pgp-alt-wot/README.md

# pgp-alt-wot

PGP keys signed by me so I don't have to validate the same keys
again-and-again and can just trust my own paper verified fingerprint in the
subsequent validations.

WoT? [Web Of Trust](https://en.wikipedia.org/wiki/Web_of_trust)

* * * * *

Example use case for this repository is [Tor Browser](https://torproject.org/),
I need to download it on most of systems and I need to verify it and it's
painful to verify the PGP key all the time, while I can just verify my own
fingerprint from paper and see that it has signed the keys. I have done this
at least twice on Windowses first installing GPG through Chocolatey.

* * * * *

I don't know if there is point in putting down formal signing requirements,
but what has been my policy at the time of writing is:

NOTE: this section is written from memory so may be inaccurate

* friends - knowing for a long time through various connections and seeing
  at times seeing IDs (or visiting both directions) and otherwise having
  so deep relationship that lying about identity wouldn't be easily possible
* privacytools - confirmed from the people themselves, their websites,
  privacytools.io (WKD in git) and similar.
* software - used their verification instructions (of varying strength)
    * keepassxc.asc  mullvad.asc  tails.asc  tor-browser-developers.asc  yggdrasil.asc
    * keepassxc - checked their website through normal and Tor Browser
    * mullvad - checked their website and onion
    * tails - followed their verification instructions (including checking
      that it's signed by a Debian developer)
    * tor-browser - followed their checking instructions
    * yggdrasil - checked their website and comitted apt repo adding to git

* * * * *

TODO:

* add links to the previous section
* add OnionShare?
Initial commit 2020-01-24 21:28:10 +02:00			`# pgp-alt-wot`

README.md: add more information 2020-01-24 22:48:27 +02:00			`PGP keys signed by me so I don't have to validate the same keys`
			`again-and-again and can just trust my own paper verified fingerprint in the`
			`subsequent validations.`

			`WoT? [Web Of Trust](https://en.wikipedia.org/wiki/Web_of_trust)`

			`* * * * *`

			`Example use case for this repository is [Tor Browser](https://torproject.org/),`
			`I need to download it on most of systems and I need to verify it and it's`
			`painful to verify the PGP key all the time, while I can just verify my own`
			`fingerprint from paper and see that it has signed the keys. I have done this`
			`at least twice on Windowses first installing GPG through Chocolatey.`

			`* * * * *`

			`I don't know if there is point in putting down formal signing requirements,`
			`but what has been my policy at the time of writing is:`

			`NOTE: this section is written from memory so may be inaccurate`

			`* friends - knowing for a long time through various connections and seeing`
			`at times seeing IDs (or visiting both directions) and otherwise having`
			`so deep relationship that lying about identity wouldn't be easily possible`
			`* privacytools - confirmed from the people themselves, their websites,`
			`privacytools.io (WKD in git) and similar.`
			`* software - used their verification instructions (of varying strength)`
			`* keepassxc.asc mullvad.asc tails.asc tor-browser-developers.asc yggdrasil.asc`
			`* keepassxc - checked their website through normal and Tor Browser`
			`* mullvad - checked their website and onion`
			`* tails - followed their verification instructions (including checking`
			`that it's signed by a Debian developer)`
			`* tor-browser - followed their checking instructions`
			`* yggdrasil - checked their website and comitted apt repo adding to git`

			`* * * * *`

			`TODO:`

			`* add links to the previous section`
			`* add OnionShare?`