# Edition signing key policy

| | |
|---|---|
| **Status** | Adopted |
| **Version** | 1.0 |
| **Date** | 2026-05-26 |
| **Applies to** | All `.lavs` files signed by Project Lavos LLC |
| **License of this document** | CC BY 4.0 |
| **Editor** | Matthew Scott · Project Lavos LLC |
| **Companion document** | `spec/EDITIONS.md` |
| **Canonical published location** | `https://lavos-pubkey.projectlavos.com/rotation-policy.md` |

This document defines how the Project Lavos LLC edition-signing key is generated, stored, rotated, and verified. It is binding policy for the signing identity recorded in every signed `.lavs` file (Edition properties 709 `signatureAlgorithm` and 710 `signaturePublicKey`).

The companion document `spec/EDITIONS.md` covers what an edition is; this document covers how it is signed.

---

## 1. Signing posture

**Algorithm:** ed25519 (per LAVS-001 §8.2 `signatureAlgorithm = "ed25519"`).

**Storage:** Hardware-resident on a YubiKey 5-series token (or equivalent hardware token supporting ed25519 via OpenPGP or PIV). The keypair is generated on the token and the private key never leaves it; it is not generated on a host and imported, since an imported key has already existed in host memory. Check the token's firmware before provisioning (`ykman info` reports it): on YubiKey 5 the OpenPGP application supports ed25519 from firmware 5.2.3, the PIV application only from 5.7.

**Two-key posture from day one:** A primary YubiKey and a backup YubiKey are provisioned at the same generation event, each with its own keypair (an on-token key cannot be copied, so the backup is a second signing key, not a duplicate of the first). Both public keys are cross-signed at generation, each token signing the other's public key, so verifiers can establish that they share an identity. The primary key signs all routine editions; the backup is stored off-premises and used only if the primary is compromised or fails.

**Public key publication:** The current active signing public key is published at `https://lavos-pubkey.projectlavos.com/pubkey.pem`. The historical and revoked keys are published at `https://lavos-pubkey.projectlavos.com/keys/`.

**Touch-to-sign:** Every signing operation requires physical touch on the YubiKey. This is the anti-malware property: a compromised laptop cannot silently sign editions without physical presence at the moment of signing. Touch proves presence, not intent: a compromised host can still substitute the bytes presented for signing at the moment of touch, so the property confines an attacker to the moments when the operator is deliberately signing rather than removing malware risk. The touch policy is off by default and must be enabled during provisioning; for the OpenPGP application, `ykman openpgp keys set-touch sig fixed` turns it on and prevents it being turned off again without a reset of the application.

## 2. Compromise rotation

If a YubiKey is lost, stolen, or believed compromised:

1. The compromised key is added to the revocation list at `https://lavos-pubkey.projectlavos.com/revoked.txt` with the date of revocation.
2. Signing immediately moves to the backup YubiKey. A signed rotation notice naming the revoked key is published at `https://lavos-pubkey.projectlavos.com/rotations/`.
3. A new backup YubiKey is provisioned and cross-signed within 30 days of compromise to restore the two-key posture.
4. Editions signed before the revocation date remain "provable as signed at time of signing" but are flagged "signed under a revoked key" by compliant verifiers. Buyers may choose how to treat revoked-key editions. Note that an ed25519 signature carries no time of its own: whoever holds the compromised key can sign a backdated edition, so a pre-revocation signing date is only as strong as the independent evidence for it (a third-party timestamp over the signature, a public log entry, or the buyer's own receipt of the file before the revocation date).
5. Editions signed after the announced compromise date but before revocation propagated are considered suspect and individually audited.

## 3. Routine rotation

**No scheduled time-based rotation.** YubiKey hardware is rated for decades of physical life and millions of signing operations; rotation is event-driven (compromise or hardware failure), not calendar-driven.

This is intentional. Calendar rotation adds verifier complexity (multiple historical public keys to fetch, edition-to-key mapping to maintain) without proportional security benefit for a one-person LLC's signing operation. The two-YubiKey posture absorbs hardware-failure risk; the touch-to-sign property confines malware risk to the moments the operator is physically signing; the revocation procedure absorbs compromise risk.

## 4. Verifier obligations

A LAVS-conformant verifier (a viewer, a marketplace badge generator, a gallery operator) **SHOULD**:

- Fetch the revocation list at `https://lavos-pubkey.projectlavos.com/revoked.txt` before validating any edition signature.
- Cache the revocation list with a TTL of at most 24 hours; a cached copy older than that is stale and is refreshed before any verified state is shown.
- Validate the signature with the key recorded in the edition (property 710 `signaturePublicKey`), and accept it only if that key is the current key at `https://lavos-pubkey.projectlavos.com/pubkey.pem` or a historical key published under `https://lavos-pubkey.projectlavos.com/keys/`. A signature that verifies under a key Project Lavos never published says nothing about authorship.
- Display a visible badge state when an edition is signed under a revoked key (e.g., "signed under revoked key; signing remains provable as of <revocation date>").

A verifier that cannot reach the pubkey URL or the revocation list **MAY** still display the edition with a warning, indicating that signature verification was not possible; it **SHOULD NOT** show the verified state on the strength of a stale cache alone.
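The verifier logic of this section together with the revoked-key classification of §2 steps 4 and 5, written as an added example in TypeScript using Node's built-in ed25519 support. It is not the project's `scripts/sign.ts` and not code from this policy. Everything about file layout is assumed: the signature is taken to be a detached ed25519 signature over an opaque payload, `revoked.txt` is assumed to hold one `<fingerprint> <revoked-on> [<compromised-on>]` entry per line, a key's fingerprint is assumed to be the hex SHA-256 of its SubjectPublicKeyInfo DER, and `claimedSignedOn` is assumed to be a date the signer asserts. The trust data (current key, historical keys, revocation list) is passed in rather than fetched so the block runs offline; a real verifier fills `TrustData` from the three canonical URLs and records when it did so.

```typescript
// Added example for this policy page, not the project's scripts/sign.ts.
// Assumptions (none of these is fixed by LAVS-001 or this policy):
//   - the signature covers an opaque payload Buffer (the edition's canonical bytes)
//   - revoked.txt lines read "<fingerprint> <revoked-on> [<compromised-on>]"
//   - a key's fingerprint is hex SHA-256 over its SubjectPublicKeyInfo DER
import { createHash, createPublicKey, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

export type RevocationEntry = { fingerprint: string; revokedOn: string; compromisedOn?: string };
export type TrustData = {
  currentKeyPem: string;        // contents of pubkey.pem
  historicalKeyPems: string[];  // keys published under /keys/
  revoked: RevocationEntry[];   // parsed revoked.txt
  fetchedAt: Date;              // when the lists were fetched; cache age is checked below
};
export type SignedEdition = {
  payload: Buffer;              // bytes the signature covers (assumed layout)
  signaturePublicKey: string;   // property 710, PEM
  signature: Buffer;            // detached ed25519 signature, 64 bytes
  claimedSignedOn: string;      // ISO date asserted by the signer (assumed field)
};
export type Verdict =
  | "verification-unavailable"  // no fresh trust data: warn, never show "verified"
  | "bad-signature"
  | "untrusted-key"             // verifies, but under a key Project Lavos never published
  | "signed-under-revoked-key"  // revoked key, claimed date before the compromise (§2 step 4)
  | "suspect"                   // revoked key, claimed date on/after the compromise (§2 step 5)
  | "verified";

const MAX_CACHE_AGE_MS = 24 * 60 * 60 * 1000;  // §4: revocation-list TTL at most 24 h

export function fingerprint(pem: string): string {
  const der = createPublicKey(pem).export({ type: "spki", format: "der" });
  return createHash("sha256").update(der).digest("hex");
}

export function parseRevokedTxt(text: string): RevocationEntry[] {
  return text.split(/\r?\n/).map((l) => l.trim())
    .filter((l) => l !== "" && !l.startsWith("#"))
    .map((l) => {
      const [fp, revokedOn, compromisedOn] = l.split(/\s+/);
      if (!fp || !revokedOn) throw new Error(`malformed revoked.txt line: ${l}`);
      return { fingerprint: fp, revokedOn, compromisedOn };
    });
}

// Cross-signature from §1: one token signs the other token's public key (its SPKI DER).
export function crossSign(signer: KeyObject, otherPem: string): Buffer {
  return sign(null, createPublicKey(otherPem).export({ type: "spki", format: "der" }), signer);
}
export function verifyCrossSignature(signerPem: string, otherPem: string, sig: Buffer): boolean {
  const der = createPublicKey(otherPem).export({ type: "spki", format: "der" });
  return verify(null, der, createPublicKey(signerPem), sig);
}

export function verifyEdition(ed: SignedEdition, trust: TrustData | null, now = new Date()): Verdict {
  // Fail closed: missing or stale trust data could hide an already-published revocation.
  if (trust === null || now.getTime() - trust.fetchedAt.getTime() > MAX_CACHE_AGE_MS) {
    return "verification-unavailable";
  }
  let key: KeyObject;
  try { key = createPublicKey(ed.signaturePublicKey); } catch { return "bad-signature"; }
  if (!verify(null, ed.payload, key, ed.signature)) return "bad-signature";  // null: ed25519 has no separate digest step

  const fp = fingerprint(ed.signaturePublicKey);
  const published = [trust.currentKeyPem, ...trust.historicalKeyPems].map(fingerprint);
  if (!published.includes(fp)) return "untrusted-key";

  const rev = trust.revoked.find((r) => r.fingerprint === fp);
  if (!rev) return "verified";
  // The signing date is the signer's own claim and can be backdated by whoever holds the key;
  // this split is the policy's classification, not proof of when the signature was made.
  return ed.claimedSignedOn < (rev.compromisedOn ?? rev.revokedOn) ? "signed-under-revoked-key" : "suspect";
}

// Constructed walk-through: software keys stand in for the two tokens so this runs offline.
export function demo(): Record<string, Verdict | boolean> {
  const primary = generateKeyPairSync("ed25519");
  const backup = generateKeyPairSync("ed25519");
  const stranger = generateKeyPairSync("ed25519");
  const pem = (k: KeyObject) => String(k.export({ type: "spki", format: "pem" }));
  const payload = Buffer.from("constructed stand-in for the canonical bytes of mobius Edition I");
  const edition = (kp: { privateKey: KeyObject; publicKey: KeyObject }, date: string): SignedEdition =>
    ({ payload, signaturePublicKey: pem(kp.publicKey), signature: sign(null, payload, kp.privateKey), claimedSignedOn: date });

  // Day one: primary is current, revocation list empty.
  const dayOne: TrustData = { currentKeyPem: pem(primary.publicKey), historicalKeyPems: [], revoked: parseRevokedTxt(""), fetchedAt: new Date() };
  // After a compromise announced 2026-06-20 and a revocation published 2026-07-01: backup is current, primary historical.
  const afterRotation: TrustData = {
    currentKeyPem: pem(backup.publicKey), historicalKeyPems: [pem(primary.publicKey)],
    revoked: parseRevokedTxt(`# fingerprint revoked-on compromised-on\n${fingerprint(pem(primary.publicKey))} 2026-07-01 2026-06-20\n`),
    fetchedAt: new Date(),
  };
  const tampered: SignedEdition = { ...edition(primary, "2026-06-01"), payload: Buffer.from("altered bytes") };
  return {
    crossSigned: verifyCrossSignature(pem(backup.publicKey), pem(primary.publicKey), crossSign(backup.privateKey, pem(primary.publicKey))),
    fresh: verifyEdition(edition(primary, "2026-06-01"), dayOne),
    tampered: verifyEdition(tampered, dayOne),
    unknownKey: verifyEdition(edition(stranger, "2026-06-01"), dayOne),
    beforeCompromise: verifyEdition(edition(primary, "2026-06-01"), afterRotation),
    afterCompromise: verifyEdition(edition(primary, "2026-06-25"), afterRotation),
    underBackup: verifyEdition(edition(backup, "2026-07-02"), afterRotation),
    staleCache: verifyEdition(edition(primary, "2026-06-01"), { ...dayOne, fetchedAt: new Date(Date.now() - 2 * MAX_CACHE_AGE_MS) }),
    offline: verifyEdition(edition(primary, "2026-06-01"), null),
  };
}
```

The two keypairs are generated in software here only so that the example runs; under this policy they exist only on the tokens, and a verifier never needs private material. The order of checks matters: the cryptographic check comes first so that a forged signature is reported as such rather than as a revocation question, and the stale-cache check comes before everything so that an attacker who can block access to `revoked.txt` cannot keep a revoked key looking valid.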

## 5. Identity continuity

The named author **"Matthew Scott · Project Lavos LLC"** persists across all key rotations. The signing key changes; the named author does not. Edition lineage (slug, edition number, edition total) is preserved across rotations — a buyer of `mobius` Edition I signed under the original primary key holds an edition that remains canonically `mobius` Edition I forever, even if subsequent `mobius` numbered copies are signed under a rotated key.

## 6. First-signing prerequisites

The first edition under this policy **MUST NOT** be signed until all of the following are in place:

- [ ] Primary YubiKey provisioned with the ed25519 signing keypair.
- [ ] Backup YubiKey provisioned with its own ed25519 signing keypair.
- [ ] Both public keys cross-signed and published at the canonical pubkey URL.
- [ ] The pubkey URL (`https://lavos-pubkey.projectlavos.com/pubkey.pem`) returns the primary public key over HTTPS with a valid certificate.
- [ ] This policy document is published at `https://lavos-pubkey.projectlavos.com/rotation-policy.md`.
- [ ] Empty revocation list (`revoked.txt`) is published at the canonical URL so verifiers have a target to fetch.
- [ ] The signing infrastructure in this repository (the `scripts/sign.ts` builder) is implemented and tested against a throwaway keypair.

Until all seven are satisfied, every `.lavs` file in `examples/` ships unsigned (no `signatureAlgorithm` field). Unsigned editions are release candidates per `EDITIONS.md` §6.

---

*This document is binding policy for the signing identity of Project Lavos LLC. It is published alongside the LAVS-001 specification for any party who needs to verify or interpret signatures on `.lavs` files emitted under this identity.*
