Anonymous Web of Trust¶
While the PGP public infrastructure is very useful and easy to use, it also provides complete social graphs to the public. For many people, this will put them at high risk, so we should use techniques for an anonymous web of trust. Or at least not making the social graph available to people outside of that social graph.
- Anonymous Web of Trust prototype lib
- mode for exclusive, p2p syncing of signatures, no uploads to PGP servers
- gnupg lsign "sign a key locally"
- A conversation with dkg on p2p PGP sig swaps
- caff emails the sigs instead of posting them to the keyserver
- allows keyholder to decide how the sig is distributed
- Evolution supports directly importing the sigs from the emails
- So does thunderbird w/ enigmail
- computer needs working SMTP server
- Anymime Key Signing Party - Android Key Signing GUI which posts sigs via scp
- avoiding tracking connections to PGP servers
- HTTPS to prevent snooping of data
- Tor to prevent tracking of notable IPs
- Hidden tor service descriptor baked into key (todo: flesh this out)