PGP keys signed by me, so I don't have to validate the same keys
again and again and can just trust my own paper-verified fingerprint in the
WoT.
WoT? Web of Trust.
For example, I use Tor Browser everywhere and
download it directly from their website. They have signed it using GPG (an
OpenPGP implementation), and to ensure it hasn't been tampered with, I have
to check that signature. I have two options:
This second method is also encouraged by Tails.
What if I am wrong and trust the wrong key? I think I am less likely to
trust a wrong key by verifying it carefully and signing it once than by
verifying it separately every time. However, if I do sign a wrong key, I can
always revoke my signature and then publish the key with my revocation
signature on public keyservers (which I don't usually do, though I cannot
control what people do with the signatures from this repository).
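One way to automate the check this repository is about: compare the fingerprint GnuPG reports for a key against the copy verified on paper, and see whether my own certification is already on the key so I do not have to re-verify it. This is an added example, not tooling from this repository. It parses the machine-readable `--with-colons` output of `gpg --with-colons --fingerprint --check-sigs KEYID`; the sample output embedded below is constructed, and every fingerprint, key ID and e-mail address in it is a placeholder, not a real key.

```python
"""Check a key against a paper-verified fingerprint and look for my own
certification on it, using the machine-readable output of:

    gpg --with-colons --fingerprint --check-sigs KEYID

Added example for this README; not part of the repository.
"""
import re
import subprocess
from typing import Optional

# Constructed sample of `gpg --with-colons --fingerprint --check-sigs` output.
# All key IDs and fingerprints are placeholders. Field layout (1-based):
# 1 record type, 2 validity, 5 key ID, 10 fingerprint (fpr) or user ID (uid).
# On a sig record, field 2 is '!' for a good signature, '-' for a bad one.
SAMPLE_COLONS = """\
tru::1:1700000000:0:3:1:5
pub:f:4096:1:0123456789ABCDEF:1600000000:::-:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:f::::1600000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Signer <signer@example.invalid>::::::::::0:
sig:!::1:0123456789ABCDEF:1600000000::::Example Signer <signer@example.invalid>:13x:::::2:
sig:!::1:FEDCBA9876543210:1650000000::::Me <me@example.invalid>:10x:::::2:
sig:-::1:DEADBEEFDEADBEEF:1660000000::::Someone Else <else@example.invalid>:10x:::::2:
sub:f:4096:1:1111222233334444:1600000000::::::e::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
"""


def gpg_colons(keyid: str) -> str:
    """Fetch real output from the local keyring (not used by the sample run)."""
    return subprocess.run(
        ["gpg", "--with-colons", "--fingerprint", "--check-sigs", keyid],
        capture_output=True, text=True, check=True,
    ).stdout


def normalize_fingerprint(fpr: str) -> str:
    """Drop the spaces written on paper ('0000 1111 ...') and upper-case."""
    return re.sub(r"\s+", "", fpr).upper()


def primary_fingerprint(colons: str) -> Optional[str]:
    """Fingerprint of the primary key: the first fpr record after the pub record.
    Later fpr records belong to subkeys and must not be compared."""
    seen_pub = False
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            seen_pub = True
        elif fields[0] == "fpr" and seen_pub:
            return fields[9]
    return None


def fingerprint_matches(colons: str, paper_fingerprint: str) -> bool:
    """True only when the full 40-hex-digit fingerprint equals the paper copy.
    A short or long key ID is not enough: key IDs can collide."""
    got = primary_fingerprint(colons)
    want = normalize_fingerprint(paper_fingerprint)
    return got is not None and len(want) == 40 and got == want


def certified_by(colons: str, my_keyid: str) -> bool:
    """True if a good ('!') certification made by my 16-hex-digit key ID is present."""
    my_keyid = my_keyid.upper()
    if len(my_keyid) != 16:
        return False
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] == "sig" and fields[1] == "!" and fields[4].upper() == my_keyid:
            return True
    return False


def next_step(colons: str, paper_fingerprint: str, my_keyid: str) -> str:
    """Decide what to do with the key, following the workflow in this README:
    reject   - fingerprint does not match the paper copy; do not trust or sign
    trusted  - my certification is already on the key; nothing to re-verify
    sign     - verified against paper but not yet signed: gpg --sign-key KEYID
    """
    if not fingerprint_matches(colons, paper_fingerprint):
        return "reject"
    if certified_by(colons, my_keyid):
        return "trusted"
    return "sign"


if __name__ == "__main__":
    paper = "0000 1111 2222 3333 4444  5555 6666 7777 8888 9999"  # constructed
    print(next_step(SAMPLE_COLONS, paper, "FEDCBA9876543210"))
```

To run it against a real keyring, replace `SAMPLE_COLONS` with `gpg_colons("KEYID")`; the decision logic stays the same. Only a full fingerprint is accepted as the paper reference, and only the primary key's fingerprint is compared, so a matching subkey or a colliding short key ID does not pass.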
- I am reasonably certain that the key belongs to whom it claims to belong
to or I trust the key to belong to whomever it belongs to.
- I have some need of the key or have attended a keysigning party with the
me/me.asc is just my key and the place where I try to keep all signatures it
has received. The symlinks exist for legacy reasons, and the other me's are also me.