PGP keys signed by me so I don't have to validate the same keys again-and-again and can just trust my own paper-verified fingerprint in the subsequent validations. Includes keys used within PPFI such as Matterbridge and KeePassXC.
 
Mikaela Suomalainen bbf128d10e
Add my WTOP key
9 hours ago
crypto-exchange add crypto-exchange/kraken-{ads,support}.asc 2 years ago
effi effi: add README.md to avoid ambiguity 2 years ago
email-cloaking add email-cloaking/anonaddy.asc 2 years ago
feneas feneas: add hq-feneas-org.asc 2 years ago
friends friends: update Shamil's key 5 days ago
gnupg gnupg: add {andre,niibe,werner}.asc 5 days ago
me Add my WTOP key 9 hours ago
minisign minisign: add own public key & related things 3 months ago
ncsc-fi ncsc-fi: add advisory, news and signing keys 2 years ago
pirates fix names 7 months ago
privacytools privacytools: update jonah.asc 2 years ago
services services: add creep.im.asc 1 year ago
software gnupg: add {andre,niibe,werner}.asc 5 days ago
vpn vpn: add mullvad-code.asc & mullvad-support.asc 2 years ago
README.md README.md: add see also for DVV S/MIME cert search 3 months ago
me.asc update README & me/ & add my Unicus key 2 years ago

README.md

pgp-alt-wot

PGP keys signed by me so I don't have to validate the same keys again-and-again and can just trust my own paper-verified fingerprint in the subsequent validations.

WoT? Web Of Trust

Why?

For example, I use Tor Browser everywhere and download it directly from their website. They have signed it using GPG (an OpenPGP implementation), and to ensure it hasn't been tampered with, I have to check that signature and I have two options:

This second method is also encouraged by Tails.

What if I am wrong and trust the wrong key? I think I am less likely to trust a wrong key by verifying it carefully and signing it once than verifying it separately every time. However, if I do sign a wrong key, I can always revoke my signature and then publish the key with my revocation signature on public keyservers (which I don't usually do, while I cannot control what people do with the signatures from this repository).
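The "sign once, then rely on my own signature" check described above can be automated. The following is an added example, not part of the original README or repository: it parses the colon-format listing that `gpg --with-colons --check-sigs` prints and reports whether a key carries a verified, unrevoked certification from my own key. The fingerprints, key IDs and names in the sample are constructed, and timestamps are assumed to be epoch seconds.

```python
import re

CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP certification signature types
REVOKE_CLASS = "30"                      # certification revocation

# Constructed sample of `gpg --with-colons --check-sigs` output; fingerprints,
# key IDs and names are made up. Assumes epoch-second timestamps (field 6).
MY_FPR = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
SAMPLE = """\
pub:-:4096:1:7777888899990000:1400000000:::-:::scESC:
fpr:::::::::1111222233334444555566667777888899990000:
uid:-::::1400000000::::Example Release Key <release@example.org>:
sig:!::1:7777888899990000:1400000000::::Example Release Key:13x::1111222233334444555566667777888899990000:
sig:!::1:0000111122223333:1500000000::::Me <me@example.org>:10x::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
sub:-:4096:1:AAAA000011112222:1400000000::::::e:
sig:!::1:7777888899990000:1400000000::::Example Release Key:18x::1111222233334444555566667777888899990000:
"""

def normalize_fpr(text):
    """Turn a fingerprint as written on paper (spaces, colons) into 40 upper-case hex digits."""
    fpr = re.sub(r"[\s:]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return fpr

def certified_by_me(colon_output, target_fpr, my_fpr):
    """True only if the listed primary key is target_fpr and at least one user ID
    carries a verified ('!') certification from my_fpr that I have not revoked later."""
    target, mine = normalize_fpr(target_fpr), normalize_fpr(my_fpr)
    primary, uid, state = None, None, {}      # state: uid line -> [cert_time, rev_time]
    for n, line in enumerate(colon_output.splitlines()):
        f = line.split(":")
        f += [""] * (13 - len(f))             # pad short records
        if f[0] == "fpr" and primary is None:
            primary = f[9].upper()            # first fpr record is the primary key's
        elif f[0] == "uid":
            uid = n
            state[n] = [-1, -1]
        elif f[0] == "sub":
            uid = None                        # subkey bindings are not certifications
        elif f[0] in ("sig", "rev") and uid is not None and f[1] == "!":
            # Field 13 is the issuer fingerprint on current GnuPG; older output
            # only has the 64-bit key ID in field 5, so fall back to that.
            from_me = f[12].upper() == mine if f[12] else f[4].upper() == mine[-16:]
            if from_me and f[10][:2] in CERT_CLASSES:
                state[uid][0] = max(state[uid][0], int(f[5]))
            elif from_me and f[10][:2] == REVOKE_CLASS:
                state[uid][1] = max(state[uid][1], int(f[5]))
    return primary == target and any(c > r for c, r in state.values())
```

The `!` marker is only present when the listing was produced with `--check-sigs`, so a plain `--list-sigs` listing makes this function return False rather than accept an unverified signature.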

Inclusion policy

  • I am reasonably certain that the key belongs to whom it claims to belong to or I trust the key to belong to whomever it belongs to.
  • I have some need of the key or have attended a keysigning party with the key owner.
  • me/me.asc is just my key and the place where I try to keep all signatures it has received. Symlinks exist for legacy reasons, and the other me's are also me.

Places to check for keys

Mirrors

See also