Trust & provenance
This site's authenticity is independently verifiable — identity, keys, signatures, and privacy posture in one place, and checkable live in your own browser.
Verify in your browser
The checks below run locally in your browser (WebCrypto + same-origin fetches): they re-compute hashes and verify the provenance manifest's Ed25519 signature against the published key.
What these checks prove — and don't
These checks prove that the downloaded artifacts match the published hashes, that signed artifacts verify against the published OpenPGP key, and that the current Ed25519 key is authorized for HTTP response signatures. They do not prove that every biographical claim is externally verified, nor do they replace independent verification of third-party profiles.
Identity
did:web:patrickaudley.com— decentralized identifier (/.well-known/did.json)/.well-known/webfinger— WebFinger/.well-known/nostr.json— Nostr NIP-05- Ethereum / ENS identity:
patrickaudley.com·0x3FEFC1B6D9b6A851bfC274fEa1929c31c6F23cf2·did:pkh:eip155:1:0x3FEFC1B6D9b6A851bfC274fEa1929c31c6F23cf2
Keys & encryption
The site uses a dual-key model: a long-term PGP key as durable identity, and an annually-rotated Ed25519 key that signs HTTP responses.
- OpenPGP public key:
/.well-known/pgp.txt· WKD (/.well-known/openpgpkey/)DF3B 3209 EEDB 36C8 00F0 9C1F 1712 C2A1 55DF 887E - Ed25519 signing-key directory:
/.well-known/http-message-signatures-directory(RFC 9421) - Key-relationship assertion:
/.well-known/keys.txt - The key is also discoverable via DNS — a DNSSEC-signed
OPENPGPKEYrecord (RFC 7929, under_openpgpkey) for DANE discovery. - Key continuity: signed transition statement · email-identity audit (RFC 3161 timestamped)
Signed artifacts & content provenance
- Signed resources carry detached OpenPGP signatures (
.asc); the manifest is at/.well-known/manifest.txt. - Content-provenance manifest (C2PA-style, issuer = the site's DID, EdDSA JWS over Markdown and LLM text):
/.well-known/content-provenance.json
Verification recipes
Import the published key, verify a signed artifact, then inspect provenance:
# inspect the key's fingerprint BEFORE importing — compare it to the one above
curl -s https://patrickaudley.com/.well-known/pgp.txt | gpg --import-options show-only --with-fingerprint --import
# then import, fetch a signed artifact + its signature, and verify
curl -s https://patrickaudley.com/.well-known/pgp.txt | gpg --import
curl -sO https://patrickaudley.com/llms.txt
curl -sO https://patrickaudley.com/llms.txt.asc
gpg --verify llms.txt.asc llms.txt
curl -s https://patrickaudley.com/.well-known/content-provenance.json | jq '.subjects[].sha256'Page integrity
- This page's scripts and styles are pinned with SRI hashes (the live check above recomputes and compares them).
- Build:
adc8861· generated
Security contact
/.well-known/security.txt— RFC 9116 (expires )- Secure / encrypted channel: secure@blackcatinformatics.ca
Privacy posture
- The site honours the GPC (Global Privacy Control) signal:
/.well-known/gpc.json - No cookies, no analytics, no third-party trackers; server logs are kept for security and capacity only.
- Privacy enquiries: secure@blackcatinformatics.ca · Legal & privacy
Mail & transport security (DNS)
Published records for patrickaudley.com (the live check fetches them via DNS-over-HTTPS):
| Record | Posture |
|---|---|
SPF | -all (strict) include:spf.blackcat.ca |
DKIM | published Google selector |
DMARC | p=reject sp=reject |
MTA-STS | enforce Google MX |
TLS-RPT | enabled |
DNSSEC | signed ECDSAP256SHA256 |
Standards index
| Standard | Implements |
|---|---|
| W3C DID | /.well-known/did.json |
| WebFinger (RFC 7033) | /.well-known/webfinger |
| OpenPGP WKD | /.well-known/openpgpkey/ |
| RFC 7929 (DANE OPENPGPKEY) | …_openpgpkey.<domain> (DNSSEC) |
| RFC 9116 | /.well-known/security.txt |
| RFC 9421 | /.well-known/http-message-signatures-directory |
| RFC 9264 | /.well-known/api-catalog · catalog |
| C2PA | /.well-known/content-provenance.json |
| NIP-05 | /.well-known/nostr.json |
| GPC | /.well-known/gpc.json |