Commit d7483199 authored by sajolida

Rephrase WoT

parent 04b2a19e
......@@ -166,27 +166,27 @@ One of the inherent problems of standard HTTPS is that the trust we usually put
on a website is defined by certificate authorities: a hierarchical and closed
set of companies and governmental institutions approved by web browser vendors.
This model of trust has long been criticized and proved several times to be
vulnerable to attacks [[as explained on our warning
page|about/warning#man-in-the-middle]].
vulnerable to attacks [[as explained on our warning page|doc/about/warning#man-in-the-middle]].
We believe instead that users should be given the final say when trusting a
We believe that, instead, users should be given the final say when trusting a
website, and that designation of trust should be done on the basis of human
interaction.
interactions.
The OpenPGP [[!wikipedia Web_of_Trust desc="Web of Trust"]] is a decentralized
trust model based on OpenPGP keys. Let's see that with an example.
The OpenPGP [[!wikipedia Web_of_Trust desc="Web of Trust"]] is a
decentralized trust model based on OpenPGP keys that can help solving
this problem. Let's see that with an example:
1. *You're a friend of Alice and really trust her way of managing OpenPGP keys.
You're trusting Alice's key.*
1. *You are friend with Alice and really trust her way of managing
OpenPGP keys. So you are trusting Alice's key.*
1. *Furthermore, Alice met Bob, a Tails developer, in a conference, and signed
Bob's key. Alice is trusting Bob's key.*
1. *Furthermore, Alice met Bob, a Tails developer, in a conference and certified
Bob's key. So Alice is trusting Bob's key.*
1. *Bob is a Tails developer who directly owns the Tails signing key. Bob fully
trusts Tails signing key.*
1. *Bob is a Tails developer who directly owns the Tails signing key. So
Bob fully trusts the Tails signing key.*
This scenario creates a trust path from you to Tails signing key that could
allow you to trust it without having to depend on certificate authorities.
In this scenario, Alice found a path to trust the Tails signing key
without the need to rely on certificate authorities.
<div class="note">
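Review bot: The new closing sentence, "In this scenario, Alice found a path to trust the Tails signing key", names the wrong party. Step 1 starts the chain at the reader ("You are friend with Alice"), and the sentence it replaces described "a trust path from you to Tails signing key". Suggest "In this scenario, you found a path to trust the Tails signing key". The added "So Alice is trusting Bob's key" in step 2 also treats certifying a key as the same thing as trusting it. A certification states that the key belongs to Bob, so the step would be more accurate if it said Alice verified and certified Bob's key. Wording nits in the added lines: "can help solving" should be "can help solve", "You are friend with Alice" should be "You are a friend of Alice", and "in a conference" should be "at a conference".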
......@@ -200,13 +200,25 @@ line|install/expert/usb]].</p>
</div>
This trust model is not perfect either and requires both caution and intelligent
supervision by users. The technical details of creating, managing and trusting
OpenPGP keys is outside of the scope of this document.
Relying on the Web of Trust requires both caution and intelligent supervision
by users. The technical details are outside of the scope of this document.
We also acknowledge that not everybody might be able to create good trust path
to Tails signing key since it based on a network of direct human relationships
and the knowledge of quite complex tools such as OpenPGP.
Since the Web of Trust is actually based on human relationships and
real-life interactions, the best is to get in touch with people
knowledgeable about OpenPGP and build trust relationships in order to
find your own trust path to the Tails signing key.
For example, you can start by contacting a local [[!wikipedia Linux_User_Group desc="%s"]],
[[an organization offering Tails training|support/learn]], or other Tails
enthusiasts near you and exchange about their OpenPGP practices.
<div class="tip">
<p>After you built a trust path, you can certify the Tails signing key by
signing it with your own key to get rid of some warnings during the
verification process.</p>
</div>
# Further reading on OpenPGP
......
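Review bot: The new tip presents certifying the Tails signing key as a way "to get rid of some warnings during the verification process", which invites readers to sign the key just to silence the warning. Suggest wording the tip so that certification follows from having verified the key through the trust path, with the quieter verification output as a side effect, and saying whether a local (non-exportable) signature is what is intended here. The hunk also drops both caveats from the old text ("This trust model is not perfect either" and the acknowledgement that not everybody can build a good trust path), so consider keeping one sentence on those limits. In the Linux_User_Group link, desc="%s" looks like a leftover placeholder; the other wikipedia link in this file uses a literal description (desc="Web of Trust"), so please check how this one renders. Wording nits: "the best is to" reads better as "the best approach is to", "exchange about their OpenPGP practices" as "discuss their OpenPGP practices", and "After you built" as "After you have built".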