Auditors: start at Trust Center
Trust • Key roles

Key roles: verification vs encrypted contact

Two different keys, two different jobs. Keeping them separate eliminates reviewer drift questions. If proof is missing or inconsistent ⇒ HOLD (fail‑closed).

Current machine-readable production pointer phase: READY_TO_SIGN. Public reviewer status remains HOLD until detached signatures and publication proofs are complete.

Truth strip Reviewer routing v80.5

Single-source reviewer navigation. If any page text conflicts with a signed receipt, treat it as HOLD and follow the receipt.

/trust/reviewer-index/ Reviewer Index Key roles Site‑release latest
/.well-known/mvg-reviewer-index.json Machine index Signature
Canonical pointer /.well-known/mvg-prod.json (+ .asc) is the single signed production pointer. Determine state from signature validity (fail‑closed): missing ⇒ HOLD; invalid ⇒ FAIL; valid signature ⇒ proceed to verify referenced receipts offline.
Key roles site_release_verification_keyring_url = /trust/site-release/latest/pgp.asc · security_contact_encryption_key_url = /pgp.asc · security.txt
Verifier states PASS: all required proofs verify · HOLD: proof is missing, withheld, or unverifiable (fail‑closed) · FAIL: proof is present but invalid or inconsistent.
/trust/reviewer-index/ Open Reviewer Index

Role-scoped naming (canonical)

These names are fixed to prevent drift questions across pages, receipts, and reviewer conversations.

  • site_release_verification_keyring_url — verification keyring for site-release receipts.
  • site_release_verification_keyring_fingerprint — derived from the keyring (do not hardcode).
  • security_contact_encryption_key_url — encryption key for security reports.
  • security_contact_encryption_key_fingerprint — derived from /pgp.asc (do not hardcode).
  • detached_signature_signer_fingerprint — expected signer fingerprint declared per detached signature.
  • expected_verifier_result — one of PASS, HOLD, or FAIL (deterministic; fail‑closed).

1) Site‑release verification keyring

Used to verify site‑release receipts and detached signatures.

/trust/site-release/latest/pgp.asc

Where you use it: Site release (latest) · Offline verification

2) Security contact encryption key

Used to encrypt vulnerability reports and sensitive disclosures to MVG security.

/pgp.asc

Where you use it: Contact · Responsible disclosure policy

Reviewer quick answers

  • Release authenticity? Use the site‑release verification keyring (/trust/site-release/latest/pgp.asc).
  • Encrypt a security report? Use the security contact encryption key (/pgp.asc).
  • See different fingerprints? Treat as HOLD and escalate before proceeding.

Why separate roles?

A verification keyring is part of the public integrity rail (deterministic, replay‑verifiable). A contact encryption key is for confidential inbound communications. Mixing them increases drift risk and reviewer confusion.

This page exists so a Big Tech reviewer can answer “which key for what?” in under 30 seconds.