PGP keys signed by me so I don't have to validate the same keys again-and-again and can just trust my own paper verified fingerprint in the subsequent validations.
25개 이상의 토픽을 선택하실 수 없습니다. Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Mikaela Suomalainen 4cddca7da3
software: update network-obs-suse.asc
2 일 전
crypto-exchange add crypto-exchange/kraken-{ads,support}.asc 1 개월 전
effi effi: add README.md to avoid ambiguosity 2 달 전
email-cloaking add email-cloaking/anonaddy.asc 4 주 전
feneas feneas: add hq-feneas-org.asc 1 주 전
friends add friends/leonardo.asc & update me.asc 1 개월 전
me update me.asc 1 주 전
ncsc-fi ncsc-fi: add advisory, news and signing keys 1 개월 전
privacytools privacytools: update jonah.asc 1 개월 전
software software: update network-obs-suse.asc 2 일 전
vpn vpn: add mullvad-code.asc & mullvad-support.asc 1 개월 전
README.md update README & me/ & add my Unicus key 2 주 전
me.asc update README & me/ & add my Unicus key 2 주 전

README.md

pgp-alt-wot

PGP keys signed by me so I don't have to validate the same keys again-and-again and can just trust my own paper verified fingerprint in the subsequent validations.

WoT? Web Of Trust

Why?

For example, I use Tor Browser everywhere and download it directly from their website. They have signed it using GPG (a OpenPGP implementation) and to ensure it hasn't been tampered with, I have to check that signature and I have two options:

This second method is also encouraged by Tails.

What if I am wrong and trust the wrong key? I think I am less likely to trust a wrong key by verifying it carefully and signing it once than verifying it separately every time. However if I do sign a wrong key, I can always revoke my signature and then publish the key with my revocation signature on public keyservers (which I don't usually do, while I cannot control what people do with the signatures from this repository).

Inclusion policy

  • I am reasonably certain that the key belongs to whom it claims to belong to or I trust the key to belong to whomever it belongs to.
  • I have some need of the key or have attended keysigning party with the key owner.
  • me/me.asc is just my key and place where I try to keep all signatures it has received. Symlinks are legacy reasons and other me's are also me.

See also