Mikaela/pgp-alt-wot
1
0
Fork 0
mirror of https://gitea.blesmrt.net/mikaela/pgp-alt-wot.git synced 2024-11-14 20:49:23 +01:00
Code Issues Projects Releases Wiki Activity
4f2e123e58
pgp-alt-wot/README.md

44 lines
2.1 KiB
Markdown
Raw Blame History

# pgp-alt-wot
PGP keys signed by me so I don't have to validate the same keys
again-and-again and can just trust my own paper verified fingerprint in the
subsequent validations.
WoT? [Web Of Trust](https://en.wikipedia.org/wiki/Web_of_trust)
## Why?
For example, I use [Tor Browser](https://torproject.org/) everywhere and
download it directly from their website. They have signed it using GPG (a
OpenPGP implementation) and to ensure it hasn't been tampered with, I have
to check that signature and I have two options:
* I can always [verify the signature](https://support.torproject.org/tbb/how-to-verify-signature/),
but that takes time and I would need to verify it from both [support.torproject.org](https://support.torproject.org/tbb/how-to-verify-signature/)
and [4bflp2c4tnynnbes.onion](http://4bflp2c4tnynnbes.onion/#how-to-verify-signature).
But what if [they were compromised or I was under a MITM attack or lazy and verfied only one version](https://www.qubes-os.org/faq/#should-i-trust-this-website)?
* (or) I could verify the signing key carefully once, sign (or certify) it
by myself and in the future simply verify that my own key is valid (as I
have been doing this a few times on the other side of dualbooting and at
family).
This second method is also [encouraged by Tails](https://tails.boum.org/install/expert/usb/index.en.html).
What if I am wrong and trust the wrong key? I think I am less likely to
trust a wrong key by verifying it carefully and signing it once than
verifying it separately every time. However if I do sign a wrong key, I can
always revoke my signature and then publish the key with my revocation
signature on public keyservers (which I don't usually do, while I cannot
control what people do with the signatures from this repository).
## Inclusion policy
* I am reasonably certain that the key belongs to whom it claims to belong
to or I trust the key to belong to whomever it belongs to.
* I have some need of the key or have attended keysigning party with the
key owner.
## See also
* [Qubes OS: On Digital Signatures and Key Verification](https://www.qubes-os.org/security/verifying-signatures/)
Reference in New Issue View Git Blame Copy Permalink