ken

The trust comes from the association. You can't remove (or keep private) the association and expect to not have to separately rebuild the trust as a consequence. That what you are trying to do is made is inconvenient in GPG is quite intentional I believe. Or maybe I misunderstand your motivations, it's a bit ambiguous and you leave a lot open for interpretation.

What I hear you say is: This would be convenient and easy for the user. Doing it differently, in a safer way that's not problematically under scope for data protection regulations, would be more effort, not what you're used to and "messy". Certain useful features seem like they'd require more upfront work and the while system would be more complex and unfamiliar.

How is that relevant? None of that changes what you're actually asking about or makes it a good approach. I don't see how it'd make it either safer or less legally problematic?

What purpose does (certifying with) the primary key serve there if you don't disclose it prior to rotation? What do you gain by not disclosing it when its only used in this context? It may be you haven't thought it through fully but otherwise sounds like you can get what you want by separate primary keys which you then manually --sign-key between on demand.

The mention of Meta in the summary doesn't fit. The article only mentions them in passing in reference to WhatsApp backups. Misleading and not relevant at all when talking about BitLocker. I think this is an editorial mistake but makes it read like subvertising, which is a shame for reporting on such a serious issue. How Google does keys for ChromeOS and Android would have been much more appropriate to compare with but for some reason this isn't even mentioned.

There's a lot to unpack here but just one thing:

Also potentially thinking may get some free webserver (basically like <20 api calls a days max and small dB with maybe 1000 rows) not for security of the data but more just not having open network ports to the internet without having the security infrastructure.

This sounds like the kind of data you really want to keep locally and I wouldn't trust any free (or even affordable) webhosting business with it. I think it's wise to keep the db and app server local and terminate the TLS locally too. You can still get a cheap VPS or two that you open a secure VPN (like wireguard) and/or SSH tunnel to. Then on the VPS you run can a second, outer, reverse proxy that forwards requests to your internal one over the gateway link. This way you get to keep the data local and safe without having to expose your home net online.

Many people enjoy Tailscale for this. There are full self-hosted options for that too but it sounds like their solution might fit your situation and requirements.

If even that feels unsafe, I really think you need to step up a bit on segregating and isolating your stuff, maybe do some homework on security, before putting sensitive stuff like this on shared infra...

I don’t want to deal with hippa or be responsible for medical data so I specifically don’t want to host the data

The only (legal) way to not deal with HIPPA is to make sure you're not in scope for HIPPA. IANAL but it sounds like you (or worse, somebody else) will retain control and management of medical data with your intended approach no matter where you host it and how other users authorize?

You can't architect, outsource, or encrypt your way out of that. A fully peer-to-peer solution which keeps the data on user devices and under their control and utilizes external server for signalling only but not for relaying or auth might get you there though.

GrapheneOS is as I understand it much less of a one-man party and in a healthier place these days compared to not that long ago. Good to keep in mind when digging up older material.

And whenever Graphene OS is mentioned, one must also mention its leader

Absolutely disagree with that you must do that whenever it is mentioned. That sounds like some unhealthy obsession if anything. There are more interesting conversations to be had. Don't we have bigger fish to fry? Move on, dude.

So let’s say you created a PGP key & then proceeded to create 2 subkeys. Is it possible to just export the particular subkeys only. (let’s say one for encryption & the other for signing) for OTHERS to import into their keyring for authentication & encryption ?

For the private key, yes. First identify the subkey ID:

gpg --keyid=format=long -K
sec   ed25519/5810B9EFF21686DE 2026-01-23 [SC] [expires: 2029-01-22]
      C9E33D15E55A3834EE17A9755810B9EFF21686DE
uid                 [ultimate] alice <alice@localhost>
ssb   cv25519/F1806CEA56544D8D 2026-01-23 [E] [expires: 2029-01-22]

Then export it (note the !):

gpg --export-secret-subkeys -a 'F1806CEA56544D8D!'

If you want the pubkey subkey only: What's your use-case for sharing a certified key without the certificate chain? There are reasons why exporting just the public subkey isn't really a supported feature (outside of some ugly keyring surgery). If you want unsigned "naked" keys wouldn't it make sense to not use subkeys at all to begin with? Or more practically, generate separate root keys with matching user/expiry but each with different set of subkeys present (like the example above with only E) ?

If only... What does fox say?

I'm so glad you want to try!

The problem with both that and Flathub is that I can't seem to pass Githubs signup CAPTCHA whatever I tried (and yes I tried other browsers too lol). Besides, having my old account there arbitrarily blocked on phone number verification in the past, not feeling super keen on having users rely on them for updates, even putting aside whatever I feel about Microsofts and GitHubs role in the ecosystem in general...

However, if anyone would be up for the literal push-part of pushing it up and wouldn't mind collaborating a bit in the process, would be happy to make that happen together (or use your privilege if you're motivated; it's free software yo, just heed the license ;)). There is an Issue thread for coordinating if this is you.

I don't think it should be too involved as the source repo and source tarballs are built in pretty much the same way as LW, which already has a derivation in nixpkgs. Didn't look closer at that derivation but hopefully shouldn't be much more than copying pkgs/applications/networking/browsers/librewolf and replacing some strings.

There is a longer discussion to be had about both what RFP does, how effective it is, and the relative impact on entropy of this particular feature.

For now I will just say that this: Providing configuration for this serves the projects goal of user control and freedom. It should be up to the user to make that call. Us as developer shouldn't unilaterally decide on behalf of everyone. We can't think of everything and we don't always know best. Of course we can still provide guidance and put what we believe is sensible as defaults. I find it odd to criticize empowering users in this way, in particular considering the status quo.

Were it up to me, everyone should have Letterboxing on by default, probably with similar reasoning. I don't see why you wouldn't use it. Everyone enabling it would make us all (ever so little) less fingerprintable. Arguably more meaningful impact than dark/light-theme. And less of an accessibility issue. Even so, we still leave this configurable in the same way as the dynamic theming.

You can also see this way of thinking reflected in allowing loading of your own add-ons from file and allowing userChrome customization. Probably niche power-user features with risks involved and sharp edges exposed but we are developers and maintainers of software, not your sysadmins^1^ or caretakers^2^.

If you fundamentally disagree, well, not all software has to be for everyone. Probably there is already something else (like Tor Browser) that serves your needs and aligns with your philosophy better?

^1^: ...xcept... you want us to be your sysadmin? 👉👈 Call me when you close that seed round bb 😘

^2^: Nope.

If you are on Linux I think you will find interest in Konform Browser, which started as a fork of LibreWolf addressing some of your pains. Am dev so please allow me to shill for a bit.

Specifically to your comment:

ResistFingerprinting is IMHO way overkill and breaks nice things like automatic dark modes just for preserving privacy in the 0.001% of cases where browser fingerprinting matters

Konform can respect user theming preferences and dark mode even under Private Mode / RFP.

Firefox Sync,

While Konform still keeps it off by default, it allows configuring endpoints for a self-hosted or third-party Sync server from the Preferences without having to dive into about:config.

Besides that, it goes even further than LW in disabling built-in remote connections, snoopware, and AI integrations.

I hope you might consider it <3

fedi thread