Intro
So I recently started a project on archiving/mirroring major sources of Transgender and HRT information with the ideal outcome being to host it in several places accessible even within countries with evil firewalls such as tor and IPFS, most likely more.
Gonna work on an archival project of trans info websites, more than just my trans-info page but full archival backups of the different websites along with many accessible ways of accessing it (Torrent, tor, ipfs, more probably). Anyone have good recommendations for archive formats?
Archiving and host that archive is the easy part, use a tool like Browsertrix Crawler to create a WACZ archive, host it places, so people can browse it in replayweb.page and alternative supply the executable for the offline versions if needed then bam an archive that can be browsed and downloaded any time!
The issue
How can you verify that the archive came from me? or that the content wasn't modified? Or that you aren't being hit with a MITM attack?
Easy, just use minisign!
This needs to be accessible and trustworthy to baby trans people and those without technical knowledge.
Post about changes form an accessible social account like your bluesky!
This doesn't really solve the issue of verifiability if my social is compromised.
Hash and/or sign the archives in a public manor so people can verify that!!
How can they trust the hash or signature listed?? What if it's being fudged?? But this feels like the right track.
No matter the way this is handled it most likely needs to be a few unconnected bits that someone connects together themselves in order to trust the outcome, if that makes sense.
Other public trans people backlink to this entry with a hash of the contents and verification that they trust it
User looks for the information
Finds out about the archive/mirror
Archive/mirror requires password to find the URL
The same trusted account should have a hash of the content/public key they can verify the website's output with
Password & signing key listed on my PDS
They get the URL and can now view the content
Give the url to some kind of whole page hasher/verifyer website?
Again others should be able to backlink and certify they trust it with a hash of the entry/pubkey
This method is the vague idea I have right now, and it's convoluted and still annoying and users need to somehow know to do this series of checks??
So what do we do?
I don't currently have a solution to this thought experiment, I am still working on the archiving phase so I could use your help!!
Please give me your ideas, links, topics to research or anything else either in the comments of the bluesky post bellow or through one of the other contact methods mentioned:
Signal:
Email:
Minisign key - https://aria.coffee/static/keys/aria-minisign.pub
Minisign output for a text file called "email" with no file extension containing just the email:
untrusted comment: signature from minisign secret key
RUQLW3LQVJ3g5pi1BjgJbpp4naw7AMY50i61oid4aWWgl4YtiqkwOqTGpkpfth+OiLy8SS9tHfQPYFPW/AXRHWRm4vZq5nv15wo=
trusted comment: timestamp:1773543916 file:email hashed
dOZWEHOzyvYF4uPhYlf+Rxb53+aUzVv0ftkePX11w91EgtaNeYmSi7ZqtMqyatXhZP0scbQYYfAZ3KFru3baCg==SSH public key (for age encryption) - https://git.witchcraft.systems/aria.keys
PGP public key - https://keys.openpgp.org/search?q=hello%40aria.coffee