«This document describes a method of adding social proofs to OpenPGP keys in a way that can be independently verified by clients. This is similar to Keybase but decentralized.»
This is AWESOME!!
Here's how to join @wiktor's decentralized keybase replacement effort, using myself as an example.
Thank you so much, Wiktor! That’s all I ever wanted Keybase to do for me. And now there’s a way to do this, but decentralized. This is awesome.
I added Reddit and Mastodon…
And I set up Wiktor's web app, too. https://alexschroeder.ch/openpgp/#0xdf9446eb7b7846387ccc018bc78ca29bacecfeae
@kensanata I will definitely be looking this over. I have been revoking my proofs for many accounts. Continuing a slow retraction from keybase...
@PresGas heh. I deleted my account and left all the proofs. I need to look into this stuff.
@kensanata I believe if you deleted the account the proofs are kinda already deleted. Here is what I see when I look you up. ...I can't look at you except from our shared conversations where I "@"-ed you:
@PresGas Oh, right. What I meant is that I didn't go and delete the DNS TXT entries, or the "it is proven" messages all over the net.
@kensanata Yeah. I am not worried about the social parts so much, but want to clean up the DNS/HTTP entries for sure. That is why I didn't kill them off yet.
@kensanata I... I can't follow that, at all. As in: Not one word of that makes sense.
@dgold my hope is that this is a simple local web app that does what keybase did: it verifies that a key I received belongs to an account I know from GitHub, Reddit, Mastodon, DNS, etc.
@kensanata I don't understand the role of "email@example.com" in this in terms of decentralisation...
@dgold From the FAQ: "RFC 4880 specifies this kind of format as a way to namespace custom notations. You need to create notations under the domain that you own to avoid conflicts. I used my own domain for this protocol. Ideally the notation key would be just proof. Using this kind of keys (without @ namespacing) is only allowed for IETF-approved extensions though (I did not approach them)."
Thus, it's just a key.
@kensanata so instead of firstname.lastname@example.org i can use email@example.com?
None of this is clear in that document...
This needs to be rewritten as a HOWTO
@trechnex Well, I never went to a key signing party and I never signed a key so as far as I'm concerned, that mechanism doesn't work. If you do believe in the web of trust, then you don't need keybase or an alternative because who cares about social media accounts when you have signed proof of identity checking, right?
It'd be kind of like the page-rank algorithm for PGP keys, but would need some thought so you didn't have the equivalent of "SEO" types gaming the system.
@trechnex @kensanata @wiktor would this imply you can't ax an old key, and have to keep it safe and secure forever, or are you imagining some other vector? Such as someone verifying two or more of your social selves as being connected, more or less independently of your PGP key, which is only the carrier of the information?
If the system is going to last longer than five minutes, it probably needs a mechanism for lost keys to be revoked and replaced. So my best guess is trusting the creator of the keys and where you're verifying them rather than the keys themselves.
1: i sign your key because I'm drunk and it's fun
2: i sign your key because i verified your passport and trust that
½: i sign your key because i believe in the Web of Trust
and why i gave up on it:
1: i stopped having fun AND drinking
2: i'm not a cop
½: 1 & 2 made me stop believing in this
Cool! I will share your article with people that want to see how to add social proofs step by step. Thanks for writing it!
Maybe at the bottom you can add a note to publish the key because it may trip some people (proofs are not visible on the web page if they’re not on the key server).
I see on the screenshot that you have this User ID on your key: Alex Schroeder <firstname.lastname@example.org> if you want to you can also put your key on your own domain via Web Key Directory: https://metacode.biz/openpgp/web-key-directory so you wouldn’t have to use keyservers (keys.openpgp.org is fine with me btw :)).
See you! 👋
@kensanata How to pin someone else’s post
@kensanata Oh also! Could we figure out a way to verify your Discord user using a special server and the widget/embed API, and you post your proof in that channel?
@blake that sounds like a lot of work… maybe ask Wiktor?
@kensanata He’s probably the guy to ask, yep
@mathew I fear I'm too simple-minded for it. I see a lot of jargon, something about a local keysd daemon, and I'm thinking: this is not what I want. In the "Why?" section it says "Key management is hard. We need tools, libraries, apps and documentation to help us." I'm… still confused.
@kensanata It's designed to be like Keybase and not involve PGP grot.
@kensanata Really cool idea! Would be great to have this standardized.
Great idea indeed!
I’m actually ironing out the specification details and if all goes well I'd want to standardize it through the OpenPGP working group. That wouldn’t change anything for end-users except for the notation name.
If it’s standardized it can be just “proof” instead of “email@example.com” that’s currently required to namespace the notation. (I'd still support the old notation for backwards compatibility so there is nothing to worry).
@wiktor one question (noob here) about "firstname.lastname@example.org": is it just a name (an index) you give to your proof attached to your key, or does it point to some file or object in metacode.biz? BTW, thank you for your work.
I'm trying to understand the whole logic of the process; I was not on Keybase.
This is just a key in the hash table. It could be anything and it would work, but RFC 4880 says that notation keys should be either without @ when they are standardized (there are currently no such notations) or in local@domain format, where domain is a domain you control. So let's say you control the toot.site domain and think of your own proof system: you'd use email@example.com or firstname.lastname@example.org, because it's the owner of toot.site that selects the local part.
And nope, it doesn't mean anything; it doesn't need to have a file or even an e-mail address like that (but it's a good practice).
I explained that in the FAQ too: https://github.com/wiktor-k/openpgp-proofs#faq
@xosem @wiktor @bn4t it’s just a name. «This e-mail-like string is actually the notation key. RFC 4880 specifies this kind of format as a way to namespace custom notations. You need to create notations under the domain that you own to avoid conflicts. I used my own domain for this protocol. Ideally the notation key would be just “proof”.»
Slightly edited, from https://github.com/wiktor-k/openpgp-proofs#faq
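As an added illustration of the namespacing rule discussed above (the explanation of notation keys in Wiktor's reply and in the quoted FAQ), the following Python is example code written for this page; it is not code from the thread, from openpgp-proofs or from any of its authors. It serialises and parses an OpenPGP Notation Data signature subpacket as RFC 4880 section 5.2.3.16 lays it out (flags, name length, value length, name, value, wrapped in the subpacket length and type octets of section 5.2.3.1) and sorts the notation name into the two namespaces the RFC defines: a name without "@" belongs to the IETF namespace, a name of the form tag@domain belongs to whoever controls that domain. The notation name "proof@toot.site", the tag "proof" and the URL value are constructed stand-ins, building on the hypothetical toot.site domain from the thread; the actual notation name used by openpgp-proofs is the one its README states.

```python
"""
Build and parse an OpenPGP Notation Data signature subpacket
(RFC 4880 section 5.2.3.16) and classify its notation name into the two
namespaces the thread discusses: names without "@" belong to the IETF
namespace (reserved for standardised notations), names of the form
tag@domain belong to the user namespace and are owned by whoever
controls that domain.

Notation names and values used below are constructed for this example;
they are not taken from any published proof specification.
"""
import re
import struct

NOTATION_SUBPACKET_TYPE = 20        # subpacket type "Notation Data" (RFC 4880 5.2.3.1)
FLAG_HUMAN_READABLE = 0x80000000    # first flag octet, bit 7: value is UTF-8 text

# A DNS domain name: dot-separated LDH labels, at least two of them.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def classify_notation_name(name: str) -> dict:
    """Return which namespace a notation name lives in and who owns it.

    Raises ValueError if the part after the last "@" is not a DNS name.
    """
    if "@" not in name:
        return {"namespace": "ietf", "tag": name, "domain": None}
    tag, _, domain = name.rpartition("@")
    if not tag or not _DOMAIN_RE.match(domain):
        raise ValueError(f"user-namespace notation needs tag@domain, got {name!r}")
    return {"namespace": "user", "tag": tag, "domain": domain.lower()}


def encode_subpacket_length(n: int) -> bytes:
    """Subpacket length octets per RFC 4880 5.2.3.1 (n includes the type octet)."""
    if n < 192:
        return bytes([n])
    if n <= 16319:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def decode_subpacket_length(data: bytes) -> tuple:
    """Return (length, number of length octets consumed)."""
    first = data[0]
    if first < 192:
        return first, 1
    if first < 255:
        return ((first - 192) << 8) + data[1] + 192, 2
    return struct.unpack(">I", data[1:5])[0], 5


def encode_notation_subpacket(name: str, value: str, human_readable: bool = True) -> bytes:
    """Serialise one Notation Data subpacket: length, type, flags, name, value."""
    classify_notation_name(name)  # refuse names that fit neither namespace
    name_b = name.encode("utf-8")
    value_b = value.encode("utf-8")
    flags = FLAG_HUMAN_READABLE if human_readable else 0
    body = struct.pack(">IHH", flags, len(name_b), len(value_b)) + name_b + value_b
    payload = bytes([NOTATION_SUBPACKET_TYPE]) + body
    return encode_subpacket_length(len(payload)) + payload


def decode_notation_subpacket(data: bytes) -> dict:
    """Parse a Notation Data subpacket and classify its name.

    Every length field is checked against the bytes actually present, so a
    truncated or oversized subpacket is rejected instead of silently misread.
    """
    length, hdr = decode_subpacket_length(data)
    if len(data) != hdr + length:
        raise ValueError("subpacket length does not match data size")
    if data[hdr] != NOTATION_SUBPACKET_TYPE:
        raise ValueError(f"not a notation subpacket: type {data[hdr]}")
    body = data[hdr + 1:]
    if len(body) < 8:
        raise ValueError("notation body too short for flags and lengths")
    flags, name_len, value_len = struct.unpack(">IHH", body[:8])
    if len(body) != 8 + name_len + value_len:
        raise ValueError("name/value lengths do not match body size")
    name = body[8:8 + name_len].decode("utf-8")
    raw_value = body[8 + name_len:]
    human = bool(flags & FLAG_HUMAN_READABLE)
    result = classify_notation_name(name)
    result.update(
        name=name,
        human_readable=human,
        value=raw_value.decode("utf-8") if human else raw_value,
    )
    return result


if __name__ == "__main__":
    # Constructed sample: a proof notation namespaced under the hypothetical toot.site
    packet = encode_notation_subpacket("proof@toot.site", "https://toot.site/@alex")
    print(packet.hex())
    print(decode_notation_subpacket(packet))
```

The classifier accepts "proof" as an IETF-namespace name only in the sense that it is syntactically in that namespace; as the thread notes, nothing is registered there yet, so a verifier should treat such a name as unknown rather than as a proof. The decoder checks every length against the bytes it was actually given, which is the check you want before trusting anything a key server hands you.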