Riseup has a collectively managed OpenPGP key. This key is used to represent Riseup as an organization, and is not linked to any specific individual who is part of the collective. The signatures on that key are not indicators of who makes up that role.

We need to have a clear policy delineated, that we can refer to in the comment field of the key, and then we need to solicit signatures of that role key from people we exchange keys with. This is important to do to not only build up trust paths to Riseup’s key, but also because at the moment the role key is only signed by two people, who are both Riseup collective members. Having this information exposed defeats the purpose of a role key.

The following is a draft help document that we would publish and then refer to in our key comment field, once we are comfortable with it. It should be signed with the role key before it is published.

Date of last change: xxx

What is this key?

Normally people consider the web of trust (WoT) to be a mathematical association of a physical person’s identity with a key, as the WoT is used primarily for an identity authentication mechanism to provide reasonable assurance that the person in control of that key is actually the person you think you are communicating with. In a highly mediated communication realm, having such assurances are often critical. However, it is also possible to have a key that doesn’t represent an individual, but rather an organization. Riseup has such a collectively managed key, and this document describes what that key is used for.

Should I sign this key?

Signing Riseup’s collectively managed OpenPGP key says nothing about how secure Riseup is, either its technical infrastructure, or organizationally. The amount of “trust” that you put in Riseup, should also not be a factor. It only says that you have made some level of effort to verify that the individual that asked you to sign the public key, appeared to you to be in control of that key.

The value of your key, or the signatures you make are not diminished if for some reason Riseup has been compromised. Your signature on this key, indeed any other, does not indicate infinite endorsement of identity and validity. It simply states that you exercised due diligence in verifying and felt sufficiently satisfied by that to sign the key.

How do you exercise due diligence? You should be checking fingerprints, and making reasonable attempts at verification. Perhaps you could arrange a shared secret phrase with the Riseup collective member you met, that would have to be returned to you in an email before you will sign the key and then send your signature on the key as an email, encrypted to the key itself to collective@riseup.net.

When you assess the relative validity of such a key, you should consider that this keypair may be shared among a group of people and that there may be individuals that make validity assertions about this keypair who you, the signer, has never met.

Riseup’s Key Policy

The Riseup Collective will use this collectively managed key to cryptographically authenticate content that will be distributed over the network. This content is content that we consider important for our users to be able to verify using the OpenPGP Web of Trust.

UPDATES TO DOCUMENTATION

Riseup will update important documentation, as appropriate, and cryptographically sign that content to provide verification. For example, the fingerprints of our SSL keys will be represented in our help documentation signed by our collectively managed key.

USE IN COMMUNICATION

Riseup will accept OpenPGP-signed communications, validate that the chain of trust is no longer than 3 steps between the signing key and Riseup’s key, or any member of the collective’s keys, and act appropriately based upon the validity of the signature.

Riseup will OpenPGP-sign all outgoing collective communications with the collective’s key (collective members may optionally also sign mail with their own individual keys).

USE IN SOFTWARE VALIDATION

Riseup will use the collective’s key to provide cryptographic signatures of software that we distribute, so that there will be available a reasonable verification of authenticity. Riseup will use modern cryptographic hashes to compute message digests of the distributed software and will then publish those hashes, signed by the key.

ACCESS POLICY

The Riseup Collective key, and its associated secret key material, will only be used by Riseup Collective members, and nobody else. As the collective changes, additional people will have capability to access this private key and use it for the uses outlined above. As people leave the collective, the access to the key will be removed. If that access cannot be reasonably removed, a revocation signature will be made on the key and sent to the keyserver network.

VERIFICATION EDUCATION

Riseup commits to providing up-to-date and clear documentation that demonstrates how to verify these cryptographic signatures and why.

UPDATES TO THIS POLICY

In the future, we may need to update this policy with more information, additional use cases, etc. If the policy is updated, we will cryptographically sign the updated policy, provide a clear indication of when it was changed last, and what changes were made. We will also do our best to communicate to you that this policy has changed, so you can be aware of it.

How to verify this document

Some details should go here about how people can go about verifying the cryptographic signature of this document.