OpenPGP Proofs
«This document describes a method of adding social proofs to OpenPGP keys in a way that can be independently verified by clients. This is similar to Keybase but decentralized.»
github.com/wiktor-k/openpgp-pr


This is AWESOME!!
Here's how to join @wiktor's decentralized keybase replacement effort, using myself as an example.
alexschroeder.ch/wiki/2020-05-

Thank you so much, Wiktor! That’s all I ever wanted Keybase to do for me. And now there’s a way to do this, but decentralized. This is awesome.

@kensanata @wiktor i mean, as long as we don't try to use PGP for anything serious like encryption or signing i guess i'm okay with this

@hirojin @kensanata @wiktor *sends burn ointment* 😂

I have to admit that a more compelling option would include a mechanism for other people who can verify your identity to sign your key. That's the main thing that was always missing from the keybase equation.

@trechnex Well, I never went to a key signing party and I never signed a key so as far as I'm concerned, that mechanism doesn't work. If you do believe in the web of trust, then you don't need keybase or an alternative because who cares about social media accounts when you have signed proof of identity checking, right?
@hirojin @wiktor

@kensanata @hirojin @wiktor I was thinking in terms of other user accounts on other servers saying "yes, that's the real deal" and using that as an extra form of authority in addition to proofs.

It'd be kind of like the page-rank algorithm for PGP keys, but would need some thought so you didn't have the equivalent of "SEO" types gaming the system.

@trechnex @kensanata @wiktor would this imply you can't ax an old key, and have to keep it safe and secure forever, or are you imagining some other vector? such as, someone verifying two or more of your social selves as being connected? more or less independent of your PGP key, which is only the carrier of the information

@hirojin @kensanata @wiktor as a person who's not a security researcher, I don't pretend to know the answer to that 😅

If the system is going to last longer than five minutes, it probably needs a mechanism for lost keys to be revoked and replaced. So my best guess is trusting the creator of the keys and where you're verifying them rather than the keys themselves.

@kensanata @trechnex @wiktor (i have been to multiple key signing parties (in my youth), which is why i don't believe in the Web of Trust)

@clacke @kensanata @trechnex there are 2½ types of key signing (party)

1: i sign your key because I'm drunk and it's fun
2: i sign your key because i verified your passport and trust that
½: i sign your key because i believe in the Web of Trust

and why i gave up on it:

1: i stopped having fun AND drinking
2: i'm not a cop
½: 1 & 2 made me stop believing in this

@trechnex @hirojin @kensanata @wiktor Wouldn't strengthening the trust be covered under traditional key servers or am I missing a piece of this?

Cool! I will share your article with people that want to see how to add social proofs step by step. Thanks for writing it!

Maybe at the bottom you can add a note to publish the key because it may trip some people (proofs are not visible on the web page if they’re not on the key server).

I see on the screenshot that you have this User ID on your key: Alex Schroeder <alex@alexschroeder.ch>. If you want, you can also put your key on your own domain via Web Key Directory: https://metacode.biz/openpgp/web-key-directory so you wouldn't have to use keyservers (keys.openpgp.org is fine with me btw :)).

See you! 👋
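The Web Key Directory lookup mentioned in the post above works by hashing the lowercased local part of the address with SHA-1, z-base-32 encoding the digest, and fetching the key from a well-known path on the mail domain. The following is an added example (not code from the thread, the OpenPGP proofs project or metacode.biz) that derives both the "advanced" and "direct" WKD URLs for an address; it assumes the standard z-base-32 alphabet and uses the address from the User ID quoted above as sample input.

```python
import base64
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part.
# RFC 4648 base32 uses the same MSB-first 5-bit grouping, so the
# standard encoder can be reused with a translated alphabet.
_RFC4648 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TABLE = str.maketrans(_RFC4648, _ZBASE32)


def zbase32(data: bytes) -> str:
    """z-base-32 encode a byte string whose length is a multiple of 5 (no padding)."""
    if len(data) % 5:
        raise ValueError("length must be a multiple of 5 bytes for unpadded output")
    return base64.b32encode(data).decode("ascii").translate(_TABLE)


def wkd_hash(local_part: str) -> str:
    """Hash the local part the way WKD does: lowercase, SHA-1, z-base-32 (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32(digest)


def wkd_urls(address: str) -> dict:
    """Return the 'advanced' and 'direct' WKD lookup URLs for an e-mail address."""
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        raise ValueError("expected local-part@domain")
    domain = domain.lower()
    h = wkd_hash(local_part)
    # The l= parameter carries the original (not lowercased) local part.
    query = "?l=" + quote(local_part, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}",
    }


if __name__ == "__main__":
    # Sample input: the address from the User ID mentioned in the thread.
    for method, url in wkd_urls("alex@alexschroeder.ch").items():
        print(f"{method}: {url}")
```

A client tries the advanced URL first and falls back to the direct one; whichever answers must serve the binary (not ASCII-armored) key over HTTPS.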

@kensanata Oh also! Could we figure out a way to verify your Discord user using a special server and the widget/embed API, and you post your proof in that channel?
