gpg for anonymous users - Alternative to the web of trust?

adrelanos adrelanos at
Tue Mar 26 17:35:58 CET 2013

As a brief introduction, I am adrelanos, the strictly pseudonymous
(anonymous) maintainer of Whonix, an Open Source Anonymous Operating
System. [1] I gpg-sign binary releases and source code (git tags) in
order to authenticate Whonix to users, and prevent adversaries from
distributing altered versions in my name.

Given that I can't meet with other Linux or Tor developers who could
verify my identity and sign my key, how can I establish a web of trust
for potential Whonix users to rely on? More generally, how can strictly
pseudonymous people establish webs of trust?

In an attempt to bootstrap my public key from the Web, it's available on
keyservers, in Whonix source code and binary releases, and on my
homepage and project page. [3] By mirroring my key to many http, https
and/or .onion sites, it becomes harder and harder to impersonate me.

However, that hasn't worked out very well, because search engines
apparently don't index keys, and so there is no way to verify my list of
public key mirrors.

How can I establish a pseudonym that no one can easily fake while
remaining anonymous?
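One practical way to get some value out of the "many mirrors" idea described in the post is to cross-check, rather than search: download the key from every mirror, compute each copy's fingerprint locally, and flag any mirror whose copy disagrees with the majority (or with a fingerprint pinned from a release signature or an earlier download). The script below is an added example written for this page; it is not code from adrelanos or the Whonix project. It computes the OpenPGP v4 fingerprint exactly as RFC 4880 defines it (SHA-1 over 0x99, a two-byte length and the public-key packet body, which is what `gpg --fingerprint` prints for a primary key), so it would work on a real binary key packet such as the output of `gpg --dearmor`. The mirror URLs and the key packets themselves are constructed toy data for the example: the RSA modulus is an arbitrary number, not a real key.

```python
import hashlib
from collections import Counter


def _mpi(x: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880 3.2)."""
    bits = x.bit_length()
    return bits.to_bytes(2, "big") + x.to_bytes((bits + 7) // 8, "big")


def build_v4_public_key_packet(creation_time: int, n: int, e: int, new_format: bool = False) -> bytes:
    """Build a minimal v4 RSA public-key packet (tag 6, RFC 4880 5.5.2).
    Constructed for this example only; n and e are toy values, not a real key."""
    body = b"\x04" + creation_time.to_bytes(4, "big") + b"\x01" + _mpi(n) + _mpi(e)
    if new_format:  # header 0xC6, then a new-format length (RFC 4880 4.2.2)
        if len(body) < 192:
            length = bytes([len(body)])
        elif len(body) < 8384:
            v = len(body) - 192
            length = bytes([(v >> 8) + 192, v & 0xFF])
        else:
            length = b"\xff" + len(body).to_bytes(4, "big")
        return b"\xc6" + length + body
    # old format, two-octet length: 0x80 | (6 << 2) | 1 == 0x99, the same
    # octet that prefixes the fingerprint hash input
    return b"\x99" + len(body).to_bytes(2, "big") + body


def parse_public_key_packet(data: bytes) -> bytes:
    """Return the body of the first packet, which must be a v4 public key (tag 6)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:  # new-format header
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192:
            length, off = l0, 2
        elif l0 < 224:
            length, off = ((l0 - 192) << 8) + data[2] + 192, 3
        elif l0 == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not supported here")
    else:  # old-format header: tag in bits 2-5, length type in bits 0-1
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not supported here")
        nbytes = 1 << ltype
        length, off = int.from_bytes(data[1:1 + nbytes], "big"), 1 + nbytes
    if tag != 6:
        raise ValueError(f"expected a public-key packet (tag 6), got tag {tag}")
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    return body


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 of 0x99 || two-octet body length || body, as upper-case hex."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The long key ID is the low 64 bits (last 16 hex digits) of the v4 fingerprint."""
    return fingerprint[-16:]


def compare_mirrors(mirrors: dict, expected_fingerprint: str = None):
    """mirrors maps a mirror URL to the raw key bytes fetched from it.
    Returns (consensus fingerprint, sorted list of URLs whose copy disagrees).
    With no pinned fingerprint, a strict majority of mirrors must agree."""
    fps = {url: v4_fingerprint(parse_public_key_packet(blob)) for url, blob in mirrors.items()}
    if expected_fingerprint is None:
        fp, count = Counter(fps.values()).most_common(1)[0]
        if count * 2 <= len(fps):
            raise ValueError("no majority among mirrors; pin a fingerprint and retry")
        expected_fingerprint = fp
    disagreeing = sorted(url for url, fp in fps.items() if fp != expected_fingerprint)
    return expected_fingerprint, disagreeing


# Constructed sample data: a toy key and a tampered copy with a different modulus.
TOY_N = (1 << 2047) | 0xC0FFEE0DDBA11  # arbitrary 2048-bit number, not a real modulus
HONEST_KEY = build_v4_public_key_packet(1364316958, TOY_N, 65537)
HONEST_KEY_NEW_FORMAT = build_v4_public_key_packet(1364316958, TOY_N, 65537, new_format=True)
TAMPERED_KEY = build_v4_public_key_packet(1364316958, TOY_N ^ (1 << 1000), 65537)

# Hypothetical mirror URLs; one of them serves the tampered copy.
MIRRORS = {
    "https://mirror-a.example/adrelanos.gpg": HONEST_KEY,
    "https://mirror-b.example/adrelanos.gpg": HONEST_KEY_NEW_FORMAT,
    "http://mirror-c.example/adrelanos.gpg": TAMPERED_KEY,
    "http://mirror-d.example.onion/adrelanos.gpg": HONEST_KEY,
}

if __name__ == "__main__":
    consensus, bad = compare_mirrors(MIRRORS)
    print("consensus fingerprint:", consensus, "key id:", key_id(consensus))
    print("mirrors disagreeing with consensus:", bad)
```

The majority vote only helps against an attacker who controls a minority of the mirrors; the pinned-fingerprint mode is the stronger check, and the value to pin is whatever the user already trusts, for example the fingerprint printed in an earlier verified release or one confirmed over a second channel. Both modes catch the case the post worries about: a copy of the key that has been quietly replaced on one site.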
