PGP keys signed by me so I don't have to validate the same keys again-and-again and can just trust my own paper verified fingerprint in the subsequent validations. Includes keys used within PPFI such as Matterbridge and KeePassXC.
Latest commit: Mikaela Suomalainen, c867b7f94e, "me/digitalents.asc: bump expiry", 2021-11-12 12:18:47 +02:00

Repository contents (last commit touching each entry):

  • crypto-exchange: add crypto-exchange/kraken-{ads,support}.asc (2020-02-22 00:21:51 +02:00)
  • effi: effi: add README.md to avoid ambiguity (2020-01-28 13:37:01 +02:00)
  • email-cloaking: add email-cloaking/anonaddy.asc (2020-03-03 17:18:43 +02:00)
  • feneas: feneas: add hq-feneas-org.asc (2020-03-21 10:32:56 +02:00)
  • friends: friends: update Shamil's key (2021-09-15 19:10:25 +03:00)
  • gnupg: gnupg: add {andre,niibe,werner}.asc (2021-09-15 19:03:36 +03:00)
  • me: me/digitalents.asc: bump expiry (2021-11-12 12:18:47 +02:00)
  • minisign: minisign: add own public key & related things (2021-06-09 23:51:59 +03:00)
  • ncsc-fi: ncsc-fi: add advisory, news and signing keys (2020-02-22 00:29:27 +02:00)
  • pirates: fix names (2021-02-13 16:59:19 +02:00)
  • privacytools: privacytools: update jonah.asc (2020-02-22 11:59:21 +02:00)
  • services: services: add creep.im.asc (2020-05-09 16:37:21 +03:00)
  • software: gnupg: add {andre,niibe,werner}.asc (2021-09-15 19:03:36 +03:00)
  • vpn: vpn: add mullvad-code.asc & mullvad-support.asc (2020-02-22 00:34:28 +02:00)
  • README.md: README.md: remove dead link to Jonah's verify page (2021-09-28 14:08:07 +03:00)
  • me.asc: update README & me/ & add my Unicus key (2020-03-13 19:57:48 +02:00)


pgp-alt-wot

PGP keys signed by me so I don't have to validate the same keys again-and-again and can just trust my own paper verified fingerprint in the subsequent validations.

WoT? Web Of Trust

Why?

For example, I use Tor Browser everywhere and download it directly from their website. They have signed it using GPG (an OpenPGP implementation), and to ensure it hasn't been tampered with, I have to check that signature. I have two options:

This second method is also encouraged by Tails.

What if I am wrong and trust the wrong key? I think I am less likely to trust a wrong key by verifying it carefully and signing it once than by verifying it separately every time. However, if I do sign a wrong key, I can always revoke my signature and then publish the key with my revocation signature on public keyservers (which I don't usually do, although I cannot control what people do with the signatures from this repository).
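As an added illustration of the sign-once, trust-my-own-signature idea (example code written for this page, not part of the pgp-alt-wot repository), the script below parses the output of `gpg --with-colons --check-sigs` and reports, per key, whether it carries a good certification from my own key. The field positions follow gpg's DETAILS documentation; the fingerprints, key IDs and the sample output are constructed placeholders.

```python
# Added example, not code from pgp-alt-wot. Parses `gpg --with-colons --check-sigs`
# output: field 2 = validity ('!' good, '?' signer key missing), field 5 = signer
# long key ID, field 11 = signature class, field 13 = issuer fingerprint (only set
# when gpg could verify the signature; empty with a cached verification result).
CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP user-ID certification types

# Constructed sample: a maintainer key I signed (BBBB...), a key with only a
# self-signature (DDDD...), and one where my key ID matches but no issuer fpr (EEEE...).
SAMPLE = """\
pub:-:255:22:BBBBBBBBBBBBBBBB:1700000000:::-:::scESC::::::23::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
uid:-::::1700000000::H1::Tool Maintainer <tool@example.org>::::::::::0:
sig:!::22:BBBBBBBBBBBBBBBB:1700000000::::Tool Maintainer <tool@example.org>:13x::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:::8:
sig:!::22:AAAAAAAAAAAAAAAA:1700000100::::Me <me@example.org>:13x::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:::8:
pub:-:255:22:DDDDDDDDDDDDDDDD:1700000000:::-:::scESC::::::23::0:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:
uid:-::::1700000000::H2::Unknown Dev <dev@example.net>::::::::::0:
sig:!::22:DDDDDDDDDDDDDDDD:1700000000::::Unknown Dev <dev@example.net>:13x::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:::8:
sig:?::22:FFFFFFFFFFFFFFFF:1700000200::::[User ID not found]:10x::::8:
pub:-:255:22:EEEEEEEEEEEEEEEE:1700000000:::-:::scESC::::::23::0:
fpr:::::::::EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE:
uid:-::::1700000000::H3::Other Dev <other@example.net>::::::::::0:
sig:!::22:AAAAAAAAAAAAAAAA:1700000300::::Me <me@example.org>:10x:::::8:
"""


def parse_check_sigs(output):
    """Map each primary-key fingerprint to its good (signer key ID, issuer fpr) certs."""
    keys, cur = {}, None
    for f in (line.split(":") for line in output.splitlines()):
        if f[0] == "pub":
            cur = "pub"  # the next fpr record names this primary key
        elif f[0] == "fpr" and cur == "pub":
            cur = f[9]
            keys[cur] = []
        elif f[0] == "sig" and cur in keys and f[1] == "!" and f[10][:2] in CERT_CLASSES:
            keys[cur].append((f[4], f[12] if len(f) > 12 else ""))
    return keys


def certified_by_me(output, my_fpr):
    """'signed-by-me' if a verified cert names my fingerprint as issuer, 'keyid-only'
    if only the 64-bit key ID matches (weaker: key IDs can collide), else 'unsigned'."""
    my_fpr = my_fpr.replace(" ", "").upper()
    status = {}
    for fpr, certs in parse_check_sigs(output).items():
        if any(issuer == my_fpr for _, issuer in certs):
            status[fpr] = "signed-by-me"
        elif any(keyid == my_fpr[-16:] for keyid, _ in certs):
            status[fpr] = "keyid-only"
        else:
            status[fpr] = "unsigned"
    return status
```

Run it against real output with `gpg --with-colons --no-sig-cache --check-sigs` so the issuer fingerprint field is filled and a 'keyid-only' result is a genuine warning rather than a caching artefact.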

Inclusion policy

  • I am reasonably certain that the key belongs to whoever it claims to belong to, or I trust the key to belong to whoever it belongs to.
  • I have some need of the key or have attended a keysigning party with the key owner.
  • me/me.asc is just my key and the place where I try to keep all signatures it has received. The symlinks exist for legacy reasons, and the other keys under me/ are also mine.

Places to check for keys

  • GitHub, Gitea and GitLab expose a user's public keys when you append .gpg to their profile URL (.keys for SSH).
  • The Internet Archive's Wayback Machine is always a good place too, especially when used together with official websites.
  • Some people have similar projects or webpages for this purpose.

Mirrors

See also