@yarmo @musicmatze keyoxide is awesome, I haven't managed to prove my xmpp yet though

@rob @yarmo @musicmatze how is independent proof of identity being used in other systems?

@travisfw @yarmo @musicmatze I don't know if it is, but that's the point? It's a way for an individual to say hey, these are all my accounts and I'm linking them with my public key

@rob
How so? Do they visit me at home to verify I am who I claim to be?
@yarmo @travisfw

@musicmatze @yarmo @travisfw no 🤓

You add proofs to your own PGP key and publish it, these proofs correlate to something you've added to an account you control. I.e. https://gitea.loranger.xyz/rob/gitea_proof

The web app, which is also self hostable, just looks up your key and verifies the proofs are signed by your key and exist on the related account as seen here https://keyoxide.org/hkp/rob@loranger.xyz

@musicmatze @yarmo like keybase except decentralized and you don't give your private key to some server

@musicmatze an example might also help: https://keyoxide.org/9f0048ac0b23301e1f77e994909f6bd6f80f485d

It's pretty cool IMO but I really don't get why they're (still) using (proof@)metacode.biz [0] for the signature notations (vs. keyoxide.org or ideally even standardizing some scheme and registering a notation in the IETF namespace via the IANA - cc @keyoxide).
https://keyoxide.org/about#claims
https://metacode.biz/openpgp/proofs
https://tools.ietf.org/html/rfc4880#section-5.2.3.16
https://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-6

Anyway, most probably don't mind but for me that was a blocker so far (might be a nitpick but it triggers me and even their CLI client written in JS which is also not ideal: https://codeberg.org/keyoxide/cli).

[0]: https://metacode.biz/ - "Metacode is a company that focuses on delivering right, high quality and modern solutions."

@michael yeah we tried making it standard but no luck.

As for the CLI, JS is indeed not an optimal choice but they're all stepping stones. When you're not a multimillion company, you need a few more of those.

Though at this moment not my highest priority, the CLI will also be rewritten, likely in rust

@musicmatze

@keyoxide ok, that makes sense, thanks a lot for the reply! And sorry for my passive-aggressive post, I was missing some important context (like that proof@metacode.biz existed (long) before it became Keyoxide). It's an awesome project (also loving the website/documentation!) and I'm looking forward to using it :)

Hi 👋! I’ve designed the original proof@metacode.biz notation.

Sorry for the inconvenience! As you’ve found out Keyoxide uses that for backwards-compatibility reasons.

The story goes like this: the original used my domain name because that’s what RFC 4880 requires for non-standardized notations. Then Keyoxide began to use it, and keys.openpgp.org also had profiles at some point: https://gitlab.com/hagrid-keyserver/hagrid/-/merge_requests/172

The domain part was always problematic, everyone wanted their own domain in there (gee, I really need to update the homepage :-/ ) 🤷 and I thought it would be better to get the name in IANA namespace. Unfortunately it didn’t go well, it seems my proposal lacked a couple of people that'd express they would want the proof notation in the spec and so that just didn’t happen.

Using standardized notation would also mean users would have to pass --expert flag to GnuPG when adding notation (minor inconvenience). Seeing you’re not the first (and last) person not to like my domain name I guess the migration to @keyoxide.org is imminent. (Well, people think of these proofs as “keyoxide proofs” now anyway).

Hope this clears some matters up. Sorry for the confusion again!
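
The notation discussed in this thread is carried in a Notation Data signature subpacket (RFC 4880 section 5.2.3.16). As an added example that is not part of the thread and not Keyoxide's code, this Python code walks a signature subpacket area and extracts the human-readable `proof@metacode.biz` values. The function names, sample bytes and the example.org URL are constructed for illustration, and the code does not verify the signature that carries the subpackets.

```python
import struct
NOTATION_DATA = 20      # signature subpacket type (RFC 4880 section 5.2.3.1)
HUMAN_READABLE = 0x80   # first flag octet (RFC 4880 section 5.2.3.16)
PROOF_NAME = "proof@metacode.biz"  # notation name discussed in this thread

def iter_subpackets(area: bytes):
    """Yield (type, body) for each subpacket in a signature subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            if i + 1 >= len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                # five-octet length
            if i + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]  # mask off the critical bit
        i += length

def parse_notation(body: bytes):
    """Return (name, value, human_readable) from a Notation Data body."""
    if len(body) < 8:
        raise ValueError("notation shorter than its fixed header")
    flags, name_len, value_len = struct.unpack(">4sHH", body[:8])
    if len(body) != 8 + name_len + value_len:
        raise ValueError("notation lengths do not match body size")
    readable = bool(flags[0] & HUMAN_READABLE)
    name, raw = body[8:8 + name_len].decode("utf-8"), body[8 + name_len:]
    return name, (raw.decode("utf-8") if readable else raw), readable

def identity_claims(area: bytes):
    """Collect the values of human-readable proof notations."""
    notes = (parse_notation(b) for t, b in iter_subpackets(area) if t == NOTATION_DATA)
    return [value for name, value, readable in notes if readable and name == PROOF_NAME]

def sample_notation(name: str, value: str) -> bytes:  # builder for the constructed sample only
    n, v = name.encode(), value.encode()
    body = bytes([HUMAN_READABLE, 0, 0, 0]) + struct.pack(">HH", len(n), len(v)) + n + v
    return bytes([len(body) + 1, NOTATION_DATA]) + body

# Constructed sample: creation-time subpacket, a proof notation, an unrelated notation.
SAMPLE_AREA = (bytes([5, 2, 0x5F, 0, 0, 0]) + sample_notation(PROOF_NAME, "https://example.org/alice/proof")
               + sample_notation("note@example.org", "unrelated"))
```
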
