Document how to bootstrap keychain for an organization #23

Open
opened 2024-12-19 19:54:03 +00:00 by scjudd (Member) · 1 comment

From the ["Trusted Keys" section of the provisioner docs](https://git.distrust.co/public/docs/src/commit/578e46a1bc16bd7b6e560c006742675b5fa41c9d/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md#trusted-keys):

> 3. Navigate the the official Keychain repository of your organization

Setting up this repository and, more importantly, creating and distributing these keys is something that could definitely be spelled out more. I'm certain there's some documentation around for getting PGP + YubiKeys set up, but we should make sure that this documentation doesn't assume that each individual user is equipped to provision a key on their own, unless that can be made very simple/mechanical.

If necessary, part of this could be a ceremony where technical users are to help less-technical users get their keys set up. There are at least two technical people who could provide some sort of oversight over each other.

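The mechanical part of the request above (a keychain repository, one key per member, and a check that the repository is consistent), as an added example that is not part of this issue or of distrust's docs. It assumes a layout the issue does not specify, one ASCII-armored public key per member at `keys/<FINGERPRINT>.asc`, and it generates throwaway software keys rather than YubiKey-resident ones; function names and the `keys/` directory are this example's own choices.

```shell
#!/bin/sh
# Added example for this issue, not part of distrust's docs or tooling.
# Assumption (not stated on the page): the keychain repository keeps one
# ASCII-armored public key per member under keys/<FINGERPRINT>.asc.
# Needs GnuPG 2.2 or newer.
set -u

# keychain_add_member KEYCHAIN_DIR "Name <email>"
# Generates an Ed25519 signing key in a throwaway GNUPGHOME, writes its
# public half to KEYCHAIN_DIR/keys/<FPR>.asc and prints the fingerprint.
# The secret key is discarded with the temporary home; in a real ceremony it
# would be moved to the member's YubiKey first (gpg --edit-key FPR, then
# keytocard) rather than generated and thrown away.
keychain_add_member() {
    keychain="$1"
    uid="$2"
    home="$(mktemp -d)" || return 1
    chmod 700 "$home"
    # No passphrase: the example key never leaves the temporary directory.
    GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" ed25519 sign never >/dev/null 2>&1 \
        || { rm -rf "$home"; return 1; }
    # First fpr: line of the listing is the primary key's fingerprint.
    fpr="$(GNUPGHOME="$home" gpg --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }')"
    mkdir -p "$keychain/keys"
    GNUPGHOME="$home" gpg --batch --armor --export "$fpr" > "$keychain/keys/$fpr.asc"
    rm -rf "$home"
    [ -s "$keychain/keys/$fpr.asc" ] || return 1
    printf '%s\n' "$fpr"
}

# keychain_verify KEYCHAIN_DIR
# Every keys/*.asc file must hold exactly one primary key whose full
# fingerprint equals the file name; anything else is reported and fails.
keychain_verify() {
    keychain="$1"
    vhome="$(mktemp -d)" || return 1
    chmod 700 "$vhome"
    status=0
    for f in "$keychain"/keys/*.asc; do
        if [ ! -e "$f" ]; then
            echo "keychain: no keys under $keychain/keys" >&2
            status=1
            break
        fi
        name="$(basename "$f" .asc)"
        # --show-keys parses the file without importing it into any keyring.
        listing="$(GNUPGHOME="$vhome" gpg --batch --with-colons --show-keys "$f" 2>/dev/null)"
        npub="$(printf '%s\n' "$listing" | grep -c '^pub:')"
        # Fingerprint of the primary key: the fpr: line right after pub:.
        fpr="$(printf '%s\n' "$listing" \
            | awk -F: '$1 == "pub" { want = 1; next } want && $1 == "fpr" { print $10; exit }')"
        if [ "$npub" != 1 ]; then
            echo "$f: expected exactly one primary key, found $npub" >&2
            status=1
        elif [ "$fpr" != "$name" ]; then
            echo "$f: file name does not match fingerprint $fpr" >&2
            status=1
        fi
    done
    rm -rf "$vhome"
    return "$status"
}

# Demo when run as: sh keychain.sh demo
if [ "${1:-}" = demo ]; then
    dir="$(mktemp -d)"
    keychain_add_member "$dir" "Alice Example <alice@example.org>"
    keychain_add_member "$dir" "Bob Example <bob@example.org>"
    keychain_verify "$dir" && echo "keychain at $dir verifies"
fi
```

The verify step is the part worth running on every commit to the repository: it catches a renamed or doubled-up key file, which is exactly the failure mode a less-technical member is likely to produce when adding their own key. The keys themselves are what the issue wants on YubiKeys, so the generation function only stands in for the `keytocard` step of the ceremony.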
scjudd (Author, Member) commented:

Maybe this can happen simultaneously to a Root Entropy derivation ceremony? That documentation is also `TODO` in the provisioner doc currently; but if that involves operators being together with an airgap machine ready, maybe it makes sense to use that opportunity to build a keychain and distribute YubiKeys.

Reference: public/docs#23