oh! i was wondering why the recommended way to verify ur masto was to post a keybase signed message when even https://keybase.io/verify doesn't support keybase signed messages any more
it's because a pgp signed message is longer than 500 chars. it's only like 510 if u remove the --begin-- and --end-- thingies but it's still too long for a toot
probly would make sense just to put a signed proof on my keybase.pub instead? 🤔 then it could be pgp OR keybase bc no char limits
@00dani the purpose of verification?
@Azrael it proves that my masto profile belongs to the same person as my keybase, which also has proofs that my twitter, facebook, github, etc., belong to the same person
or at least that all those people have the same private key anyway
basically it's a way to leverage trust across social profiles? if u believe my birdsite profile really belongs to me, then u have proof that my masto belongs to me as well
@00dani interesting concept.
@Azrael yeah it's cool :3 actually i have a bunch of keybase.io invites if you'd like one! it's pretty fun, especially now it actually provides something obviously useful (chat between keybase users, which is encrypted and signed :3 )
@00dani I'm pretty ignorant of crypto and attack cases and so on, but I'm curious how that would work. Do you take a toot, and then sign and host it on keybase? But then it could be an imposter's keybase key and account pretending to be your account from that angle, although I guess that's where web of trust comes in.
@ikea_femme well the idea of keybase is leveraging social profiles as an additional web of trust - if u trust my twitter account is really me, then u can cryptographically verify my facebook account is ALSO really me bc i have proofs on keybase for both
here's the masto proof i just wrote https://00dani.keybase.pub/proofs/mastodon.txt and (once i toot it) it'll prove that whoever owns that public key owns this masto account as well
u gotta Just Trust at least one of my profiles tho
@00dani Posting a pgp verification in 2 toots works as well! although I wasn't able to verify it last time someone did that :(
@nightpool i'm not the biggest fan of signatures u can't verify ;)
i think my favourite approach is linking the proof plus a cryptographically-secure hash of it on a service with character limits - like i just did in my previous toot :3 that's what keybase already does for twitter and hacker news, which is what gave me the idea
then u can use pgp clearsigned messages off-site, which are pretty and easy to read as well as reliable <3
also i guess posting anything with my full masto username on it to my keybase.pub actually constitutes a proof in itself since keybase.pub is all signed?? neat
probly would still use a pgp-signed message tho because keybase.pub doesn't indicate which key i used
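An added example, not from the thread or from Keybase, of the hash-link approach 00dani describes for character-limited services: the full proof lives off-site, and the toot carries only its URL plus a SHA-256 digest, so a verifier who fetches the linked file can confirm it is the exact text the toot committed to. The Mastodon handle and the PGP signature block below are constructed placeholders; real signature checking is a separate step this example does not perform.

```python
import hashlib
import re

# Constructed sample proof text, modelled on the kind of clearsigned
# statement discussed above. The signature block is a placeholder, not a
# real PGP signature: this example covers only the hash-link step.
MASTO_HANDLE = "@00dani@example.social"   # hypothetical instance name
PROOF_URL = "https://00dani.keybase.pub/proofs/mastodon.txt"
PROOF_TEXT = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n\n"
    f"I hereby claim that {MASTO_HANDLE} is my Mastodon account.\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "(placeholder signature block, constructed for this example)\n"
    "-----END PGP SIGNATURE-----\n"
)
TOOT_LIMIT = 500

def proof_digest(text: str) -> str:
    """SHA-256 over the exact proof bytes; any edit to the file changes it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def build_toot(url: str, text: str) -> str:
    """Compose the short on-site post: link to the off-site proof plus its hash."""
    toot = f"Verifying myself: {url} sha256:{proof_digest(text)}"
    if len(toot) > TOOT_LIMIT:
        raise ValueError("toot exceeds the character limit")
    return toot

HASH_RE = re.compile(r"sha256:([0-9a-f]{64})")

def verify_toot(toot: str, fetched_text: str, handle: str) -> bool:
    """Check that the text fetched from the linked URL is the one the toot
    commits to, and that the proof actually names this Mastodon account."""
    m = HASH_RE.search(toot)
    if not m:
        return False            # no digest: the link alone proves nothing
    if m.group(1) != proof_digest(fetched_text):
        return False            # proof altered or replaced after posting
    return handle in fetched_text
```

The digest binds the toot to one specific proof file, so swapping the off-site text later is detectable; who controls the signing key still has to be established by checking the PGP signature.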