To support critical infrastructure needs with an auditable and authoritative registry of digital identity proofs in accordance with industry guidelines and recommendations.
The tables below acknowledge important objectives in this space and clarify which are considered in-scope vs. out-of-scope, based on factors including but not limited to time, effort, and resource availability.
In-Scope Objectives |
---|
To resolve a claimed identity (e.g., the name on a GPG key) to a single, unique identity (e.g., person, CI/CD pipeline, organization, etc.) within the context of the population of users the Credential Service Provider (CSP) serves (e.g., infrastructure management, supply chain security engineers, certifying bodies, business-to-business identity managers, etc.). |
To validate that all supplied evidence is correct and genuine (e.g., not counterfeit or misappropriated). |
To validate that the claimed identity exists in the real world. |
To verify that the claimed identity is associated with either: a) the real person supplying the identity evidence, or b) the real person on behalf of which the identity evidence is being provided. |

Out-of-Scope Objectives | Workaround |
---|---|
Owner verification of the email address listed with the claimed identity | A clearsigned message received from the listed email address using the corresponding private key (see also /REFS.md#gpg-signature) |
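
A reviewer applying the workaround above has to confirm that the clearsigned message verifies under the key claimed in the evidence, not merely under some key. The following is an added example, not code from this project: it parses the machine-readable output of `gpg --status-fd 1 --verify message.asc` and compares the primary-key fingerprint with the claimed one. The status lines and fingerprints are constructed sample data, and the function name and the assumption that the registry records the primary-key fingerprint are hypothetical.

```python
import re

# Status keywords that mean the signature must not be accepted as evidence.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def normalize_fpr(fpr):
    """Strip whitespace and upper-case a fingerprint for comparison."""
    return re.sub(r"\s+", "", fpr).upper()


def check_clearsign_status(status_text, claimed_fpr):
    """Return (ok, detail) for gpg --status-fd output of one verification.

    claimed_fpr is assumed to be the primary-key fingerprint from the evidence.
    """
    good = False
    primary = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # human-readable output or an empty status line
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return (False, keyword)
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # args[0] is the signing (sub)key; args[9], when present,
            # is the fingerprint of the primary key it belongs to.
            primary = (args[9] if len(args) > 9 else args[0]).upper()
    if not good or primary is None:
        return (False, "no valid signature")
    if primary != normalize_fpr(claimed_fpr):
        return (False, "fingerprint mismatch")
    return (True, primary)


# Constructed sample: a signature made by a signing subkey of the claimed key.
PRIMARY = "0123456789ABCDEF0123456789ABCDEF01234567"
SUBKEY = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"
SAMPLE_STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>",
    "[GNUPG:] VALIDSIG " + SUBKEY + " 2024-01-01 1704067200 0 4 0 22 10 01 " + PRIMARY,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
])

if __name__ == "__main__":
    print(check_clearsign_status(SAMPLE_STATUS, PRIMARY))
```

The check covers only the signature-to-key binding; that the message actually arrived from the listed email address is established from the mail itself.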
The following resources are considered applicable and relevant to the orientation and goals of this project:
- Familiarize yourself with the resources provided in the Standards section above
- Refer to the identity registry for existing evidence submissions (see also schema)
- Review all contributing policies in effect on this repository
- Create a new pull request to submit evidence for a new or existing digital identity
- Building your web of trust, The GNU Privacy Guard
- Using trust to validate keys, The GNU Privacy Guard
- Validating authenticity of a key, The Apache Software Foundation
- Validating other keys on your public keyring, The GNU Privacy Guard
- Exchanging keys, The GNU Privacy Guard
- Integrity check, The GNU Privacy Guard
- Signature key, The GNU Privacy Guard
The Code Owners of this project acknowledge and commemorate the extraordinary contributions of the following individuals and organizations dedicated to advancing the critical yet often underappreciated field of digital security and identity, whose work has significantly shaped and inspired this effort:
- Werner Koch – for his dedication to developing and maintaining GnuPG, a cornerstone tool for secure communication and email encryption.
- Elmar Hoffman – for his advocacy in cryptographic policy and practices.
- Ian Young – for his comprehensive documentation of PGP policy and its applications in identity verification.
- Simon Josefsson – for his innovation in secure key management and the use of hardware security devices.
- Tails – for their commitment to providing users with robust, verifiable tools for privacy and security.
We bid farewell to a friend we believed to be safe, the secrecy of telecommunications (Article 10 of the Basic Law), 18 December 2015
This project is licensed under a custom MIT-NC-ND License.