Mikaela Suomalainen 66084c069b
software: add fdroid-bin.asc
verified from:

* https://f-droid.org/en/docs/Release_Channels_and_Signing_Keys/
* https://web.archive.org/web/20171220230937/https://f-droid.org/en/docs/Release_Channels_and_Signing_Keys/
* + checked both links with Tor Browser

I wish I had TOFU statistics for it as I have been installing the binary
with adb, but that must have been before I started using trust-model
gpg+tofu
2020-01-30 15:37:31 +02:00
effi effi: add README.md to avoid ambiguity 2020-01-28 13:37:01 +02:00
friends friends/cradamy: fix file suffix 2020-01-26 22:57:25 +02:00
privacytools privacytools: add README.md to clarify it being PrivacyTools.io 2020-01-26 22:58:52 +02:00
software software: add fdroid-bin.asc 2020-01-30 15:37:31 +02:00
README.md rewrite parts of README.md 2020-01-26 22:53:44 +02:00

pgp-alt-wot

PGP keys signed by me so I don't have to validate the same keys again and again and can just trust my own paper-verified fingerprint in the subsequent validations.

WoT? Web Of Trust

Why?

For example, I use Tor Browser everywhere and download it directly from their website. They have signed it using GPG (an OpenPGP implementation), and to ensure it hasn't been tampered with, I have to check that signature. I have two options:

This second method is also encouraged by Tails.

What if I am wrong and trust the wrong key? I think I am less likely to trust a wrong key by verifying it carefully and signing it once than by verifying it separately every time. However, if I do sign a wrong key, I can always revoke my signature and then publish the key with my revocation signature on public keyservers (which I don't usually do, while I cannot control what people do with the signatures from this repository).
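
A sketch of the sign-once check described above, added here as an example and not a script from this repository. The function names, the sample listing and both fingerprints are constructed; the key is compared by full fingerprint against the paper-verified one before it is imported and signed.

```sh
#!/bin/sh
# Added example; every fingerprint and key record below is constructed.

# Constructed `gpg --with-colons` listing: one primary key plus one subkey.
SAMPLE_LISTING='pub:-:4096:1:AAAAAAAAAAAAAAAA:1400000000:::-:::scSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1400000000::::Example Key <key@example.invalid>::::::::::0:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1400000000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

# Strip whitespace and upper-case, so a fingerprint typed from paper compares cleanly.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Print primary-key fingerprints from a colon listing on stdin. Only the fpr
# record directly after a pub record counts; subkey fingerprints are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }
             { want = 0 }'
}

# Exit 0 only if stdin lists exactly one primary key whose fingerprint equals $1.
# Exit 2: $1 is not a full fingerprint (short key IDs are refused).
# Exit 3: the input does not hold exactly one primary key.
key_matches() {
    expected=$(normalize_fpr "$1")
    found=$(primary_fprs)
    case "$expected" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#expected}" -ge 40 ] || return 2
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 3
    [ "$found" = "$expected" ]
}

# Check a key file against the paper-verified fingerprint, then import and sign
# it once. Later `gpg --verify` runs rely on that signature for validity.
sign_once() {   # usage: sign_once KEYFILE "PAPER-VERIFIED FINGERPRINT"
    gpg --show-keys --with-colons "$1" | key_matches "$2" || return 1
    gpg --import "$1" && gpg --quick-sign-key "$(normalize_fpr "$2")"
}
```

The check runs on the key file before `gpg --import`, so a file that carries a different key or more than one key never reaches the keyring.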

Inclusion policy

  • I am reasonably certain that the key belongs to whom it claims to belong to or I trust the key to belong to whomever it belongs to.
  • I have some need of the key or have attended a keysigning party with the key owner.

See also