Create encryption keys amongst security@zfnd.org

[dconnolly]

And publish the public key in our responsible_disclosure.md statement. Ideally created on yubikeys, with backups. Elucidate the creation, rotation, and EOL'ing keys.

For now we have an old draft at: https://docs.google.com/document/d/1ORGAzAYq5vc86SxBlugYAE5daLbnTRCIZSELCvFKZaY

After discussion/review we should update the ticket text here

Quick consensus on tooling:

• PGP for breadth
• Optionally age for more experimental/modern researchers, but not primary

[teor2345]

Putting this in the last sprint, so we remember to do it before mainnet activation.

[mpguerra]

Do we still want to/need to do this?

[teor2345]

We're getting closer to the stable release candidate series, so this is a medium priority now.

[teor2345]

Here are some reasons to make our first secure contact method a PGP key:

If we want to get the same disclosures as zcashd:
https://github.com/zcash/zcash/blob/master/SECURITY.md#receiving-disclosures

If we want to conform to accepted responsible disclosure standards within the cryptocurrency community:
https://github.com/RD-Crypto-Spec/Responsible-Disclosure/tree/d47a5a3dafa5942c8849a93441745fdd186731e6#giving-details

We can add additional secure contact methods, but in my opinion they should be separate tickets. That allows us to give them different schedules and priorities.

[dconnolly]

Some resources:

• https://developers.yubico.com/PGP/PGP_Walk-Through.html
• PGP keys can be stored in 1Password as attachments or secure notes
• https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP
• https://medium.com/cloud-security/storing-a-gpg-pgp-key-on-a-yubikey-905a8fe8dad7

[mpguerra]

I've started coordinating on this

[mpguerra]

removing from sprint, I still have it on my to do list to do asap