PGP keys signed by me so I don't have to validate the same keys again and again and can just trust my own paper-verified fingerprint in the subsequent validations. Includes keys used within PPFI such as Matterbridge and KeePassXC.
Aminda Suomalainen ⚧ 7d0b920df4
software: add insync-repo.asc
I hope I can trust SKS keyservers and web.archive.org and Mullvad and
the connection between Mullvad and SKS, because the only information
given to me was ACCAF35C and that is trivial to collide and SKS only
gave me one key matching it.
2020-02-01 13:33:12 +02:00
effi effi: add README.md to avoid ambiguity 2020-01-28 13:37:01 +02:00
friends friends/cradamy: fix file suffix 2020-01-26 22:57:25 +02:00
privacytools privacytools: add README.md to clarify it being PrivacyTools.io 2020-01-26 22:58:52 +02:00
software software: add insync-repo.asc 2020-02-01 13:33:12 +02:00
README.md rewrite parts of README.md 2020-01-26 22:53:44 +02:00

README.md

pgp-alt-wot

PGP keys signed by me so I don't have to validate the same keys again and again and can just trust my own paper-verified fingerprint in the subsequent validations.

WoT? Web Of Trust

Why?

For example, I use Tor Browser everywhere and download it directly from their website. They have signed it using GPG (an OpenPGP implementation), and to ensure it hasn't been tampered with, I have to check that signature. I have two options:

This second method is also encouraged by Tails.

What if I am wrong and trust the wrong key? I think I am less likely to trust a wrong key by verifying it carefully and signing it once than by verifying it separately every time. However, if I do sign a wrong key, I can always revoke my signature and then publish the key with my revocation signature on public keyservers (which I don't usually do; I also cannot control what people do with the signatures from this repository).
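The careful check described above, as an added example that is not from this repository: it computes an OpenPGP version 4 fingerprint from a public-key packet body, compares all 160 bits against a paper copy, and shows why an 8-digit short ID like the one mentioned in the commit message is not enough. The function names and the sample key material are constructed for illustration.

```python
import hashlib
import struct

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, a two-byte big-endian
    length, then the version 4 public-key packet body."""
    if not body or body[0] != 4:
        raise ValueError("not a version 4 public-key packet body")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def normalize(fpr: str) -> str:
    """Drop spaces and an optional 0x prefix; insist on all 40 hex digits."""
    s = "".join(fpr.split()).upper()
    s = s[2:] if s.startswith("0X") else s
    if len(s) != 40 or any(c not in "0123456789ABCDEF" for c in s):
        raise ValueError("need the full 160-bit fingerprint, not a key ID")
    return s

def short_id(fpr: str) -> str:
    """Low 32 bits of the fingerprint: the 8-hex-digit 'short key ID'."""
    return normalize(fpr)[-8:]

def pretty(fpr: str) -> str:
    """Group in fours, the way fingerprints are usually written on paper."""
    s = normalize(fpr)
    return " ".join(s[i:i + 4] for i in range(0, 40, 4))

def matches_paper(body: bytes, paper_fpr: str) -> bool:
    """True only if every digit of the computed fingerprint matches."""
    return v4_fingerprint(body) == normalize(paper_fpr)

def _mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then the bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

# Constructed sample: an RSA-shaped packet body with a made-up modulus.
SAMPLE_BODY = (b"\x04" + struct.pack(">I", 1580000000) + b"\x01"
               + _mpi((1 << 2047) | 0x10001) + _mpi(65537))
REAL = v4_fingerprint(SAMPLE_BODY)
# Constructed stand-in for a different key whose short ID happens to be equal.
LOOKALIKE = "F" * 32 + short_id(REAL)

if __name__ == "__main__":
    print("fingerprint:", pretty(REAL))
    print("short IDs equal:", short_id(LOOKALIKE) == short_id(REAL))
    print("paper check, real:", matches_paper(SAMPLE_BODY, pretty(REAL)))
    print("paper check, lookalike:", matches_paper(SAMPLE_BODY, LOOKALIKE))
```

Passing a bare key ID such as `ACCAF35C` to `matches_paper` raises `ValueError` instead of silently comparing only the last digits.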

Inclusion policy

  • I am reasonably certain that the key belongs to whom it claims to belong to or I trust the key to belong to whomever it belongs to.
  • I have some need of the key or have attended a keysigning party with the key owner.

See also