[e][t].slice(3)+"</a>",b++);a[e]=m}else if("see_also"==e){var y,L="",C=1;y=a[e].length;for(let 
t=0;t<y;t++)if(a[e][t]){a[e][t]=String(a[e][t]);var _=a[e][t].slice(0,3),v=a[e][t].slice(3).replace(/^0+/,"");L=C<y?"RFC"!=_?L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+_+" "+v+"</a>, ":L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+v+"</a>, ":"RFC"!=_?L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+_+" "+v+"</a>":L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+v+"</a>",C++}a[e]=L}else if("errata_url"==e){var R="";R=a[e]?R+"<a href='"+a[e]+"'>Errata exist</a> | <a href='"+d+"/"+l+"'>Datatracker</a>| <a href='"+n+"/?"+i+"="+f+"&submit="+i+"'>IPR</a> | <a href='"+c+"/"+l+"'>Info page</a>":"<a href='"+d+"/"+l+"'>Datatracker</a> | <a href='"+n+"/?"+i+"="+f+"&submit="+i+"'>IPR</a> | <a href='"+c+"/"+l+"'>Info page</a>",a[e]=R}""!=a[e]?"Errata"==u[e]?h+=`<dt>More info:</dt><dd>${a[e]}</dd>`:h+=`<dt>${u[e]}:</dt><dd>${a[e]}</dd>`:"Errata"==u[e]&&(h+=`<dt>More info:</dt><dd>${a[e]}</dd>`)}),h+="</dl>",e.innerHTML=h}catch(e){console.log(e)}else console.log("Could not locate metadata <div> element");function r(e){return e.charAt(0).toUpperCase()+e.slice(1)}}window.removeEventListener("load",addMetadata),window.addEventListener("load",addMetadata);</script>
</head>
<body class="xml2rfc">
<script src="metadata.min.js"></script>
<table class="ears">
<thead><tr>
<td class="left"></td>
<td class="center">Draft: OpenPGP Key Policy</td>
<td class="right">February 2024</td>
</tr></thead>
<tfoot><tr>
<td class="left">Saggi</td>
<td class="center">Informational</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
<div id="external-metadata" class="document-information"></div>
<div id="internal-metadata" class="document-information">
<dl id="identifiers">
<dt class="label-workgroup">Workgroup:</dt>
<dd class="workgroup">Ersei Working Group</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2024-02-01" class="published">1 February 2024</time>
    </dd>
<dt class="label-authors">Author:</dt>
<dd class="authors">
<div class="author">
      <div class="author-name">E. Saggi, <span class="editor">Ed.</span>
</div>
<div class="org">Ersei.net</div>
</div>
</dd>
</dl>
</div>
<h1 id="title">[DRAFT] OpenPGP Key Policy</h1>
<section id="section-abstract">
      <h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
<p id="section-abstract-1">This document describes the cryptographic methods and security precautions for Ersei
 Saggi's PGP keys, as well as their PGP signature policy. All keys signed by "05D3
 E019 2231 9A75 86B4 B8D5 023F F4C1 A9D6 BAFD" are subject to this policy, unless if
 this policy is updated as per <a href="#s_rfc_validation" class="internal xref">RFC Validation</a>.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
</section>
<div id="toc">
<section id="section-toc.1">
        <a href="#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
        </h2>
<nav class="toc"><ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1">
            <p id="section-toc.1-1.1.1" class="keepWithNext"><a href="#section-1" class="auto internal xref">1</a>.  <a href="#name-introduction" class="internal xref">Introduction</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1.2.1">
                <p id="section-toc.1-1.1.2.1.1" class="keepWithNext"><a href="#section-1.1" class="auto internal xref">1.1</a>.  <a href="#name-requirements-language" class="internal xref">Requirements Language</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1.2.2">
                <p id="section-toc.1-1.1.2.2.1" class="keepWithNext"><a href="#section-1.2" class="auto internal xref">1.2</a>.  <a href="#name-keys" class="internal xref">Keys</a></p>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2">
            <p id="section-toc.1-1.2.1"><a href="#section-2" class="auto internal xref">2</a>.  <a href="#name-certification-requirements" class="internal xref">Certification Requirements</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3">
            <p id="section-toc.1-1.3.1"><a href="#section-3" class="auto internal xref">3</a>.  <a href="#name-legal-entity-validation" class="internal xref">Legal Entity Validation</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4">
            <p id="section-toc.1-1.4.1"><a href="#section-4" class="auto internal xref">4</a>.  <a href="#name-name-change-policy" class="internal xref">Name Change Policy</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5">
            <p id="section-toc.1-1.5.1"><a href="#section-5" class="auto internal xref">5</a>.  <a href="#name-key-signing-process" class="internal xref">Key Signing Process</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6">
            <p id="section-toc.1-1.6.1"><a href="#section-6" class="auto internal xref">6</a>.  <a href="#name-key-security" class="internal xref">Key Security</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7">
            <p id="section-toc.1-1.7.1"><a href="#section-7" class="auto internal xref">7</a>.  <a href="#name-rfc-validation" class="internal xref">RFC Validation</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8">
            <p id="section-toc.1-1.8.1"><a href="#section-8" class="auto internal xref">8</a>.  <a href="#name-references" class="internal xref">References</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.1">
                <p id="section-toc.1-1.8.2.1.1"><a href="#section-8.1" class="auto internal xref">8.1</a>.  <a href="#name-normative-references" class="internal xref">Normative References</a></p>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9">
            <p id="section-toc.1-1.9.1"><a href="#appendix-A" class="auto internal xref"></a><a href="#name-contributors" class="internal xref">Contributors</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10">
            <p id="section-toc.1-1.10.1"><a href="#appendix-B" class="auto internal xref"></a><a href="#name-authors-address" class="internal xref">Author's Address</a></p>
</li>
        </ul>
</nav>
</section>
</div>
<section id="section-1">
      <h2 id="name-introduction">
<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
      </h2>
<section id="section-1.1">
        <h3 id="name-requirements-language">
<a href="#section-1.1" class="section-number selfRef">1.1. </a><a href="#name-requirements-language" class="section-name selfRef">Requirements Language</a>
        </h3>
<p id="section-1.1-1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
 "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this
 document are to be interpreted as described in IETF BCP 14 <span>[<a href="#RFC2119" class="cite xref">RFC2119</a>]</span>
          <span>[<a href="#RFC8174" class="cite xref">RFC8174</a>]</span> when, and only when, they appear in all capitals, as
 shown here.<a href="#section-1.1-1" class="pilcrow">¶</a></p>
</section>
<section id="section-1.2">
        <h3 id="name-keys">
<a href="#section-1.2" class="section-number selfRef">1.2. </a><a href="#name-keys" class="section-name selfRef">Keys</a>
        </h3>
<p id="section-1.2-1">All keys may use this policy, unless a subsequent policy has been published at
 the policy URL.<a href="#section-1.2-1" class="pilcrow">¶</a></p>
</section>
</section>
<div id="s_certification_requirements">
<section id="section-2">
      <h2 id="name-certification-requirements">
<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-certification-requirements" class="section-name selfRef">Certification Requirements</a>
      </h2>
<p id="section-2-1">The name of a given individual (that is, the personal identifier which they prefer to
 be referred to by) should be based on what the individual desires to be called,
 insofar as the individual's desire is not in an attempt to defraud or confuse.<a href="#section-2-1" class="pilcrow">¶</a></p>
<p id="section-2-2">Individual validations are not strictly performed on the basis of legal identity. In
 contrast, organizational/group validations will be performed on the basis of control
 over a given entity's existing presence.<a href="#section-2-2" class="pilcrow">¶</a></p>
<p id="section-2-3">All validations confirm that the user at a given e-mail address maintains the private
 key which has been signed.<a href="#section-2-3" class="pilcrow">¶</a></p>
<table class="center" id="table-1">
        <caption><a href="#table-1" class="selfRef">Table 1</a></caption>
<thead>
          <tr>
            <th class="text-left" rowspan="1" colspan="1">Type</th>
            <th class="text-left" rowspan="1" colspan="1">Definition</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td class="text-left" rowspan="1" colspan="1">sig0: Undefined</td>
            <td class="text-left" rowspan="1" colspan="1">Signatures MUST NOT issued at this level under this
 policy.</td>
          </tr>
          <tr>
            <td class="text-left" rowspan="1" colspan="1">sig1: Basic</td>
            <td class="text-left" rowspan="1" colspan="1">A reasonable belief the key is held by the listed entity on the
 basis of interaction. The validation is entirely
 contextual; in person interaction is OPTIONAL.
 </td>
          </tr>
          <tr>
            <td class="text-left" rowspan="1" colspan="1">sig2: Medium</td>
            <td class="text-left" rowspan="1" colspan="1">Physically MUST meet the individual (or, in the instance of an
 organization/group, an empowered representative of the group) and MUST
 confirm their PGP fingerprint with them. Furthermore, one of the
 following MUST be verified:

 The identifier matches their legal name on at least one legal document
 issued by a recognized entity;

 The identifier matches the name that is used on a day-to-day basis;

 In the instance of organizations, they are capable of demonstrating
 control over organizational resources in a manner that only an empowered
 member would be able to perform.</td>
          </tr>
          <tr>
            <td class="text-left" rowspan="1" colspan="1">sig3: Strong</td>
            <td class="text-left" rowspan="1" colspan="1">In addition to the requirements for sig2 validation, one of the
 following MUST be true:

 The identifier MUST match their legal name on at least two legal
 documents, issued by at least two valid distinct legal entities;
 Personally know the individual by the listed identifier for at
 least a six month period, during which they MUST have used it as a
 primary active identifier;

 In the instance of organizations, the representative MUST have be
 publicly identifiable as a reasonably empowered organizational
 representative for a period of at least 1 month.</td>
          </tr>
        </tbody>
      </table>
</section>
</div>
<section id="section-3">
      <h2 id="name-legal-entity-validation">
<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-legal-entity-validation" class="section-name selfRef">Legal Entity Validation</a>
    </h2>
</section>
<section id="section-4">
      <h2 id="name-name-change-policy">
<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-name-change-policy" class="section-name selfRef">Name Change Policy</a>
      </h2>
<p id="section-4-1">In the event of a name change (and thus a UID change), the previously-valid
 signatures will no longer be valid. In this situation, the owners of the signed keys
 MAY request a new signature through a secure channel (if digital, the message MUST
 be signed with the previous key). The new signature is again subject to <a href="#s_certification_requirements" class="internal xref">Certification Requirements</a>.<a href="#section-4-1" class="pilcrow">¶</a></p>
</section>
<section id="section-5">
      <h2 id="name-key-signing-process">
<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-key-signing-process" class="section-name selfRef">Key Signing Process</a>
    </h2>
</section>
<section id="section-6">
      <h2 id="name-key-security">
<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-key-security" class="section-name selfRef">Key Security</a>
      </h2>
<p id="section-6-1">All keys described in this document were generated on internet-connected
 consumer-grade hardware running exclusively free software (but not firmware). All
 keys are stored on a Yubikey 5 configured to use PIN authentication for all
 sessions, as well as a confirmation push for all operations. All pins are memorized
 and not stored.<a href="#section-6-1" class="pilcrow">¶</a></p>
<p id="section-6-2">There is a backup Yubikey 5 that contains the same key material in the event of loss.
 An encrypted backup is made of the private key material and is stored in an
 encrypted password manager that syncs to a private Bitwarden instance, which has
 further encrypted backups made.<a href="#section-6-2" class="pilcrow">¶</a></p>
<p id="section-6-3">In the event of suspected theft of the main key, revocations certificates MUST be
 issued.<a href="#section-6-3" class="pilcrow">¶</a></p>
<p id="section-6-4">In the event a key is being retired, replaced, or otherwise superseded while not
 being compromised, a revocation certificate will be generated that details the
 supersession as well as the fingerprint of the new key. The new key MUST have equal
 or greater security measures in place.<a href="#section-6-4" class="pilcrow">¶</a></p>
</section>
<div id="s_rfc_validation">
<section id="section-7">
      <h2 id="name-rfc-validation">
<a href="#section-7" class="section-number selfRef">7. </a><a href="#name-rfc-validation" class="section-name selfRef">RFC Validation</a>
      </h2>
<p id="section-7-1">In the event of a takeover, misconfiguration of this policy document, or paranoia, it
 may be necessary to verify authorship of this RFC. This document is generated from
 sources residing at the Git repository <a href="https://git.sr.ht/~fd/rfc.ersei.net">git.sr.ht/~fd/rfc.ersei.net</a>.
 All commits made to that repository MUST be signed and SHOULD be verified.<a href="#section-7-1" class="pilcrow">¶</a></p>
</section>
</div>
<section id="section-8">
      <h2 id="name-references">
<a href="#section-8" class="section-number selfRef">8. </a><a href="#name-references" class="section-name selfRef">References</a>
      </h2>
<section id="section-8.1">
        <h3 id="name-normative-references">
<a href="#section-8.1" class="section-number selfRef">8.1. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
        </h3>
<dl class="references">
<dt id="RFC2119">[RFC2119]</dt>
        <dd>
<span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03" class="refDate">March 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc2119">https://www.rfc-editor.org/info/rfc2119</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8174">[RFC8174]</dt>
        <dd>
<span class="refAuthor">Leiba, B.</span>, <span class="refTitle">"Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 8174</span>, <span class="seriesInfo">DOI 10.17487/RFC8174</span>, <time datetime="2017-05" class="refDate">May 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8174">https://www.rfc-editor.org/info/rfc8174</a>&gt;</span>. </dd>
<dd class="break"></dd></dl>
</section>
</section>
<div id="Contributors">
<section id="appendix-A">
      <h2 id="name-contributors">
<a href="#name-contributors" class="section-name selfRef">Contributors</a>
      </h2>
<p id="appendix-A-1">Thanks to all of the contributors.<a href="#appendix-A-1" class="pilcrow">¶</a></p>
<p id="appendix-A-2">Based on <a href="https://igloo.to/keypolicy.txt.asc">Slater's keysigning policy</a>
 .<a href="#appendix-A-2" class="pilcrow">¶</a></p>
<p id="appendix-A-3">Contribute at <a href="https://git.sr.ht/~fd/rfc.ersei.net">
 git.sr.ht/~fd/rfc.ersei.net</a>.<a href="#appendix-A-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="authors-addresses">
<section id="appendix-B">
      <h2 id="name-authors-address">
<a href="#name-authors-address" class="section-name selfRef">Author's Address</a>
      </h2>
<address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">Ersei Saggi (<span class="role">editor</span>)</span></div>
<div dir="auto" class="left"><span class="org">Ersei.net</span></div>
</address>
</section>
</div>
<script>const toc = document.getElementById("toc");
toc.querySelector("h2").addEventListener("click", e => {
  toc.classList.toggle("active");
});
toc.querySelector("nav").addEventListener("click", e => {
  toc.classList.remove("active");
});
</script>
</body>
</html>
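Review bot: Sections 3 "Legal Entity Validation" and 5 "Key Signing Process" render as bare headings with no body, and Section 1.2 tells keys to look for a superseding policy at "the policy URL" without ever stating that URL, so a reader of the published HTML cannot tell where a replacement policy would appear. The alternatives in the sig2 and sig3 cells of Table 1 are separated only by blank lines inside the `<td>`, which the browser collapses, so the three "one of the following" options read as one run-on cell. All of this originates in src/2.xml (empty `<section>`s, no URL, no `<ul>` inside the table cells); fix it there and regenerate this file rather than editing the HTML by hand.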

A public/rfcs/2.txt => public/rfcs/2.txt +280 -0
@@ 0,0 1,280 @@




Ersei Working Group                                        E. Saggi, Ed.
                                                               Ersei.net
                                                         1 February 2024


                       [DRAFT] OpenPGP Key Policy
                   draft-pgp-web-of-trust-key-policy

Abstract

   This document describes the cryptographic methods and security
   precautions for Ersei Saggi's PGP keys, as well as their PGP
   signature policy.  All keys signed by "05D3 E019 2231 9A75 86B4 B8D5
   023F F4C1 A9D6 BAFD" are subject to this policy, unless if this
   policy is updated as per RFC Validation.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   1
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   1
     1.2.  Keys  . . . . . . . . . . . . . . . . . . . . . . . . . .   1
   2.  Certification Requirements  . . . . . . . . . . . . . . . . .   2
   3.  Legal Entity Validation . . . . . . . . . . . . . . . . . . .   3
   4.  Name Change Policy  . . . . . . . . . . . . . . . . . . . . .   4
   5.  Key Signing Process . . . . . . . . . . . . . . . . . . . . .   4
   6.  Key Security  . . . . . . . . . . . . . . . . . . . . . . . .   4
   7.  RFC Validation  . . . . . . . . . . . . . . . . . . . . . . .   4
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   4
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   4
   Contributors  . . . . . . . . . . . . . . . . . . . . . . . . . .   5
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Introduction

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   IETF BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in
   all capitals, as shown here.

1.2.  Keys

   All keys may use this policy, unless a subsequent policy has been
   published at the policy URL.





Saggi                         Informational                     [Page 1]

                        Draft: OpenPGP Key Policy          February 2024


2.  Certification Requirements

   The name of a given individual (that is, the personal identifier
   which they prefer to be referred to by) should be based on what the
   individual desires to be called, insofar as the individual's desire
   is not in an attempt to defraud or confuse.

   Individual validations are not strictly performed on the basis of
   legal identity.  In contrast, organizational/group validations will
   be performed on the basis of control over a given entity's existing
   presence.

   All validations confirm that the user at a given e-mail address
   maintains the private key which has been signed.





































Saggi                         Informational                     [Page 2]

                        Draft: OpenPGP Key Policy          February 2024


    +===========+====================================================+
    | Type      | Definition                                         |
    +===========+====================================================+
    | sig0:     | Signatures MUST NOT issued at this level under     |
    | Undefined | this policy.                                       |
    +-----------+----------------------------------------------------+
    | sig1:     | A reasonable belief the key is held by the listed  |
    | Basic     | entity on the basis of interaction.  The           |
    |           | validation is entirely contextual; in person       |
    |           | interaction is OPTIONAL.                           |
    +-----------+----------------------------------------------------+
    | sig2:     | Physically MUST meet the individual (or, in the    |
    | Medium    | instance of an organization/group, an empowered    |
    |           | representative of the group) and MUST confirm      |
    |           | their PGP fingerprint with them.  Furthermore, one |
    |           | of the following MUST be verified: The identifier  |
    |           | matches their legal name on at least one legal     |
    |           | document issued by a recognized entity; The        |
    |           | identifier matches the name that is used on a day- |
    |           | to-day basis; In the instance of organizations,    |
    |           | they are capable of demonstrating control over     |
    |           | organizational resources in a manner that only an  |
    |           | empowered member would be able to perform.         |
    +-----------+----------------------------------------------------+
    | sig3:     | In addition to the requirements for sig2           |
    | Strong    | validation, one of the following MUST be true: The |
    |           | identifier MUST match their legal name on at least |
    |           | two legal documents, issued by at least two valid  |
    |           | distinct legal entities; Personally know the       |
    |           | individual by the listed identifier for at least a |
    |           | six month period, during which they MUST have used |
    |           | it as a primary active identifier; In the instance |
    |           | of organizations, the representative MUST have be  |
    |           | publicly identifiable as a reasonably empowered    |
    |           | organizational representative for a period of at   |
    |           | least 1 month.                                     |
    +-----------+----------------------------------------------------+

                                 Table 1

3.  Legal Entity Validation










Saggi                         Informational                     [Page 3]

                        Draft: OpenPGP Key Policy          February 2024


4.  Name Change Policy

   In the event of a name change (and thus a UID change), the
   previously-valid signatures will no longer be valid.  In this
   situation, the owners of the signed keys MAY request a new signature
   through a secure channel (if digital, the message MUST be signed with
   the previous key).  The new signature is again subject to
   Certification Requirements.

5.  Key Signing Process

6.  Key Security

   All keys described in this document were generated on internet-
   connected consumer-grade hardware running exclusively free software
   (but not firmware).  All keys are stored on a Yubikey 5 configured to
   use PIN authentication for all sessions, as well as a confirmation
   push for all operations.  All pins are memorized and not stored.

   There is a backup Yubikey 5 that contains the same key material in
   the event of loss.  An encrypted backup is made of the private key
   material and is stored in an encrypted password manager that syncs to
   a private Bitwarden instance, which has further encrypted backups
   made.

   In the event of suspected theft of the main key, revocations
   certificates MUST be issued.

   In the event a key is being retired, replaced, or otherwise
   superseded while not being compromised, a revocation certificate will
   be generated that details the supersession as well as the fingerprint
   of the new key.  The new key MUST have equal or greater security
   measures in place.

7.  RFC Validation

   In the event of a takeover, misconfiguration of this policy document,
   or paranoia, it may be necessary to verify authorship of this RFC.
   This document is generated from sources residing at the Git
   repository git.sr.ht/~fd/rfc.ersei.net (https://git.sr.ht/~fd/
   rfc.ersei.net).  All commits made to that repository MUST be signed
   and SHOULD be verified.

8.  References

8.1.  Normative References





Saggi                         Informational                     [Page 4]

                        Draft: OpenPGP Key Policy          February 2024


   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

Contributors

   Thanks to all of the contributors.

   Based on Slater's keysigning policy (https://igloo.to/
   keypolicy.txt.asc) .

   Contribute at git.sr.ht/~fd/rfc.ersei.net (https://git.sr.ht/~fd/
   rfc.ersei.net).

Author's Address

   Ersei Saggi (editor)
   Ersei.net




























Saggi                         Informational                     [Page 5]
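Review bot: In the plain-text rendering the sig2 and sig3 alternatives collapse into one sentence chained with semicolons ("...MUST be verified: The identifier matches their legal name ...; The identifier matches the name ...; In the instance of organizations ..."), which makes the "one of the following" condition hard to parse; a `<ul>` in the source would render here as separate bullets. Table 1 was moved whole to page 3, leaving page 2 with only three paragraphs, and "Slater's keysigning policy (https://igloo.to/ keypolicy.txt.asc) ." carries a stray space before the period because the `.` sits on its own line after the `<eref>` in the source. As with 2.html, regenerate this file after fixing src/2.xml.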

A src/2.xml => src/2.xml +176 -0
@@ 0,0 1,176 @@
<?xml version="1.0" encoding="utf-8"?>
<?xml-model href="rfc7991bis.rnc"?>
<!DOCTYPE rfc [
	<!ENTITY nbsp "&#160;">
	<!ENTITY zwsp "&#8203;">
	<!ENTITY nbhy "&#8209;">
	<!ENTITY wj "&#8288;">
]>

<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="info"
	docName="draft-pgp-web-of-trust-key-policy" ipr="none" obsoletes="" updates=""
	submissionType="IETF" xml:lang="en" version="3">
	<front>
		<title abbrev="Draft: OpenPGP Key Policy">[DRAFT] OpenPGP Key Policy</title>
		<seriesInfo name="Ersei-Draft" value="pgp-web-of-trust-key-policy" />
		<author fullname="Ersei Saggi" initials="E" role="editor" surname="Saggi">
			<organization>Ersei.net</organization>
		</author>
		<date day="1" month="February" year="2024" />
		<area>General</area>
		<workgroup>Ersei Working Group</workgroup>
		<abstract>
			<t>This document describes the cryptographic methods and security precautions for Ersei
				Saggi's PGP keys, as well as their PGP signature policy. All keys signed by "05D3
				E019 2231 9A75 86B4 B8D5 023F F4C1 A9D6 BAFD" are subject to this policy, unless if
				this policy is updated as per <xref target="s_rfc_validation" format="title" />.</t>
		</abstract>
	</front>
	<middle>
		<section>
			<name>Introduction</name>
			<section>
				<name>Requirements Language</name>
				<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
					"SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this
					document are to be interpreted as described in IETF BCP 14 <xref
						target="RFC2119" />
					<xref
						target="RFC8174" /> when, and only when, they appear in all capitals, as
					shown here.</t>
			</section>
			<section>
				<name>Keys</name>
				<t>All keys may use this policy, unless a subsequent policy has been published at
					the policy URL.</t>
			</section>
		</section>
		<section anchor="s_certification_requirements">
			<name>Certification Requirements</name>
			<t>The name of a given individual (that is, the personal identifier which they prefer to
				be referred to by) should be based on what the individual desires to be called,
				insofar as the individual's desire is not in an attempt to defraud or confuse.</t>

			<t>Individual validations are not strictly performed on the basis of legal identity. In
				contrast, organizational/group validations will be performed on the basis of control
				over a given entity's existing presence. </t>

			<t>All validations confirm that the user at a given e-mail address maintains the private
				key which has been signed.</t>
			<table>
				<thead>
					<tr>
						<th>Type</th>
						<th>Definition</th>
					</tr>
				</thead>
				<tbody>
					<tr>
						<td>sig0: Undefined</td>
						<td>Signatures MUST NOT issued at this level under this
							policy.</td>
					</tr>
					<tr>
						<td>sig1: Basic</td>
						<td>A reasonable belief the key is held by the listed entity on the
							basis of interaction. The validation is entirely
							contextual; in person interaction is OPTIONAL.
						</td>
					</tr>
					<tr>
						<td>sig2: Medium</td>
						<td>Physically MUST meet the individual (or, in the instance of an
							organization/group, an empowered representative of the group) and MUST
							confirm their PGP fingerprint with them. Furthermore, one of the
							following MUST be verified:

							The identifier matches their legal name on at least one legal document
							issued by a recognized entity;

							The identifier matches the name that is used on a day-to-day basis;

							In the instance of organizations, they are capable of demonstrating
							control over organizational resources in a manner that only an empowered
							member would be able to perform.</td>
					</tr>
					<tr>
						<td>sig3: Strong</td>
						<td>In addition to the requirements for sig2 validation, one of the
							following MUST be true:

							The identifier MUST match their legal name on at least two legal
							documents, issued by at least two valid distinct legal entities;
							Personally know the individual by the listed identifier for at
							least a six month period, during which they MUST have used it as a
							primary active identifier;

							In the instance of organizations, the representative MUST have be
							publicly identifiable as a reasonably empowered organizational
							representative for a period of at least 1 month.</td>
					</tr>
				</tbody>
			</table>
		</section>
		<section>
			<name>Legal Entity Validation</name>
		</section>
		<section>
			<name>Name Change Policy</name>
			<t>In the event of a name change (and thus a UID change), the previously-valid
				signatures will no longer be valid. In this situation, the owners of the signed keys
				MAY request a new signature through a secure channel (if digital, the message MUST
				be signed with the previous key). The new signature is again subject to <xref
					target="s_certification_requirements" format="title" />.</t>
		</section>
		<section>
			<name>Key Signing Process</name>
		</section>
		<section>
			<name>Key Security</name>
			<t>All keys described in this document were generated on internet-connected
				consumer-grade hardware running exclusively free software (but not firmware). All
				keys are stored on a Yubikey 5 configured to use PIN authentication for all
				sessions, as well as a confirmation push for all operations. All pins are memorized
				and not stored.</t>
			<t>There is a backup Yubikey 5 that contains the same key material in the event of loss.
				An encrypted backup is made of the private key material and is stored in an
				encrypted password manager that syncs to a private Bitwarden instance, which has
				further encrypted backups made.</t>
			<t>In the event of suspected theft of the main key, revocations certificates MUST be
				issued.</t>
			<t>In the event a key is being retired, replaced, or otherwise superseded while not
				being compromised, a revocation certificate will be generated that details the
				supersession as well as the fingerprint of the new key. The new key MUST have equal
				or greater security measures in place.</t>
		</section>
		<section anchor="s_rfc_validation">
			<name>RFC Validation</name>
			<t>In the event of a takeover, misconfiguration of this policy document, or paranoia, it
				may be necessary to verify authorship of this RFC. This document is generated from
				sources residing at the Git repository <eref
					target="https://git.sr.ht/~fd/rfc.ersei.net">git.sr.ht/~fd/rfc.ersei.net</eref>.
				All commits made to that repository MUST be signed and SHOULD be verified.</t>
		</section>
	</middle>
	<back>
		<references>
			<name>References</name>
			<references>
				<name>Normative References</name>
				<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml" />
				<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml" />
				<!-- The recommended and simplest way to include a well known reference -->
			</references>
		</references>
		<section anchor="Contributors" numbered="false">
			<!-- [REPLACE/DELETE] a Contributors section is optional -->
			<name>Contributors</name>
			<t>Thanks to all of the contributors.</t>
			<t>Based on <eref target="https://igloo.to/keypolicy.txt.asc">Slater's keysigning policy</eref>
				.</t>
			<!-- [CHECK] it is optional to add a <contact> record for some or all contributors -->
			<t>Contribute at <eref target="https://git.sr.ht/~fd/rfc.ersei.net">
				git.sr.ht/~fd/rfc.ersei.net</eref>.</t>
		</section>
	</back>
</rfc>
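Review bot: The `s_rfc_validation` section says commits "MUST be signed and SHOULD be verified" but never says which key signs them, so someone checking authorship after a repository takeover has nothing to verify against; state the signing key's fingerprint there (the abstract already names 05D3 E019 2231 9A75 86B4 B8D5 023F F4C1 A9D6 BAFD) and note that the fingerprint has to be obtained from somewhere other than the repository being verified. In Key Security, "revocations certificates MUST be issued" (also a typo for "revocation certificates") should say that a revocation certificate is generated ahead of time and kept offline, since a lost or stolen Yubikey is exactly the case in which the private key is no longer at hand to create one, and should say where the revocation will be published; the backup paragraph should also say how the exported private key material is encrypted (a separate passphrase not stored in the same vault), because as written the key's security reduces to that of the password manager and the Bitwarden instance. Table wording: "MUST NOT issued" should be "MUST NOT be issued", "MUST have be publicly identifiable" should be "MUST have been publicly identifiable", and the sig3 cell has a double requirement in "one of the following MUST be true: The identifier MUST match"; turn the sig2 and sig3 alternatives into `<ul>`/`<li>` items instead of blank-line separated text so both outputs render them as a list. In the Keys section, "All keys may use this policy" uses lowercase "may" in a BCP 14 document; if a requirement level is intended, write MAY, and "All pins" in Key Security should read "All PINs". The Name Change Policy asks that the request be "signed with the previous key", but a UID change does not change the key, so this should refer to the existing key bearing the previous UID. Finally, the two template comments (`[REPLACE/DELETE]`, `[CHECK]`) in the Contributors section are leftovers and should be removed.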