From 34a506e9651a67278e3ba886e3818d27464aea15 Mon Sep 17 00:00:00 2001 From: Yarmo Mackenbach Date: Mon, 29 Jun 2020 18:02:08 +0200 Subject: [PATCH] Add guides --- pages/guides/openpgp-proofs.content.html | 26 +++++++++++++++++++ pages/guides/openpgp-proofs.title.html | 1 + pages/guides/proofs.content.html | 21 +++++++++++++++ pages/guides/proofs.title.html | 1 + .../guides/selfhosting-keyoxide.content.html | 5 ++++ pages/guides/selfhosting-keyoxide.title.html | 1 + 6 files changed, 55 insertions(+) create mode 100644 pages/guides/openpgp-proofs.content.html create mode 100644 pages/guides/openpgp-proofs.title.html create mode 100644 pages/guides/proofs.content.html create mode 100644 pages/guides/proofs.title.html create mode 100644 pages/guides/selfhosting-keyoxide.content.html create mode 100644 pages/guides/selfhosting-keyoxide.title.html diff --git a/pages/guides/openpgp-proofs.content.html b/pages/guides/openpgp-proofs.content.html new file mode 100644 index 0000000..dd5008b --- /dev/null +++ b/pages/guides/openpgp-proofs.content.html @@ -0,0 +1,26 @@ +

Decentralized OpenPGP identity proofs

+ +

Decentralized OpenPGP identity proofs are the brainchild of Wiktor who wrote the original guide on his website (a suggested read to get first-hand information).

+ +

Unlike proofs provided by for example Keybase, OpenPGP proofs are stored inside the PGP keys themselves instead of being mere signatures. Since this operation requires keys with "certify" capabilities and not simply "sign" capabilities, these OpenPGP proofs could be considered more secure.

+ +

What an OpenPGP proof looks like

+ +

Every OpenPGP identity proof is stored in the PGP key as a notation that looks like this:

+proof@metacode.biz=https://twitter.com/USERNAME/status/1234567891234567891 + +

This particular proof is for a Twitter account (read more in the Twitter guide). Let's analyse the notation:

+ + + +

The proof should always link to a document that can be parsed as JSON to make the verification easy and feasible by the browser. Sometimes however, due to CORS restrictions or API requirements (as is the case for Twitter), no such link is provided by the platform. In these rare exceptional cases, the verification process is delegated to the Keyoxide server which will communicate directly with the platform's servers to get the content of the post.

+ +

Your turn

+ +

If you'd like to add decentralized OpenPGP identity proofs to your key, go to the guides and find the right one for your platform of choice. You may find the process to be remarkably easy.

+ +

If your platform is not in the list of guides, it's not supported yet. See the contributing guide for more information on how to get that platform supported.
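
Review bot: In the paragraph about CORS restrictions, "the verification process is delegated to the Keyoxide server" should state what the reader is trusting in that case: the result then depends on what that server returns, which is a different model from the browser fetching the proof document itself. One sentence saying so would let readers weigh a delegated proof accordingly, and it would line up with the selfhosting guide in this patch, which says the heavy lifting is done by the browser. Separately, "Let's analyse the notation:" is followed by no visible explanation of `proof@metacode.biz=https://...`; describe the notation name and the URL value, or drop the sentence. "could be considered more secure" would also be clearer if it named what the "certify" requirement protects against.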

diff --git a/pages/guides/openpgp-proofs.title.html b/pages/guides/openpgp-proofs.title.html new file mode 100644 index 0000000..ee02576 --- /dev/null +++ b/pages/guides/openpgp-proofs.title.html @@ -0,0 +1 @@ +How OpenPGP identity proofs work diff --git a/pages/guides/proofs.content.html b/pages/guides/proofs.content.html new file mode 100644 index 0000000..2fcf41c --- /dev/null +++ b/pages/guides/proofs.content.html @@ -0,0 +1,21 @@ +

Let's see how to verify identity proofs.

+ +

Obtain a public key for verification

+ +

The idea is that anyone can add identity proofs of various platforms in their keys. Since this information is kept in the public key, you could take anyone's public key and check whether they indeed have control over the accounts they claim to.

+ +

If you already have a public key (or its fingerprint) with OpenPGP identity proofs you would like to use to verify, great! If not, you could use the following fingerprint:

+9f0048ac0b23301e1f77e994909f6bd6f80f485d + +

Verify proofs

+ +

Open the keyoxide.org/proofs page and paste the fingerprint in the Email / key id / fingerprint field. Scroll down and press the VERIFY PROOFS button.

+

You now see a list of domains and/or accounts on platforms for which the owner of the public key claims to have an control over.

+

If the last link on a line says proof, the proof could not be verified for any number of reasons but Keyoxide still allows to check the supposed proof and decide for yourself whether you trust the claim. If the

+

If the last link on a line says verified, the owner of the public key indeed has shown beyond doubt that it has control over the domain or account.

+ +

Your turn

+ +

If you'd like to add decentralized OpenPGP identity proofs to your key, go to the guides and find the right one for your platform of choice. You may find the process to be remarkably easy.

+ +

If your platform is not in the list of guides, it's not supported yet. See the contributing guide for more information on how to get that platform supported.
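
Review bot: The paragraph describing the "proof" link ends in a dangling "If the", so a sentence was cut off or left behind; finish it or delete the fragment. In the paragraph before it, "claims to have an control over" has a stray "an" and a doubled preposition with the leading "for which"; "claims to have control" is enough. The sample fingerprint `9f0048ac0b23301e1f77e994909f6bd6f80f485d` is offered without saying whose key it is; name the owner so readers know which accounts to expect in the result list. "has shown beyond doubt" also promises more than the page explains about how a proof is checked; "has shown" would be safer wording.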

diff --git a/pages/guides/proofs.title.html b/pages/guides/proofs.title.html new file mode 100644 index 0000000..3a62919 --- /dev/null +++ b/pages/guides/proofs.title.html @@ -0,0 +1 @@ +Verifying identity proofs diff --git a/pages/guides/selfhosting-keyoxide.content.html b/pages/guides/selfhosting-keyoxide.content.html new file mode 100644 index 0000000..66b9e8c --- /dev/null +++ b/pages/guides/selfhosting-keyoxide.content.html @@ -0,0 +1,5 @@ +

Though it's not a fully supported use case yet, anyone can take the source code and put it on their own server. The idea is that Keyoxide.org is not special in itself. After all, all the heavy lifting is done by the browser. So the role of any individual Keyoxide server is to get the tool in the hands of the end user.

+ +

The few supporting roles the server has can easily be performed by any other (PHP) server.

+ +

So if you like the project but perhaps are mistrusting of servers of others, especially when it comes to keypairs, here's the source code and put it on your own server! Thanks for using the project :)
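
Review bot: "mistrusting of servers of others, especially when it comes to keypairs" implies key material may reach the server, but the guide never says whether it does; state plainly which data the server sees (the text only mentions "the few supporting roles"), since that is what a reader deciding to selfhost needs to know. The same sentence is ungrammatical at "here's the source code and put it on your own server"; something like "take the source code and put it on your own server" reads correctly. The guide also gives no steps or requirements beyond "(PHP) server", so add or link to setup instructions.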

diff --git a/pages/guides/selfhosting-keyoxide.title.html b/pages/guides/selfhosting-keyoxide.title.html new file mode 100644 index 0000000..bccd40d --- /dev/null +++ b/pages/guides/selfhosting-keyoxide.title.html @@ -0,0 +1 @@ +Selfhosting Keyoxide