To support critical infrastructure needs with an auditable and authoritative registry of digital identity proofs in accordance with industry guidelines and recommendations.
The tables below acknowledge important objectives in this space, while also clarifying which are considered to be in-scope vs. out-of-scope based on a number of factors, including but not limited to time, effort, resource availability, etc.
In-Scope Objectives |
---|
To resolve a claimed identity (e.g., the name on a GPG key) to a single, unique identity (e.g., person, CI/CD pipeline, organization, etc.) within the context of the population of users the Credential Service Provider (CSP) serves (e.g., infrastructure management, supply chain security engineers, certifying bodies, business-to-business identity managers, etc.). |
To validate that all supplied evidence is correct and genuine (e.g., not counterfeit or misappropriated). |
To validate that the claimed identity exists in the real world. |
To verify that the claimed identity is associated with either: a) the real person supplying the identity evidence, or b) the real person on behalf of which the identity evidence is being provided. |
Out-of-Scope Objectives | Workaround |
---|---|
Owner verification of the email address listed with the claimed identity | A clearsigned message received from the listed email address using the corresponding private key (see also /REFS.md#gpg-signature) |
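
The signature half of the workaround above can be checked mechanically. The script below is an added example, not code from this repository: it reads the machine-readable status lines that `gpg --status-fd 1 --verify` prints and accepts the message only if a valid signature was made by the expected fingerprint. The function names, the file name `message.asc` and the sample status lines are assumptions; confirming that the message actually arrived from the listed email address remains a separate step.

```shell
#!/bin/sh
# Added example (not from the sig3 repository): decide whether GnuPG status
# output shows a valid signature made by the expected key.
# With a real file (message.asc is an assumed name):
#   gpg --status-fd 1 --verify message.asc 2>/dev/null | signer_matches "$FPR"

# signer_matches EXPECTED_FPR  (status lines on stdin)
# Returns 0 on a matching valid signature, 1 otherwise, 2 on a malformed argument.
signer_matches() {
    want_fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Require a full 40-hex-digit fingerprint; short key IDs can collide.
    case $want_fpr in *[!0-9A-F]*) return 2 ;; esac
    [ "${#want_fpr}" -eq 40 ] || return 2
    awk -v want="$want_fpr" '
        $1 != "[GNUPG:]" { next }
        # Any failed, expired or revoked-key signature rejects the message.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: $3 is the signing key fingerprint, $12 the primary key
        # fingerprint (they differ when a signing subkey was used).
        $2 == "VALIDSIG" && ($3 == want || $12 == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Constructed sample of `gpg --status-fd 1 --verify` output: the subkey
# fingerprint, key ID, timestamp and user ID are made up; the primary key
# fingerprint is one shown in the build output on this page.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000001 Constructed User <user@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2025-01-01 1735689600 0 4 0 22 10 01 99BB608E30380C451952D6BBA1C7E813F160A407
EOF
}

if sample_status | signer_matches 99BB608E30380C451952D6BBA1C7E813F160A407; then
    echo "signature made by the expected key"
fi
```

A match here says only that the key produced the signature; whether that key belongs to the claimed identity is what the registry evidence is for.
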
The following resources are considered applicable and relevant to the orientation and goals of this project:
Note
You can also now test drive the proof-of-concept ID Lookup tool built from this repository at https://sig3.org.uk/.
To run your own tests, first clone the repository:

```
~$ git clone git@github.com:mattborja/sig3.git
```
Next, navigate into the newly cloned repository directory and run `npm install` to install the related dependencies:

```
~$ cd sig3
~/sig3$ npm install
```
Finally, run `npm run build` to build the `dist/` folder from registry entries that have successfully passed all validation checks and see their respective audit summaries in the standard output†.

```
~/sig3$ npm run build
> sig3@1.0.0 build
> node index.js
Skipping file on parse failure: registry/<FILENAME>.json (SyntaxError: Expected double-quoted property name in JSON at position 1474 (line 16 column 5))
F30FF4FC936584574EE3251833688C2EDC08CD38 {
  src: 'dist/F30FF4FC936584574EE3251833688C2EDC08CD38.json',
  schema: true,
  keyVersion: false,
  filename: true
}
99BB608E30380C451952D6BBA1C7E813F160A407 {
  src: 'dist/99BB608E30380C451952D6BBA1C7E813F160A407.json',
  schema: true,
  keyVersion: true,
  filename: true
}
...
```
†Newlines and spacing added for readability.
- Familiarize yourself with the resources provided in the Standards section above
- Refer to the identity registry for existing evidence submissions (see also schema)
- Review all contributing policies in effect on this repository
- Create a new pull request to submit evidence for a new or existing digital identity
- Building your web of trust, The GNU Privacy Guard
- Using trust to validate keys, The GNU Privacy Guard
- Validating authenticity of a key, The Apache Software Foundation
- Validating other keys on your public keyring, The GNU Privacy Guard
- Exchanging keys, The GNU Privacy Guard
- Integrity check, The GNU Privacy Guard
- Signature key, The GNU Privacy Guard
The Code Owners of this project recognize the substantial research, development, and generous contributions of individuals at home and abroad, which have helped inspire and shape digital security as we know it today—an endeavor that this project assiduously seeks to further.
As such, though based in the U.S., this project adopts the non-profit `.org.uk` domain as a tribute to the UK (and greater EU) commitment to privacy and data protection, reflected in their robust privacy laws (e.g., GDPR), digital rights frameworks, and leadership in data security. The open and non-profit nature of this project is also symbolic of the value of transparency in this space.
The following named individuals and entities are further recognized for their significant contributions and influence on the development and direction of this project:
- Werner Koch — for his dedication to developing and maintaining GnuPG, a cornerstone tool for secure communication and email encryption.
- Christof Paar — German professor and renowned researcher in hardware security and cryptography. Known for his academic contributions in applied cryptography and hardware implementations.
- Elmar Hoffman — for his advocacy in cryptographic policy and practices.
- Ian Young — for his comprehensive documentation of PGP policy and its applications in identity verification.
- Simon Josefsson – for his innovation in secure key management and the use of hardware security devices.
- Tails — for their commitment to providing users with robust, verifiable tools for privacy and security.
We bid farewell to a friend we believed to be safe, the secrecy of telecommunications (Article 10 of the Basic Law), 18 December 2015
"Fair enough, but what about the sig3. part in the domain?"
In addition to seeking alignment with IAL3 in NIST SP 800-63A, it means we did very careful checking according to GnuPG :)
This project is licensed under a custom MIT-NC-ND License.
The following methods are currently supported for receiving donations:
- Email money transfer (e.g., PayPal, Zelle, etc.) to the maintainer's email address shown in the UID output of: `gpg --list-keys A1C7E813F160A407`
- Bitcoin address (static): `bc1q69f987tgm59haz9n2nycfhka4z3czy30vm8nhz`