Resources‎ > ‎

GSWoT Practice Guidelines

Purpose

This document describes the procedures by which GSIntroducers will conduct the business of authentication and certification of Recognized and Non-Recognized key owners; and to which they solemnly agree to be bound. This document also describes the function of the organization and the expectations placed upon the GSIntroducers.

1. Gossamer Spider Web of Trust (GSWoT) - The Organization

The Gossamer Spider Web of Trust is an innovative and progressive organization of PGP enthusiasts that strives to bring confidence to the OpenPGP community in regards to the quality of certification signatures that builds the web of trust. In addition to directly certifying keys through its introducers, the GSWoT bridges the certifications of compatible web of trust groups and Certification Authorities into the PGP web of trust. The GSWoT extends a web of confidence that starts with its Web of Introducers (individually called, "GSIntroducers").

1.1 Gossamer Spider Web of Trust Top-Level Key

The GSWoT top-level key is used exclusively to certify the signing key of Recognized Authorities, Affiliates and individual GSIntroducers. The Gossamer Spider Web of Trust Top-Level Key should be identified solely by its Fingerprint: 59F5 2214 8745 E548 7F41 4E1C 6BCB 9B4B 8875 FB7F

The old Top-Level Key should still be considered valid and solely identified by its Fingerprint: D08C B376 DE5F 9609 AAEB 6763 7A92 1BC2 3C4A 1809

No new signatures will be issued by the old key after 2011-04-10.

To install the Gossamer Spider Web of Trust vertically, the Gossamer Spider Web of Trust Top-Level Key must be imported into a compatible OpenPGP keyring and given explicit trust as an Introducer to a depth of no less than two (2).

1.2 GSIntroducers - The Web of Introducers

The GSWoT Web of Introducers is established through reciprocal trust signing between GSIntroducers. Each GSIntroducer certifies the other as a Trusted Introducer to a minimum certification depth of one (1), also referred to as a Level 01 Introducer. This signing practice creates a Web of Trust between all GSIntroducers, and automatically includes all the keys in the wild that trust any one or more GSIntroducers as an Introducer either explicitly or through Hierarchal Trust established with the Gossamer Spider Web of Trust Top-Level Key to form a non-isolated set of Web of Trust relationships. The Web of Introducers is composed of key owners whose identity has been authenticated by process directly within the organization or by a Recognized Authority (see Section 3). Each GSIntroducer within the Web of Introducers has agreed to perform certifications of subscriber keys according to the guidelines outlined in this document.

1.2.1 Qualification of GSIntroducers

GSIntroducers supporting the web of trust products specified in Section 3, Notaries Public, and officers of organizations, commissions and other bodies who are responsible for authentication of its members can make application to become a GSIntroducer. The latter may qualify to apply as Registrar under the Affiliate provision in Section 2.

1.2.2 Identifying a GSIntroducer

A GSIntroducer is recognized by the possession and access to a private key corresponding to a public key containing a userid that follows the naming convention as prescribed under Section 1.2.3 and is certified by the Gossamer Spider Web of Trust Top-Level Key.

1.2.3 GSIntroducer ID

The GSIntroducer ID (GSID) is constructed to uniquely identify a GSIntroducer, and is composed of the member's full name, and an email address in the gswot.org domain. A comment may optionally be included. Only a GSIntroducer ID appearing as a userid following the above convention and certified with trust by the Gossamer Spider Web of Trust Top-Level Key positively identifies a GSIntroducer. Note that previous conventions should not be treated as invalid, but should be scrutinized only for the existence of a valid certification signature with trust issued from the Gossamer Spider Web of Trust Top-Level Key.

Note a GSID with a certification only signature issued from the Gossamer Spider Web of Trust indicates the key was enrolled by a GSIntroducer until the time the signature was issued, and is now removed from the GSWoT trust path. The key owner may still be a GSIntroducer and may have enrolled a replacement key, or he/she may no longer be a member.

The email part of the GSIntroducer ID (GSID) is an internal artifact and may not indicate a valid email address to relying parties. GSIntroducers may opt to enable their gswot.org mail service.

1.2.4 Roll Call

There will be periodic roll calls which will be announced on the announce mail list (see 1.9). Failure to reply to reply to a roll call within 50 days leaves the organization no choice but to assume the GSIntroducer's private key may have been compromised and will result in all GSWoT root key signatures being revoked from the GSIntroducer's key(s) and that GSIntroducer's membership will be terminated. The GSIntroducer is free to re-apply for membership should they wish to be a member of the organization again.

1.3 Becoming a GSIntroducer

A person, organization or commercial entity can make application to have a signing key certified and entered into the Web of Introducers. Organizations and commercial entities are referred to Section 2 - Affiliates, Partners. An individual who performs assurances for a web of trust digital signature product identified in Section 3.1; or is a Notary Public in Canada or the United States; or has earned a certification from the CACert OpenPGP root key whose fingerprint is A31D 4F81 EF4E BD07 B456 FA04 D2BB 0D01 65D0 FD58 and one (1) GSIntroducer certification; or has earned three (3) GSIntroducer certifications can make application to the Web of Introducers.

1.3.1 Making Application

To make application to the Web of Introducers, the applicant will affirm to have read this document, and submitted an application such as is available from the official GSWoT home <http://www.gswot.org>.

1.3.2 Binding the Application

Upon successful application (see Section 1.5) the applicant will be requested to issue a Level 02 Trust Signature to the Gossamer Spider Web of Trust Top-Level Key. The signature will be reciprocated with a Level 01 Trust Signature issued by the Gossamer Spider Web of Trust Top-Level Key.

1.4 Introduction of New GSIntroducer

Upon successful completion of the application process, a new GSIntroducer is formally introduced into the Web of Introducers. The method of delivery of the introduction may change from time to time, however the authentication of material and keys is to be considered critical and must comply with Sections 1.5.

1.5 Registrar

The Registrar will receive an application and forward it to the GSIntroducer mailing list after verifying that the applicant fits the requirements of Section 1.3. A new GSIntroducer will be installed only after 5 days with no objections being voiced on-list. The absence of objections to the application will be taken to mean that members agree with the Registrar's conclusion that the application meets the requirements of Section 1.3.

1.5.1 The Registration Announcement

The Registration Announcement serves to introduce a new GSIntroducer to the Web of Introducers. The document will include information describing the new GSIntroducer, any special notes, and the public key of the new GSIntroducer certified by the Gossamer Spider Web of Trust Top-Level Key. An additional copy of the public key will contain the certifications of the GSIntroducers responsible for reviewing the application.

1.6 Installation of New GSIntroducer

Upon acceptance into the Web of Introducers, a new GSIntroducer will accept and maintain a subscription to the announcement mail list.

The new GSIntroducer may initiate key exchanges with the GSIntroducers listed in the directory that have not already exchanged keys following the application review process.

Mutual exchange of trust signatures among all GSIntroducers is mandatory and will be conducted as follows:

1. Sign the GSIntroducer's key with a trust signature to a depth of one (1) (Level 01 Introducer). Sign the userid conforming to the conditions in any of 1a through 1d, providing it is certified by the Gossamer Spider Web of Trust Top-Level Key. The userid matching the GSIntroducer's application form must be signed.

a. GSID b. Proper name, and enrolled email address c. Proper name only (free-form userid) d. Proper name, and other email address

  • See Sections 4.6 and 4.7.1 of Practice Guidelines

Sign only userid's that you have validated yourself and/or userid's that have been certified by the Gossamer Spider Web of Trust Top-Level Key. Typically, this is all userid's contained in the public key included in the Registration Announcement.

2. Submit the signed key to the user directly via electronic mail.

3. You should later receive your signed key directly via return electronic mail.

4. Update your public key to a PGPnet Keyserver.

http://pgp.surfnet.nl (also ldap on port 11370) http://pgp.mit.edu

1.7 Public Key Resources

All GSIntroducers should update their public key to a PGPnet key server.

http://wwwkeys.pgp.net

GSIntroducers are recommended to maintain GSIntroducer keys on their local keyring according to the cautions described in Section 4.2 ("Technical Limitations").

1.7.1 Public Key "Etiquette"

It is commonly perceived to be unacceptable to publish another person's public key certificate to a publicly accessible key server without the express consent of the public key owner. GSIntroducers are urged to respect this rule and verify their application preferences prevent the automatic submission of public keys to a key server (ie, after applying a certification signature).

1.7.2 Revocation

Revocation of a GSIntroducer's key must be submitted to the announcement mail list (see Section 1.8) and a PGPnet public key server (see Section 1.7). Submission to additional resources is encouraged.

Revocation of a GSIntroducer's signature on another GSIntroducer's key may only occur under the direction of the Registrar responsible for introducing the key that is to be revoked, or under the direction of a committee established to treat the individual case or disciplinary issues in general. The revocation of reciprocal signatures is thus reserved for cases of a GSIntroducer being ejected from the organization for breach of trust or other disobedience to the guidelines as established in this document.

1.7.3 Resigned Keys

GSIntroducers resigned from the Gossamer Spider Web of Trust will be disconnected from the organizational trust chain only. Trust signatures from the Gossamer Spider Web of Trust Top-Level Key will be revoked.

To preserve the identity assurance earned through past participation, the Gossamer Spider Web of Trust Top-Level Key will issue a certification signature to any qualified userid.

1.8 Confidentiality

The GSWoT Document Sharing Key (0xF10CACE18A241470, aka GSWoT Correspondance Key) shall be used to protect personal information published on any remotely accessible media and including the transmission of email. The purpose of the GSWoT Document Sharing Key is to reduce the ciphertext size by limiting encryption to one recipient in addition to making ciphertext available to future GSIntroducers.

GSIntroducers will generally have no cause to encrypt using the GSWoT Document Sharing Key save and except for the protection of personal information published on remote servers, "away" notices that may be published to the forum, or other personally sensitive information that should be protected.

GSIntroducers are urged to neither generate nor trust digital signatures associated with the GSWoT Document Sharing Key.

The private key of the GSWoT Document Sharing Key must be kept private and secure. The use of a regularly changing strong passphrase is encouraged. For ease of use, the private key may be stored unencrypted providing it resides on encrypted media protected by a strong passphrase. Hint: You may set the GSWoT Document Sharing Key passphrase to the same as your primary keypair to avoid interfering with ease-of-use through passphrase caching.

The public key certificate should not be submitted to any public key server (ref. Section 1.7.1).

1.9 Presence

The Official Home of the Gossamer Spider Web of Trust is <http://www.gswot.org>.

There are four (4) mail lists representing the Gossamer Spider Web of Trust:

GSWoT Home - home-subscribe@lists.gswot.org

This public forum is for open discussion about the GSWoT and the web of trust model in general. GSIntroducers are encouraged to subscribe to this forum to assist in responding to questions from the public. Posts should be clear-signed.

The mailing list is mirrored on Gmane Mail to News <news://news.gmane.org/gmane.comp.security.pgp.gswot> <http://news.gmane.org/thread.php?group=gmane.comp.security.pgp.gswot>

GSIntroducer - introducer-subscribe@lists.gswot.org

This web presence is restricted to GSIntroducers and includes a forum for discussing all business pertaining to the evolution of the project. GSIntroducers are encouraged to subscribe to this forum to help each other acclimate to our procedures as well as to assist in the evolution of those procedures and other policy items. Posts should be clear-signed.

GSIntroducer-announce - announce-subscribe@lists.gswot.org This web presence is restricted to GSIntroducers. The mailing list is used to publish general announcements and most importantly, Registration Announcements.

Subscription to this mailing list is mandatory. GSIntroducers must maintain a subscription with active delivery enabled. Posts should be clear-signed.

2. Affiliates, Partners

Affiliates and Partners are persons, organizations and commercial entities whose application or invitation to the Web of Introducers has been mutually accepted. These can include compatible web of trust initiatives, interest groups, professional associations, community organizations and employers.

An Affiliate or Partner will register a signing key to perform Registrar duties within their organization. The Affiliated Registrar's signing key is then certified by the Gossamer Spider Web of Trust Top-Level Key as a Level 02 Introducer.

3. Recognized Authorities

The geographic dispersal of GSIntroducers severely limits the ability of the Web of Introducers to meet with subscribers to authenticate their identity. For this reason, and to authenticate the identity of applicants to the Web of Introducers, the reliance upon Certification Authorities (CA) and other strict authentication processes has provided the means to satisfy our requirement for an extensive certification of identity.

3.1 Dynamic List of Authorities

The following list of Recognized Authorities is not static. Applicants and subscribers whose identity has been authenticated to earn a certificate product compatible with this document can request the Issuer be considered for inclusion under this Section to improve their qualification. (see also Section 1.2 p2).

Certificate products from the following Authorities are acceptable proofs of identity:

CAcert ECCP <www.cacert.org> Trusted certificates (50 or more trust points)

CAcert High Trust OpenPGP <www.cacert.org> Signing KeyID: 0xD2BB0D0165D0FD58

  • Only signatures issued after June 1, 2007 are accepted

Juricert <www.juricert.com> Authenticated Adobe certificates

Juricert <www.juricert.com> Authenticated IDscript ( www.idscript.com) TrustMint

4. Certification by GSIntroducers (Key Signing)

The Gossamer Spider Web of Trust aims to introduce only positively certified keys which have been scrutinized to belong to authentic individuals, organizations or other entities.

4.1 Third Party Reliance

The Gossamer Spider Web of Introducers strives to maintain strong, evidence-based certifications. Certification quality is to be regarded as "low assurance". Absolutely no warranty of any kind is implied by the certifications applied by the Gossamer Spider Web of Trust Top-Level Key or by the certifications of the Web of Introducers. Relying parties are urged to require additional certification for commerce, legal, and mission critical applications.

4.2 Technical Limitations

The PGP (Pretty Good Privacy) application by PGP Corporation <www.pgp.com> does not support variable certification signature types. PGP generates only generic (type 0x10) certification signatures. GnuPG (GNU Privacy Guard) by GNU <www.gnupg.org> does support variable certification signature types.

4.3 Signature Discrimination

All generic certification signatures applied by GSIntroducers shall be determined to be a casual certification of a userid and public key (type 0x12). GSIntroducers who use PGP exclusively will apply a certification signature in the general manner with a generic certification signature (type 0x10). GSIntroducers who have access to GnuPG must apply a positive certification signature (type 0x13) with the exception of remote certifications (see Section 4.5).

4.4 Traditional Key Signing

A GSIntroducer will meet with a key owner in person to witness appropriate and sufficient documentation that is commonly held to provide evidence of identity (EOI) in the key owner's homeland. The EOI must include at least one form of government-issued photo identification.

4.5 Remote Certification

A GSIntroducer may certify the public key of an owner who successfully authenticates with a digital signing product issued or otherwise certified by a Recognized Authority. The GSIntroducer will issue a casual (type 0x12) certification signature to any key that is being remotely certified. GSIntroducers who use PGP exclusively will apply a certification signature in the general manner with a generic certification signature (type 0x10).

4.5.1 Limitations of Remote Certification

A GSIntroducer must refuse to remotely certify a subscriber's key that contains two (2) GSIntroducer signatures that were applied under the Remote Certification allowance.

This rule does not prevent a GSIntroducer from certifying the same key via Traditional Key Signing.

This rule does not apply to reciprocal signing within the Web of Introducers.

4.6 Multiple UserID's

The OpenPGP certificate format permits the generation of multiple userid's associated with a single primary key. GSIntroducers must certify only userid's that have been validated. The lack of a GSIntroducer's certification of a userid should not be interpreted to invalidate the userid. For example, a Photo ID could not possibly be validated under the Remote Certification allowance, but this should not indicate that the Photo ID does not bear a true likeness of the public key owner. Likewise, untested email addresses will not be certified but should not be interpreted to be invalid.

4.7 Trust Signatures

GSIntroducers are free to extend their personal web of trust using their GSWoT signing key by applying trust signatures to the keys they trust as introducers (entire Section 4 applies).

4.7.1 Trust Signing of GSIntroducers

GSIntroducers must apply an appropriate certification signature (type 0x12 or type 0x13) including Level 01 trust to the keys of other GSIntroducers.

The new GSIntroducer is encouraged to seek signature exchanges with GSIntroducers.

5. Policy Sharing

Trust policies can be shared between OpenPGP users through trust signatures. GnuPG users can also manage trust policies exclusively through explicit signing of keys on the local keyring. Trust policies can be shared between GnuPG users using the classic trust model through the import of ownertrust export files.

Definitions

Authentication see also; Message Authentication Sender Authentication
The verification of the identity of a person or organization.
Certificate
A document containing a cryptographic key, personally identifying information, and other information certified by the owner (self-signed certificate) or a signing authority.
Certification Authority (CA) also; Certificate Authority
An organization that certifies certificate material; may also perform authentication services.
Certificate Revocation List
A document issued by a Certification Authority that lists subscriber keys that have been revoked.
Day
A period of twenty-four (24) hours beginning at midnight, UTC.
Document
A record that conveys information.
Evidence of Identity (EOI)
A document that substantiates a claim to identity.
Keypair
A cryptographic public key and corresponding private key.
Message Authentication
A method of proving the source of a message is authentic; unchanged.
OpenPGP also; PGP also; PGP Message Format also; Inline PGP
A proposed IETF standard for the exchange of cryptographic messages and certificate material.
PGP/MIME
A MIME implementation of the OpenPGP message format.
Public Key also; Certificate
The shared key belonging to a keypair; used for encryption of documents to or decryption of signatures generated by the corresponding private key.
Private Key
The key that is required for generating digital signatures and decryption of documents encrypted to the corresponding public key.
Recognized [Entity]
A person, organization or commercial entity whose signing key and certification practices and/or authentication standards is observed to meet or exceed those set forth in this document.
Registrar
An admitting officer. A person responsible for maintaining records and admittance.
S/MIME
An IETF standard for secure email.
Sender Authentication
A method of proving the authorship of a message.
Subscriber
A person, organization or commercial entity who has requested certification of a public key by a signing authority.
X.509
An IETF standard format for the storage of cryptographic key material and Certificate Revocation Lists.
Comments