Collaborate Disseminate
Let’s say I want to download a golang.
How to understand which website is official for a project without referring to a some kind of authority like Wikipedia or a search engine rank?
Is there a mechanism to find which website is official a… Continue reading How to understand which website is official for a project?
I’m wondering if there are any known vulnerabilities that are common among web of trust models that limit the degree to which they can be trusted.
For example couldn’t someone offer a bribe to have their fraudulent key signed? If the bribe… Continue reading Web of trust authentication vulnerabilities? [closed]
I consider WEB of trust as a failed initiative (search for SKS key poisoning mass occurred in 2019).
PGP is used to sign software in source (commits / tags in Git/Mercirual) & binary (compiled artifacts) forms.
Currently when I downloa… Continue reading Cross signing practice for PGP package signing keys?
For a given publisher of docker images on Docker Hub (let’s say debian), how do I download their root release/image signing key and verify its authenticity from multiple sources out-of-band from each-other?
Though it doesn’t appear to be c… Continue reading Docker: How to download & verify a publisher’s root key (out-of-band, distinct-domain cryptographic verification, WoT)
How do you assess the trustworthiness of a new website? Especially to download and then install software from.
Edit: My underlying concern is to:
Trust the website.
Trust the website to not inject installer trash into/over the top of th… Continue reading How to assess a website’s trustworthiness?
I have a webapp that sends payloads to clients. I want to sign these payloads so the clients can verify they are from my application. I created a public/private key pair and now need to somehow distribute the public key in a way that the c… Continue reading Public key authencity
This is not a technical question, but I am hoping there is some technical answer.
While looking at Deno: Linking to third party code, and recent news, it seems to me that there is an increasing need to decide whether websites are trustwort… Continue reading Is there a system that can evaluate whether a website is trustworthy? [closed]
Two questions on signatures.
I am trying to understand the various types of "trust signature". The man page says, "For more information please read the sections “Trust Signature” and “Regular Expression” in RFC-4880."… Continue reading Validity, Owner Trust, Trust Signatures & Certification Level
I have read about The OpenPGP trust model but I don’t see any mention of the specific signature types. Are all signature types (sig0 – sig3) treated the same by tools such as gpg or the PGP Pathfinder?
Continue reading Web of trust and signature types? (sig1, sig2, etc)
I need to develop my web of trust. I don’t live in or near a metropolitan area and as such it is a bit difficult to find possible local people to sign. I assume I must not be alone in that context.
My question: is there any … Continue reading Is any key signing party directory – or a mean to facilitate such meetings, exists?