Aminda Suomalainen ⚧
7d0b920df4
I hope I can trust SKS keyservers and web.archive.org and Mullvad and the connection between Mullvad and SKS, because the only information given to me was ACCAF35C and that is trivial to collide and SKS only gave me one key matching it.

Repository contents: effi, friends, privacytools, software, README.md

README.md
pgp-alt-wot
PGP keys signed by me so I don't have to validate the same keys again and again and can just trust my own paper-verified fingerprint in subsequent validations.
WoT? Web of Trust
Why?
For example, I use Tor Browser everywhere and download it directly from their website. They have signed it using GPG (an OpenPGP implementation), and to ensure it hasn't been tampered with I have to check that signature. I have two options:
- I can always verify the signature, but that takes time and I would need to verify it from both support.torproject.org and 4bflp2c4tnynnbes.onion. But what if they were compromised, or I was under a MITM attack, or I was lazy and verified only one version?
- (or) I could verify the signing key carefully once, sign (or certify) it myself, and in the future simply verify that my own signature on it is valid (as I have been doing a few times on the other side of my dual-boot and at family).
This second method is also encouraged by Tails.
What if I am wrong and trust the wrong key? I think I am less likely to trust a wrong key by verifying it carefully and signing it once than by verifying it separately every time. However, if I do sign a wrong key, I can always revoke my signature and then publish the key with my revocation signature on public keyservers (which I don't usually do, while I cannot control what people do with the signatures from this repository).
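To make the second option concrete, here is an added example (my own illustration, not code from the pgp-alt-wot repository): a POSIX shell check that parses gpg's machine-readable `--check-sigs` output and accepts a key only if it carries a good certification from my own key, matched on the full fingerprint rather than a short ID. The fingerprint, key IDs and gpg output lines below are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not part of the pgp-alt-wot repository): the check the README
# relies on, done by hand. Instead of re-validating a key every time, ask gpg
# whether the key carries a *good* certification made by my own key, and match
# the certifier on the full fingerprint, never on a 32-bit short ID.
#
# Input is `gpg --with-colons --check-sigs <KEY>` output (see gnupg doc/DETAILS):
# field 1 = record type, 2 = validity ('!' good, '-' bad), 5 = signer key ID,
# 11 = signature class (10..13 are certifications), 13 = issuer fingerprint
# when gpg knows it (empty otherwise).

# My certification key's fingerprint: a constructed placeholder, not a real key.
MY_FPR="AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF"

# has_my_certification FPR   (reads colon output on stdin; exits 0 on success)
has_my_certification() {
    awk -F: -v fpr="$1" '
        BEGIN { found = 0; longid = substr(fpr, length(fpr) - 15) }  # last 16 hex = long key ID
        $1 == "sig" && $2 == "!" && $11 ~ /^1[0-3]/ {
            if (length($13)) { if ($13 == fpr) found = 1 }      # prefer the fingerprint
            else if ($5 == longid) found = 1                   # else the 64-bit key ID
        }
        END { exit (found ? 0 : 1) }
    '
}

# Wrapper for real use: check_key <key-id-or-fingerprint>
check_key() {
    gpg --with-colons --check-sigs "$1" 2>/dev/null | has_my_certification "$MY_FPR"
}

# Constructed gpg output: owner self-signature plus my certification, field 13 filled.
SAMPLE_CERTIFIED='pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC::::::23::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAA:
uid:u::::1500000000::HASH::Example Owner <owner@example.invalid>::::::::::0:
sig:!::1:AAAAAAAAAAAAAAAA:1500000000::::Example Owner <owner@example.invalid>:13x:::::2:
sig:!::1:0123456789ABCDEF:1600000000::::Me <me@example.invalid>:13x::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:::2:'

# Older gpg that leaves field 13 empty: fall back to the long key ID.
SAMPLE_LONGID='sig:!::1:0123456789ABCDEF:1600000000::::Me <me@example.invalid>:13x:::::2:'

# A good certification from a stranger plus a *bad* one claiming my key ID: reject.
SAMPLE_REJECT='sig:!::1:CCCCCCCCCCCCCCCC:1600000000::::Someone <x@example.invalid>:13x:::::2:
sig:-::1:0123456789ABCDEF:1600000000::::Me <me@example.invalid>:13x:::::2:'
```

Run `check_key <fingerprint>` against a key in your keyring; a non-zero exit means the key has no good certification from you and needs the full verification again.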
Inclusion policy
- I am reasonably certain that the key belongs to whom it claims to belong to, or I trust the key to belong to whomever it belongs to.
- I have some need of the key or have attended a keysigning party with the key owner.