mirror of https://gitea.blesmrt.net/mikaela/pgp-alt-wot.git synced 2024-11-13 04:09:22 +01:00

Go to file

Aminda Suomalainen b1e312a31a me.asc: update with UIDs and signatures		2022-06-24 22:37:50 +03:00
crypto-exchange	add crypto-exchange/kraken-{ads,support}.asc	2020-02-22 00:21:51 +02:00
effi	effi: add README.md to avoid ambiguosity	2020-01-28 13:37:01 +02:00
email-cloaking	add email-cloaking/anonaddy.asc	2020-03-03 17:18:43 +02:00
feneas	feneas: add hq-feneas-org.asc	2020-03-21 10:32:56 +02:00
friends	friends: add ccx	2022-06-24 21:48:25 +03:00
gnupg	gnupg: add {andre,niibe,werner}.asc	2021-09-15 19:03:36 +03:00
me	me.asc: update with UIDs and signatures	2022-06-24 22:37:50 +03:00
minisign	minisign: add own public key & releated things	2021-06-09 23:51:59 +03:00
ncsc-fi	ncsc-fi: add advisory, news and signing keys	2020-02-22 00:29:27 +02:00
pirates	fix names	2021-02-13 16:59:19 +02:00
privacytools	privacytools: update jonah.asc	2020-02-22 11:59:21 +02:00
services	services: add creep.im.asc	2020-05-09 16:37:21 +03:00
software	gnupg: add {andre,niibe,werner}.asc	2021-09-15 19:03:36 +03:00
vpn	vpn: add mullvad-code.asc & mullvad-support.asc	2020-02-22 00:34:28 +02:00
me.asc	update README & me/ & add my Unicus key	2020-03-13 19:57:48 +02:00
README.md	README.md: add git.com.de & onion	2022-03-07 17:42:15 +02:00

README.md

pgp-alt-wot

PGP keys signed by me so I don’t have to validate the same keys again-and-again and can just trust my own paper verified fingerprint in the subsequent validations.

WoT? Web Of Trust

Why?

For example, I use Tor Browser everywhere and download it directly from their website. They have signed it using GPG (a OpenPGP implementation) and to ensure it hasn’t been tampered with, I have to check that signature and I have two options:

I can always verify the signature, but that takes time and I would need to verify it from both support.torproject.org and 4bflp2c4tnynnbes.onion. But what if they were compromised or I was under a MITM attack or lazy and verfied only one version?
(or) I could verify the signing key carefully once, sign (or certify) it by myself and in the future simply verify that my own key is valid (as I have been doing this a few times on the other side of dualbooting and at family).

This second method is also encouraged by Tails.

What if I am wrong and trust the wrong key? I think I am less likely to trust a wrong key by verifying it carefully and signing it once than verifying it separately every time. However if I do sign a wrong key, I can always revoke my signature and then publish the key with my revocation signature on public keyservers (which I don’t usually do, while I cannot control what people do with the signatures from this repository).

Inclusion policy

I am reasonably certain that the key belongs to whom it claims to belong to or I trust the key to belong to whomever it belongs to.
I have some need of the key or have attended keysigning party with the key owner.
me/me.asc is just my key and place where I try to keep all signatures it has received. Symlinks are legacy reasons and other me’s are also me.

Places to check for keys

GitHub, Gitea and GitLab expose user public keys when you append a .gpg after their profile page (.keys for SSH).
The Internet Archive’s Waybackmachine is always a good place too especially when using together with official websites.
Some people have similar projects or webpages for this purpose
- Artemis’ verify page

README.md

pgp-alt-wot

Why?

Inclusion policy

Places to check for keys

Mirrors

See also

README.md Unescape Escape

pgp-alt-wot

Why?

Inclusion policy

Places to check for keys

Mirrors

See also

README.md