Mirrors/keyoxide-web
1
0
Fork 1
mirror of https://codeberg.org/keyoxide/keyoxide-web.git synced 2024-12-22 14:59:29 -07:00
Code Issues Projects Releases Packages Wiki Activity

Rewrite guides in markdown

Browse source
This commit is contained in:
Yarmo Mackenbach 2020-08-08 01:04:28 +02:00
parent 27da0ee34f
commit cb077596f0
72 changed files with 871 additions and 2085 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
guides/contributing.md Normal file
View file

@ -0,0 +1,20 @@
# Contributing to Keyoxide
Keyoxide is more than this website. It's a project that aims to make cryptography more accessible to everyone. Keyoxide is part of a larger community of people working hard to develop tools that add privacy and security to our digital online lives. Remember: privacy is not a luxury.
## As a developer
As Keyoxide is an open-source project licensed under the permissive [MIT License](https://codeberg.org/keyoxide/web/src/branch/main/LICENSE), everyone is welcome and encouraged to contribute. This can be done in various forms:
* [Open an issue](https://codeberg.org/keyoxide/web/issues) to request changes, new features or simply get help.
* [Open a PR](https://codeberg.org/keyoxide/web/pulls) to directly integrate your own changes and new features.
## Not a developer?
Not a developer? Not a problem? You could:
* Learn more about the importance of online privacy and security and advocate for it (much needed!)
* Write guides for others and help each other out.
* Start using decentralized OpenPGP identity keys.
* Spread the word about Keyoxide and OpenPGP keys in general.
* Talk to persons you know using siloed or closed-source alternatives to Keyoxide.

41
guides/devto.md Normal file
View file

@ -0,0 +1,41 @@
# Adding a dev.to proof
Let's add a decentralized dev.to proof to your OpenPGP keys.
[[toc]]
## Post a dev.to proof message
Log in to [dev.to](https://dev.to) and create a new post with the following text (make sure to replace FINGERPRINT and USERNAME):
```
This is an OpenPGP proof that connects [my OpenPGP key](https://keyoxide.org/FINGERPRINT) to [this dev.to account](https://dev.to/USERNAME). For details check out https://keyoxide.org/guides/openpgp-proofs
[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]
```
After posting, copy the link to the post.
## Update the PGP key
First, edit the key (make sure to replace FINGERPRINT):
`gpg --edit-key FINGERPRINT`
Add a new notation:
`notation`
Enter the notation (make sure to update with the link to the post copied above):
`proof@metacode.biz=https://dev.to/USERNAME/POST_TITLE`
Save the key:
`save`
Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT):
`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT`
And you're done! Reload your profile page, it should now show a verified dev.to account.

41
guides/discourse.md Normal file
View file

@ -0,0 +1,41 @@
# Adding a Discourse proof
Let's add a decentralized Discourse proof to your OpenPGP keys.
[[toc]]
## Update the Discourse account
Log in to the discourse instance website and add the following text to your **About me** (make sure to replace FINGERPRINT):
```
This is an OpenPGP proof that connects my OpenPGP key to this Discourse account. For details check out https://keyoxide.org/guides/openpgp-proofs
[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]
```
After posting, copy the link to your profile page (it should end with your **/u/USERNAME**).
## Update the PGP key
First, edit the key (make sure to replace FINGERPRINT):
`gpg --edit-key FINGERPRINT`
Add a new notation:
`notation`
Enter the notation (make sure to replace PROFILE_URL with the link to the profile copied above):
`proof@metacode.biz=PROFILE_URL`
Save the key:
`save`
Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT):
`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT`
And you're done! Reload your profile page, it should now show a verified Discourse account.

35
guides/dns.md Normal file
View file

@ -0,0 +1,35 @@
# Adding a DNS proof
Let's add a decentralized DNS proof to your OpenPGP keys.
[[toc]]
## Update DNS records for your website
Add the following TXT record to the DNS records of the (sub)domain you want to prove control over (make sure to replace FINGERPRINT):
`openpgp4fpr:FINGERPRINT`
No specific TTL value is required.
## Update the PGP key
First, edit the key (make sure to replace FINGERPRINT):
`gpg --edit-key FINGERPRINT`
Add a new notation:
`notation`
Enter the notation (make sure to replace DOMAIN, don't include https://):
`proof@metacode.biz=dns:DOMAIN?type=TXT`
Save the key:
`save`
Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT):
`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT`

27
guides/encrypt.md Normal file
View file

@ -0,0 +1,27 @@
# Encrypting a message
Let's see how to encrypt a message.
[[toc]]
## Obtain a public key for encryption
The idea is that you use someone's public key to encrypt a message. From then on, the message cannot be decrypted and read by anyone but the person possessing the private keys associated with the public key (they'll have the same fingerprint).
If you already have a public key (or its fingerprint) you would like to use to encrypt a message, great! If not, you could use the following fingerprint:
`9f0048ac0b23301e1f77e994909f6bd6f80f485d`
## Encrypt a message
Open the [keyoxide.org/encrypt](/encrypt) page and paste the fingerprint in the **Email / key id / fingerprint** field.
Write a message in the **Message** field. Scroll down and press the **ENCRYPT MESSAGE** button.
You have successfully encrypted the message! The encrypted message in the **Message** field can safely be sent via unsecured communication channels knowing that only the person possessing the private key associated with that fingerprint can read it.
## Going further
You could try using different mechanisms of fetching keys, such as **web key directory** or copy-pasting a plaintext public key.
If you'd like to receive PGP encrypted messages, you must first learn the fundamentals of PGP and how to generate and handle your own keypair.

41
guides/feature-comparison-keybase.md Normal file
View file

@ -0,0 +1,41 @@
# Feature comparison with Keybase
Let's see how Keyoxide's features compare to those of Keybase.
[[toc]]
## Encrypt and verify
Both Keyoxide and Keybase allow easy encryption of data and verification of signatures. While Keybase can only perform these actions for their users who uploaded at least a public key to their servers, Keyoxide can do this for any key on the internet, whether it's available through web key directory, dedicated key servers or simply copy-pasting a plaintext key.
## Decrypt and sign
Keyoxide cannot decrypt data or sign messages.
Keybase can do both of those things but this should NOT be considered a feature. It requires one to upload their private key to closed-source servers which is an act in stark contradiction with all safety precautions any owner of a private key should aim to heed.
## Online identity proofs
Both Keyoxide and Keybase allow the user to generate proofs of online identity on various platforms. The difference lies in the method of generation and the implications this has on security.
Keybase generates a signed message to be posted by the to-be-verified account. Since this involves a signature, any signing key can be used. If a signing key gets misappropriated, it becomes easy for a bad actor to create fake identity proofs.
Keyoxide uses decentralized OpenPGP proofs in which the identity proofs are stored as notations within the keys themselves. This is only possible when you have access to keys with "certification" capability. As these are the most valuable of keys, they should also be handled more securely than signing keys and are therefore less prone to forgery of identity proofs.
## Social network and additional services
Keybase provides an additional social network, chat functionality, encrypted drive, encrypted git, XLM crypto wallet and much more.
Keyoxide has none of that. Just keys and proofs.
## Openness
Keyoxide is fully open-source. It consists mainly of a client component which is the browser. The supporting server functions are open-source as well.
Keybase has open-source clients but closed-source servers.
## Data safety
Keyoxide lets the user's devices do almost all of the heavy lifting, meaning no data is ever sent to a server to perform any of the actions. Only exceptions to this rule are a couple of "proxy scripts" for proofs that cannot be verified by a browser. These proxy scripts are open-source as well and inspectable by all.
Keybase servers are closed-source. One does not know what happens inside that black box.

43
guides/github.md Normal file
View file

@ -0,0 +1,43 @@
# Adding a Github proof
Let's add a decentralized Github proof to your OpenPGP keys.
[[toc]]
## Post a Github proof message
Log in to [github.com](https://github.com) and click on **New gist**.
Name the file **openpgp.md** and copy the following content into it (make sure to replace FINGERPRINT and USERNAME):
```
This is an OpenPGP proof that connects [my OpenPGP key](https://keyoxide.org/FINGERPRINT) to [this Github account](https://github.com/USERNAME). For details check out https://keyoxide.org/guides/openpgp-proofs
[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]
```
After creating a public gist, copy the link to the gist.
## Update the PGP key
First, edit the key (make sure to replace FINGERPRINT):
`gpg --edit-key FINGERPRINT`
Add a new notation:
`notation`
Enter the notation (make sure to update with the link to the post copied above):
`proof@metacode.biz=https://gist.github.com/USERNAME/12345678912345678912345678912345`
Save the key:
`save`
Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT):
`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT`
And you're done! Reload your profile page, it should now show a verified Github account.

41
guides/hackernews.md Normal file
View file

@ -0,0 +1,41 @@
# Adding a Hackernews proof
Let's add a decentralized Hackernews proof to your OpenPGP keys.
[[toc]]
## Update the Hackernews account
Log in to [Hackernews](https://news.ycombinator.com) and click on your **username**.
Add the following lines to your **about** (make sure to replace FINGERPRINT):
```
This is an OpenPGP proof that connects my OpenPGP key to this Hackernews account. For details check out https://keyoxide.org/guides/openpgp-proofs
[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]
```
## Update the PGP key
First, edit the key (make sure to replace FINGERPRINT):
`gpg --edit-key FINGERPRINT`
Add a new notation:
`notation`
Enter the notation (make sure to replace USERNAME):
`proof@metacode.biz=https://news.ycombinator.com/user?id=USERNAME`
Save the key:
`save`
Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT):
`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT`
And you're done! Reload your profile page, it should now show a verified Hackernews account.

39
guides/lobsters.md Normal file
View file

@ -0,0 +1,39 @@
# Adding a Lobste.rs proof
Let's add a decentralized Lobste.rs proof to your OpenPGP keys.
[[toc]]
## Update the Lobste.rs account
Log in to [Lobste.rs](https://lobste.rs) and append the following text to the **About** section (make sure to replace FINGERPRINT):
```
This is an OpenPGP proof that connects my OpenPGP key to this Lobste.rs account. For details check out https://keyoxide.org/guides/openpgp-proofs
[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]
```
## Update the PGP key
First, edit the key (make sure to replace FINGERPRINT):
`gpg --edit-key FINGERPRINT`
Add a new notation:
`notation`
Enter the notation (make sure to replace USERNAME):
`proof@metacode.biz=https://lobste.rs/u/USERNAME`
Save the key:
`save`
Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT):
`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT`
And you're done! Reload your profile page, it should now show a verified Lobste.rs account.

45
guides/managing-proofs-deleting.md Normal file
View file

@ -0,0 +1,45 @@
# Deleting Proofs using GnuPG
Over time, you may need to delete proofs. Changing proofs can be achieved by deleting proofs and adding new ones.
## Delete all proofs
First, edit the key (make sure to replace FINGERPRINT):
`gpg --edit-key FINGERPRINT`
Launch the notation prompt:
`notation`
Enter the 'none' notation to delete all notations:
`none`
Save the changes:
`save`
## Delete one of your proofs
First, edit the key (make sure to replace FINGERPRINT):
`gpg --edit-key FINGERPRINT`
Launch the notation prompt:
`notation`
Enter the **-** (minus) symbol followed by the proof you want to delete. Make sure you type the proof exactly like it is in your key.
`-proof@metacode.biz=dns:yourdomain.org?type=TXT`
_To make it easier to enter the right proof, you could first [list all proofs](managing-proofs-listing) and simply copy the proof (including "proof@metacode.biz=") you want to delete._
Save the changes:
`save`
Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT):
`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT`

29
guides/managing-proofs-listing.md Normal file
View file

@ -0,0 +1,29 @@
# Listing Proofs using GnuPG
Let's list the identity proofs stored in our OpenPGP keys.
## Listing notations in GnuPG
First, edit the key (make sure to replace FINGERPRINT):
`gpg --edit-key FINGERPRINT`
List detailed preferences:
`showpref`
You should now see your key details, uid, and proofs assigned to your keys:
```
[ultimate] (1). Your Name <your@email>
Cipher: AES256, AES192, AES, 3DES
Digest: SHA512, SHA384, SHA256, SHA1
Compression: ZLIB, BZIP2, ZIP, Uncompressed
Features: MDC, Keyserver no-modify
Notations: proof@metacode.biz=https://gist.github.com/youruser/somehash
proof@metacode.biz=dns:yourdomain.org?type=TXT</your@email>
```
Exit gpg:
`quit`

35
guides/mastodon.md Normal file
View file

@ -0,0 +1,35 @@
# Adding a Mastodon proof
Let's add a decentralized Mastodon proof to your OpenPGP keys.
[[toc]]
## Update the Mastodon account
Log in to your Mastodon instance and click on **Edit profile**.
Add a new item under **Profile metadata** with the label **OpenPGP** and your PGP fingerprint as the content.
## Update the PGP key
First, edit the key (make sure to replace FINGERPRINT):
`gpg --edit-key FINGERPRINT`
Add a new notation:
`notation`
Enter the notation (make sure to update the link):
`proof@metacode.biz=https://INSTANCE.ORG/@USERNAME`
Save the key:
`save`
Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT):
`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT`
And you're done! Reload your profile page, it should now show a verified Mastodon account.

25
guides/migrating-from-keybase.md Normal file
View file

@ -0,0 +1,25 @@
# Migrating from Keybase
Let's see how easy it is to get a Keyoxide profile when you already have a Keybase account.
[[toc]]
## Claim your Keyoxide profile
Go to the [profile URL generator](/util/profile-url), set Keybase as Source and follow the Keybase specific instructions. Has a profile URL been generated? Congratulations, you now have your very own Keyoxide profile!
## Actually migrating to Keyoxide
Unfortunately, you get very little control when using your Keybase key directly. You will need to generate your own PGP keypair (use guides like [this one](https://spin.atomicobject.com/2013/11/24/secure-gpg-keys-guide/) for help) to unlock the full potential of [distributed identity proofs](/guides/proofs).
Have you generated a keypair and made the public key accessible through [web key directory (WKD)](/guides/web-key-directory) or uploaded it to [keys.openpgp.org](https://keys.openpgp.org/)? Use the [profile URL generator](/util/profile-url) to get your own profile URL and [start adding identity proofs](/guides).
## Keyoxide as a partial replacement for Keybase
It's important to moderate expectations and state that [Keyoxide](/) only replaces the subset of Keybase features that are considered the "core" features: message encryption, signature verification and identity proofs.
Message decryption and signing are **not** supported features: they would require you to upload your secret key to a website which is a big **no-no**.
Encrypted chat and cloud storage are **not** supported features: there are plenty of dedicated alternative services.
If you need any of these Keybase-specific supports, [Keyoxide](/) may not be a full Keybase replacement for you but you could still generate a profile and take advantage of **distributed identity proofs**.

35
guides/openpgp-proofs.md Normal file
View file

@ -0,0 +1,35 @@
# How OpenPGP identity proofs work
[[toc]]
## Decentralized OpenPGP identity proofs
Decentralized OpenPGP identity proofs are the brainchild of Wiktor who wrote the original guide on [his website](https://metacode.biz/openpgp/proofs) (a suggested read to get first-hand information).
Unlike proofs provided by for example [Keybase](https://keybase.io), OpenPGP proofs are stored inside the PGP keys themselves instead of being mere signatures. Since this operation requires keys with "certify" capabilities and not simply "sign" capabilities, these OpenPGP proofs could be considered more secure.
## Example
* Alice and Bob have been talking for years on service A. Alice already has an account on service B. Bob wants to move to service B as well. A simple decentralized proof confirms that the person who is known as Alice on service A is also known as Alice on service B. Bob can safely move to service B and talk to Alice without having to meet in person to confirm their accounts.
* Alice has received a friend request from Bob29 on service C. Is this the same Bob from service A or not? A simple decentralized proof confirms that the person who is known as Bob on platform A is also known as Bob29 on service C. Turns out 28 Bobs were already using service C.
* Bob has been invited by an account named Alyce to create an account on an unknown server. Is this a legit request? A simple decentralized proof tells Bob that Alice does not have such an account. Bob knows something is up and does not click the link possibly sent by an imposter.
## What an OpenPGP proof looks like
Every OpenPGP identity proof is stored in the PGP key as a notation that looks like this:
`proof@metacode.biz=https://twitter.com/USERNAME/status/1234567891234567891`
This particular proof is for a Twitter account (read more in the [Twitter guide](/guides/twitter)). Let's analyse the notation:
* **proof** means the current notation is for an identity proof.
* **@metacode.biz** is the domain of the person who came up with OpenPGP proofs and serves as a namespace for the notation. The domain is included and used for all proofs to comply with the [OpenPGP Message Format standard (RFC 4880)](https://tools.ietf.org/html/rfc4880#section-5.2.3.16).
* **https://twitter.com/USERNAME/status/1234567891234567891** is the value of the notation. It is a link to the piece of online content that contains a pre-defined message which must always include the fingerprint of the PGP key that will hold the proof.
The proof should always link to a document that can be parsed as JSON to make the verification easy and feasible by the browser. Sometimes however, due to CORS restrictions or API requirements (as is the case for Twitter), no such link is provided by the platform. In these rare exceptional cases, the verification process is delegated to the Keyoxide server which will communicate directly with the platform's servers to get the content of the post.
## Your turn
If you'd like to add decentralized OpenPGP identity proofs to your key, go to the [guides](/guides) and find the right one for your platform of choice. You may find the process to be remarkably easy.
If your platform is not in the list of [guides](/guides), it's not supported yet. See the [contributing guide](/guides/contributing) for more information on how to get that platform supported.

41
guides/pixelfed.md Normal file
View file

@ -0,0 +1,41 @@
# Adding a Pixelfed proof
Let's add a decentralized Pixelfed proof to your OpenPGP keys.
[[toc]]
## Update the Pixelfed account
Log in to your Pixelfed instance and add the following lines to your **Bio** (make sure to replace FINGERPRINT):
```
This is an OpenPGP proof that connects my OpenPGP key to this Pixelfed account. For details check out https://keyoxide.org/guides/openpgp-proofs
[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]
```
## Update the PGP key
First, edit the key (make sure to replace FINGERPRINT):
`gpg --edit-key FINGERPRINT`
Add a new notation:
`notation`
Enter the notation (make sure to update the link):
`proof@metacode.biz=https://INSTANCE.ORG/users/USERNAME`
Please note that the **/users/** part of the URL is mandatory for the proof to work.
Save the key:
`save`
Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT):
`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT`
And you're done! Reload your profile page, it should now show a verified Fediverse account (Pixelfed is part of the [Fediverse](#https://en.wikipedia.org/wiki/Fediverse)).

41
guides/pleroma.md Normal file
View file

@ -0,0 +1,41 @@
# Adding a Pleroma proof
Let's add a decentralized Pleroma proof to your OpenPGP keys.
[[toc]]
## Update the Pleroma account
Log in to your Pleroma instance and add the following lines to your **Bio** (make sure to replace FINGERPRINT):
```
This is an OpenPGP proof that connects my OpenPGP key to this Pleroma account. For details check out https://keyoxide.org/guides/openpgp-proofs
[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]
```
## Update the PGP key
First, edit the key (make sure to replace FINGERPRINT):
`gpg --edit-key FINGERPRINT`
Add a new notation:
`notation`
Enter the notation (make sure to update the link):
`proof@metacode.biz=https://INSTANCE.ORG/users/USERNAME`
Please note that the **/users/** part of the URL is mandatory for the proof to work.
Save the key:
`save`
Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT):
`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT`
And you're done! Reload your profile page, it should now show a verified Fediverse account (Pleroma is part of the [Fediverse](#https://en.wikipedia.org/wiki/Fediverse)).

29
guides/proofs.md Normal file
View file

@ -0,0 +1,29 @@
# Verifying identity proofs
Let's see how to verify identity proofs.
[[toc]]
## Obtain a public key for verification
The idea is that anyone can add identity proofs of various platforms in their keys. Since this information is kept in the public key, you could take anyone's public key and check whether they indeed have control over the accounts they claim to.
If you already have a public key (or its fingerprint) with OpenPGP identity proofs you would like to use to verify, great! If not, you could use the following fingerprint:
`9f0048ac0b23301e1f77e994909f6bd6f80f485d`
## Verify proofs
Open the [keyoxide.org/proofs](/proofs) page and paste the fingerprint in the **Email / key id / fingerprint** field. Scroll down and press the **VERIFY PROOFS** button.
You now see a list of domains and/or accounts on platforms for which the owner of the public key claims to have an control over.
If the last link on a line says **proof**, the proof could not be verified for any number of reasons but Keyoxide still allows to check the supposed proof and decide for yourself whether you trust the claim. If the
If the last link on a line says **verified**, the owner of the public key indeed has shown beyond doubt that it has control over the domain or account.
## Your turn
If you'd like to add decentralized OpenPGP identity proofs to your key, go to the [guides](/guides) and find the right one for your platform of choice. You may find the process to be remarkably easy.
If your platform is not in the list of [guides](/guides), it's not supported yet. See the [contributing guide](/guides/contributing) for more information on how to get that platform supported.

41
guides/reddit.md Normal file
View file

@ -0,0 +1,41 @@
# Adding a Reddit proof
Let's add a decentralized Reddit proof to your OpenPGP keys.
[[toc]]
## Post a Reddit proof message
Log in to [www.reddit.com](https://www.reddit.com) and create a new post with the following text (make sure to replace FINGERPRINT):
```
This is an OpenPGP proof that connects my OpenPGP key to this Reddit account. For details check out https://keyoxide.org/guides/openpgp-proofs
[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]
```
After posting, copy the link to the post.
## Update the PGP key
First, edit the key (make sure to replace FINGERPRINT):
`gpg --edit-key FINGERPRINT`
Add a new notation:
`notation`
Enter the notation (make sure to update with the link to the post copied above):
`proof@metacode.biz=https://www.reddit.com/user/USERNAME/comments/123123/TITLE/`
Save the key:
`save`
Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT):
`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT`
And you're done! Reload your profile page, it should now show a verified Reddit account.

7
guides/self-hosting-keyoxide.md Normal file
View file

@ -0,0 +1,7 @@
# Self-hosting Keyoxide
Though it's not a fully supported use case yet, anyone can take the [source code](https://codeberg.org/keyoxide/web) and put it on their own server. The idea is that [Keyoxide.org](https://keyoxide.org) is not special in itself. After all, all the heavy lifting is done by the browser. So the role of any individual Keyoxide server is to get the tool in the hands of the end user.
The few supporting roles the server has can easily be performed by any other (PHP) server.
So if you like the project but perhaps are mistrusting of servers of others, especially when it comes to keypairs, here's the [source code](https://codeberg.org/keyoxide/web) and put it on your own server. Thanks for using the project!

13
guides/service-provider.md Normal file
View file

@ -0,0 +1,13 @@
# Are you a service provider?
If you have:
* a website that allows users to create accounts
* a messaging platform
* any other type of service that may require users to prove their online identity
Then you may be interested in supporting decentralized identity proofs as they allow your users to securely prove their identity across services. Take a look at this [example](guides/service-provider) to find out how two persons can gain more confidence in knowing they are talking to and interacting with the right person in an online world where impersonating is all too easy.
The internet could be a slightly safer place if your service allowed your users to prove their identity. All the service needs to do is make a JSON file available with basic details about the user and set the correct CORS headers.
The [documentation](https://github.com/wiktor-k/openpgp-proofs#for-service-providers) on what is precisely required is provided by the original creator of decentralized OpenPGP identity proofs.

41
guides/twitter.md Normal file
View file

@ -0,0 +1,41 @@
# Adding a Twitter proof
Let's add a decentralized Twitter proof to your OpenPGP keys.
[[toc]]
## Post a Twitter proof message
Log in to [twitter.com](https://twitter.com) and compose a new tweet with the following text (make sure to replace FINGERPRINT):
```
This is an OpenPGP proof that connects my OpenPGP key to this Twitter account. For details check out https://keyoxide.org/guides/openpgp-proofs
[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]
```
After posting, copy the link to the tweet.
## Update the PGP key
First, edit the key (make sure to replace FINGERPRINT):
`gpg --edit-key FINGERPRINT`
Add a new notation:
`notation`
Enter the notation (make sure to update with the link to the tweet copied above):
`proof@metacode.biz=https://twitter.com/USERNAME/status/1234567891234567891`
Save the key:
`save`
Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT):
`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT`
And you're done! Reload your profile page, it should now show a verified Twitter account.

63
guides/verify.md Normal file
View file

@ -0,0 +1,63 @@
# Verifying a signature
Let's see how to verify an OpenPGP signature.
[[toc]]
## Obtain a signature
If you already have a signature you would like to verify, great! If not, let's use the following signature for the guide:
```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
I like pineapple.
-----BEGIN PGP SIGNATURE-----
iQJDBAEBCAAtFiEEog/Pt4tEmnyVrrtlNzZ/SvQIetEFAl70mVUPHHlhcm1vQHlh
cm1vLmV1AAoJEDc2f0r0CHrRQXIP/08uza9zOtmZXv5K+uPGVzDKwkgPgZJEezX7
6iQ358f1pjSRvYfQ5aB13k2epUHoqCKArMYu1zPqxhvLvvAvp8uOHABnr9NGL3El
u7UUgaeUNHkr0gxCKEq3p81abrrbbWveP8OBP4RyxmaFx13Xcj7mfDluiBHmjVvv
WU09EdH9VPlJ7WfZ+2G2ZZDHuE5XiaeP7ocugTxXXLkp33zwpDX0+ZuCIXM6fQGe
OccSffglFPdNBnfasuuxDWxTQPsEbWGOPJV+CAPmBDeApX+TBF9bovO3hw4Uozk2
VT7EAy8Hb0SOrUb3UNGxzoKv++5676IxyB4JXX0Tr9O4ZxhO8o9pEEHwirtn/J1+
MWven4gVlWM/6bMeUqx6ydyNc2nqF5059yfRmwGMlp09x82G4x1bcf6aDZ+5njDG
fS5T2OpXRIkZHJx8BhmZjsxiDR0KV44zwHpt06+96ef3EDWB0BcP6M+a5Rtc33zf
irRmQd2M6RLyXCYtdGIiiAFRuomw802U4F0P4LwVrZdbGA6ObqBv1k8BUFCMbMz8
Ab4hF7kO4z0Vh3JaKzcHey0pOzdNCPpAHZ51sAoAnFDM4PdMBgQxxVweCMu4KYMZ
FN8sNn42oY/b7gDmwCelVhgD+rvUn/a8+B7CDmCp+wIquyrjrTt00voATcb+ZPMJ
pTXJ/NcM
=rqTX
-----END PGP SIGNATURE-----
```
Copy the above signature.
## Verify the signature
Open the [keyoxide.org/verify](/verify) page and paste the signature in the corresponding field. Scroll down and press the **VERIFY SIGNATURE** button.
Keyoxide lets you know the signature was verified and signed by a certain person.
## Verify the signature against a specific public key
Sometimes, you want to know if a specific person or public key was used to create a signature. In this case, let's figure out if the message was signed by Yarmo's public key or his friend Wiktor's public key.
Copy the following fingerprint:
`653909A2F0E37C106F5FAF546C8857E0D8E8F074`
Paste it in the **Email / key id / fingerprint** field under **Public Key (3: HKP server)** and press the big button again. It could not be verified. Guess it wasn't Wiktor who signed that message.
Now, copy the following fingerprint:
`9f0048ac0b23301e1f77e994909f6bd6f80f485d`
Paste it in the same field and press the big button again. It did verify! It was Yarmo all along.
## Going further
You could try using different mechanisms of fetching keys, such as **web key directory** or copy-pasting a plaintext public key.
If you'd like to sign messages using PGP, you must first learn the fundamentals of PGP and how to generate and handle your own keypair.

43
guides/web-key-directory.md Normal file
View file

@ -0,0 +1,43 @@
# Uploading keys using web key directory
[[toc]]
## Web key directory
[Web key directory](https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/) or WKD refers to the method of uploading one's public key to their website in a specific location to make it easily accessible by other services supporting WKD. The key will be discoverable using an identifier similar to an email address: **username@domain.org**.
The benefit of WKD is having full control over the key while still having it widely available. It does however require a domain and some form of file hosting. Luckily, [openpgp.org](https://keys.openpgp.org/about/usage#wkd-as-a-service) have made a WKD-as-a-service. Read more at the end of the guide.
It exists in two variants: the Direct setup and the Advanced setup. Despite their names, both require roughly the same steps.
## The Direct setup
To make your keys available via WKD using the Direct setup, you'll need two paths on your server:
**https://domain.org/.well-known/openpgpkey/policy**: this is an empty file
**https://domain.org/.well-known/openpgpkey/hu/LOCALPART**: this is the binary public key (so NOT ASCII armored)
The LOCALPART above is actually the username hashed using the SHA-1 algorithm and encoded using the Z-Base-32 method. As it's not humanly possible to compute this by ourselves, Keyoxide provides a [small utility to do this for you](/util/wkd).
So if you wish to make your key available as **jimothy@dm.com**, according to the [small utility](/util/wkd), the URL would become:
`https://dm.com/.well-known/openpgpkey/hu/n9utc41qty791upt63rm5xtiudabmw6m`
## The Advanced setup
While not necessary if the Direct setup works, there is a second setup to make WKD work: the Advanced setup. The paths needed are:
**https://openpgpkey.domain.org/.well-known/openpgpkey/domain.org/policy**: this is an empty file
**https://openpgpkey.domain.org/.well-known/openpgpkey/domain.org/hu/LOCALPART**: this is the binary public key (so NOT ASCII armored)
Indeed, quite similar to the Direct setup, except for the **openpgpkey** subdomain and the additional **domain.org** in the path of the public key.
The public key for **jimothy@dm.com** would be available at:
`https://openpgpkey.dm.com/.well-known/openpgpkey/hu/dm.com/n9utc41qty791upt63rm5xtiudabmw6m`
## WKD-as-a-service
In case hosting is problem, Openpgp.org has a handy [WKD-as-a-service](https://keys.openpgp.org/about/usage#wkd-as-a-service).

55
guides/xmpp.md Normal file
View file

@ -0,0 +1,55 @@
# Adding a XMPP proof
Let's add a decentralized XMPP proof to your OpenPGP keys.
[[toc]]
### Add a message to your XMPP vCard
Using a XMPP client that supports editing the vCard (such as [Dino](https://dino.im/) and [Gajim](https://gajim.org/)), append the following message to the **About** section (make sure to replace FINGERPRINT):
```
This is an OpenPGP proof that connects my OpenPGP key to this XMPP account. For details check out https://keyoxide.org/guides/openpgp-proofs
[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]
```
### Update the PGP key (basic edition)
First, edit the key (make sure to replace FINGERPRINT):
`gpg --edit-key FINGERPRINT`
Add a new notation:
`notation`
Enter the notation (make sure to replace XMPP-ID):
`proof@metacode.biz=xmpp:XMPP-ID`
The XMPP-ID looks something like an email address: **user@domain.org**.
Save the key:
`save`
Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT):
`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT`
And you're done! Reload your profile page, it should now show a XMPP account.
### Update the PGP key (OMEMO edition)
XMPP communication can be end-to-end encrypted with [OMEMO](https://conversations.im/omemo/). Verifying OMEMO fingerprints is essential to trust your communication and keep it safe from Man-in-the-Middle attacks.
**Keyoxide** makes the fingerprint verification process easy for all. Add a special identity proof that not only contains your XMPP-ID but also the fingerprints of all your OMEMO keys.
If your XMPP identity proof is verified, a QR code is shown. Anyone can scan this QR code using XMPP apps like [Conversations](https://conversations.im/) (free on [F-Droid](https://f-droid.org/en/packages/eu.siacs.conversations/)) to not only add you as a contact, but also verify your OMEMO keys with the highest level of trust.
Making this identity proof yourself can be a tad difficult when using clients like Gajim, but luckily for us, [Conversations](https://conversations.im/) can directly generate the proof by going to **Account details > Share > Share as XMPP URI**. The resulting URI should look something like:
`xmpp:user@domain.org?omemo-sid-123456789=A1B2C3D4E5F6G7H8I9...`
To take advantage of the easy and secure XMPP identity proof including OMEMO fingerprints, follow the **basic edition** guide above but replace XMPP-ID with the URI obtained through the **Conversations** app.

51
views/guides/contributing.content.php
View file

@ -1,51 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Keyoxide is more than this website. It's a project that aims to make cryptography more accessible to everyone. Keyoxide is part of a larger community of people working hard to develop tools that add privacy and security to our digital online lives. Remember: privacy is not a luxury.</p>
<h3>As a developer</h3>
<p>As Keyoxide is an open-source project licensed under the permissive <a href="https://codeberg.org/keyoxide/web/src/branch/main/LICENSE">MIT License</a>, everyone is welcome and encouraged to contribute. This can be done in various forms:</p>
<ul>
<li><a href="https://codeberg.org/keyoxide/web/issues">Open an issue</a> to request changes, new features or simply get help.</li>
<li><a href="https://codeberg.org/keyoxide/web/pulls">Open a PR</a> to directly integrate your own changes and new features.</li>
</ul>
<h3>Not a developer?</h3>
<p>Not a developer? Not a problem? You could:</p>
<ul>
<li>Learn more about the importance of online privacy and security and advocate for it (much needed!)</li>
<li>Write guides for others and help each other out.</li>
<li>Start using decentralized OpenPGP identity keys.</li>
<li>Spread the word about Keyoxide and OpenPGP keys in general.</li>
<li>Talk to persons you know using siloed or closed-source alternatives to Keyoxide.</li>
</ul>

30
views/guides/contributing.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Contributing to Keyoxide

58
views/guides/devto.content.php
View file

@ -1,58 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Let's add a decentralized dev.to proof to your OpenPGP keys.</p>
<h3>Post a dev.to proof message</h3>
<p>Log in to <a href="https://dev.to">dev.to</a> and create a new post with the following text (make sure to replace FINGERPRINT and USERNAME):</p>
<code>This is an OpenPGP proof that connects [my OpenPGP key](https://keyoxide.org/FINGERPRINT) to [this dev.to account](https://dev.to/USERNAME).
For details check out https://keyoxide.org/guides/openpgp-proofs
<br><br>[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]</code>
<p>After posting, copy the link to the post.</p>
<h3>Update the PGP key</h3>
<p>First, edit the key (make sure to replace FINGERPRINT):</p>
<code>gpg --edit-key FINGERPRINT</code>
<p>Add a new notation:</p>
<code>notation</code>
<p>Enter the notation (make sure to update with the link to the post copied above):</p>
<code>proof@metacode.biz=https://dev.to/USERNAME/POST_TITLE</code>
<p>Save the key:</p>
<code>save</code>
<p>Upload the key to WKD or use the following command to upload the key to <a href="https://keys.openpgp.org">keys.openpgp.org</a> (make sure to replace FINGERPRINT):</p>
<code>gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT</code>
<p>And you're done! Reload your profile page, it should now show a verified dev.to account.</p>

30
views/guides/devto.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Adding a dev.to proof

58
views/guides/discourse.content.php
View file

@ -1,58 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Let's add a decentralized Discourse proof to your OpenPGP keys.</p>
<h3>Update the Discourse account</h3>
<p>Log in to the discourse instance website and add the following text to your <strong>About me</strong> (make sure to replace FINGERPRINT):</p>
<code>This is an OpenPGP proof that connects my OpenPGP key to this Discourse account.
For details check out https://keyoxide.org/guides/openpgp-proofs
<br><br>[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]</code>
<p>After posting, copy the link to your profile page (it should end with your <strong>/u/USERNAME</strong>).</p>
<h3>Update the PGP key</h3>
<p>First, edit the key (make sure to replace FINGERPRINT):</p>
<code>gpg --edit-key FINGERPRINT</code>
<p>Add a new notation:</p>
<code>notation</code>
<p>Enter the notation (make sure to replace PROFILE_URL with the link to the profile copied above):</p>
<code>proof@metacode.biz=PROFILE_URL</code>
<p>Save the key:</p>
<code>save</code>
<p>Upload the key to WKD or use the following command to upload the key to <a href="https://keys.openpgp.org">keys.openpgp.org</a> (make sure to replace FINGERPRINT):</p>
<code>gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT</code>
<p>And you're done! Reload your profile page, it should now show a verified Discourse account.</p>

30
views/guides/discourse.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Adding a Discourse proof

56
views/guides/dns.content.php
View file

@ -1,56 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Let's add a decentralized DNS proof to your OpenPGP keys.</p>
<h3>Update DNS records for your website</h3>
<p>Add the following TXT record to the DNS records of the (sub)domain you want to prove control over (make sure to replace FINGERPRINT):</p>
<code>openpgp4fpr:FINGERPRINT</code>
<p>No specific TTL value is required.</p>
<h3>Update the PGP key</h3>
<p>First, edit the key (make sure to replace FINGERPRINT):</p>
<code>gpg --edit-key FINGERPRINT</code>
<p>Add a new notation:</p>
<code>notation</code>
<p>Enter the notation (make sure to replace DOMAIN, don't include https://):</p>
<code>proof@metacode.biz=dns:DOMAIN?type=TXT</code>
<p>Save the key:</p>
<code>save</code>
<p>Upload the key to WKD or use the following command to upload the key to <a href="https://keys.openpgp.org">keys.openpgp.org</a> (make sure to replace FINGERPRINT):</p>
<code>gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT</code>
<p>And you're done! Reload your profile page, it should now show a verified domain.</p>

30
views/guides/dns.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Adding a DNS proof

49
views/guides/encrypt.content.php
View file

@ -1,49 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Let's see how to encrypt a message.</p>
<h3>Obtain a public key for encryption</h3>
<p>The idea is that you use someone's public key to encrypt a message. From then on, the message cannot be decrypted and read by anyone but the person possessing the private keys associated with the public key (they'll have the same fingerprint).</p>
<p>If you already have a public key (or its fingerprint) you would like to use to encrypt a message, great! If not, you could use the following fingerprint:</p>
<code>9f0048ac0b23301e1f77e994909f6bd6f80f485d</code>
<h3>Encrypt a message</h3>
<p>Open the <a href="/encrypt" target="_blank">keyoxide.org/encrypt</a> page and paste the fingerprint in the <strong>Email / key id / fingerprint</strong> field.</p>
<p>Write a message in the <strong>Message</strong> field. Scroll down and press the <strong>ENCRYPT MESSAGE</strong> button.</p>
<p>You have successfully encrypted the message! The encrypted message in the <strong>Message</strong> field can safely be sent via unsecured communication channels knowing that only the person possessing the private key associated with that fingerprint can read it.</p>
<h3>Going further</h3>
<p>You could try using different mechanisms of fetching keys, such as <strong>web key directory</strong> or copy-pasting a plaintext public key.</p>
<p>If you'd like to receive PGP encrypted messages, you must first learn the fundamentals of PGP and how to generate and handle your own keypair.</p>

30
views/guides/encrypt.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Encrypting a message

62
views/guides/feature-comparison-keybase.content.php
View file

@ -1,62 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Let's see how Keyoxide's features compare to those of Keybase.</p>
<h3>Encrypt and verify</h3>
<p>Both Keyoxide and Keybase allow easy encryption of data and verification of signatures. While Keybase can only perform these actions for their users who uploaded at least a public key to their servers, Keyoxide can do this for any key on the internet, whether it's available through web key directory, dedicated key servers or simply copy-pasting a plaintext key.</p>
<h3>Decrypt and sign</h3>
<p>Keyoxide cannot decrypt data or sign messages.</p>
<p>Keybase can do both of those things but this should NOT be considered a feature. It requires one to upload their private key to closed-source servers which is an act in stark contradiction with all safety precautions any owner of a private key should aim to heed.</p>
<h3>Online identity proofs</h3>
<p>Both Keyoxide and Keybase allow the user to generate proofs of online identity on various platforms. The difference lies in the method of generation and the implications this has on security.</p>
<p>Keybase generates a signed message to be posted by the to-be-verified account. Since this involves a signature, any signing key can be used. If a signing key gets misappropriated, it becomes easy for a bad actor to create fake identity proofs.</p>
<p>Keyoxide uses decentralized OpenPGP proofs in which the identity proofs are stored as notations within the keys themselves. This is only possible when you have access to keys with "certification" capability. As these are the most valuable of keys, they should also be handled more securely than signing keys and are therefore less prone to forgery of identity proofs.</p>
<h3>Social network and additional services</h3>
<p>Keybase provides an additional social network, chat functionality, encrypted drive, encrypted git, XLM crypto wallet and much more.</p>
<p>Keyoxide has none of that. Just keys and proofs.</p>
<h3>Openness</h3>
<p>Keyoxide is fully open-source. It consists mainly of a client component which is the browser. The supporting server functions are open-source as well.</p>
<p>Keybase has open-source clients but closed-source servers.</p>
<h3>Data safety</h3>
<p>Keyoxide lets the user's devices do almost all of the heavy lifting, meaning no data is ever sent to a server to perform any of the actions. Only exceptions to this rule are a couple of "proxy scripts" for proofs that cannot be verified by a browser. These proxy scripts are open-source as well and inspectable by all.</p>
<p>Keybase servers are closed-source. One does not know what happens inside that black box.</p>

30
views/guides/feature-comparison-keybase.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Feature comparison with Keybase

60
views/guides/github.content.php
View file

@ -1,60 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Let's add a decentralized Github proof to your OpenPGP keys.</p>
<h3>Post a Github proof message</h3>
<p>Log in to <a href="https://github.com">github.com</a> and click on <strong>New gist</strong>.</p>
<p>Name the file <strong>openpgp.md</strong> and copy the following content into it (make sure to replace FINGERPRINT and USERNAME):</p>
<code>This is an OpenPGP proof that connects [my OpenPGP key](https://keyoxide.org/FINGERPRINT) to [this Github account](https://github.com/USERNAME).
For details check out https://keyoxide.org/guides/openpgp-proofs
<br><br>[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]</code>
<p>After creating a public gist, copy the link to the gist.</p>
<h3>Update the PGP key</h3>
<p>First, edit the key (make sure to replace FINGERPRINT):</p>
<code>gpg --edit-key FINGERPRINT</code>
<p>Add a new notation:</p>
<code>notation</code>
<p>Enter the notation (make sure to update with the link to the post copied above):</p>
<code>proof@metacode.biz=https://gist.github.com/USERNAME/12345678912345678912345678912345</code>
<p>Save the key:</p>
<code>save</code>
<p>Upload the key to WKD or use the following command to upload the key to <a href="https://keys.openpgp.org">keys.openpgp.org</a> (make sure to replace FINGERPRINT):</p>
<code>gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT</code>
<p>And you're done! Reload your profile page, it should now show a verified Github account.</p>

30
views/guides/github.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Adding a Github proof

58
views/guides/hackernews.content.php
View file

@ -1,58 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Let's add a decentralized Hackernews proof to your OpenPGP keys.</p>
<h3>Update the Hackernews account</h3>
<p>Log in to <a href="https://news.ycombinator.com">Hackernews</a> and click on your <strong>username</strong>.</p>
<p>Add the following lines to your <strong>about</strong> (make sure to replace FINGERPRINT):</p>
<code>This is an OpenPGP proof that connects my OpenPGP key to this Hackernews account.
For details check out https://keyoxide.org/guides/openpgp-proofs
<br><br>[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]</code>
<h3>Update the PGP key</h3>
<p>First, edit the key (make sure to replace FINGERPRINT):</p>
<code>gpg --edit-key FINGERPRINT</code>
<p>Add a new notation:</p>
<code>notation</code>
<p>Enter the notation (make sure to replace USERNAME):</p>
<code>proof@metacode.biz=https://news.ycombinator.com/user?id=USERNAME</code>
<p>Save the key:</p>
<code>save</code>
<p>Upload the key to WKD or use the following command to upload the key to <a href="https://keys.openpgp.org">keys.openpgp.org</a> (make sure to replace FINGERPRINT):</p>
<code>gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT</code>
<p>And you're done! Reload your profile page, it should now show a verified Hackernews account.</p>

30
views/guides/hackernews.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Adding a Hackernews proof

56
views/guides/lobsters.content.php
View file

@ -1,56 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Let's add a decentralized Lobste.rs proof to your OpenPGP keys.</p>
<h3>Update the Lobste.rs account</h3>
<p>Log in to <a href="https://lobste.rs">Lobste.rs</a> and append the following text to the <strong>About</strong> section (make sure to replace FINGERPRINT):</p>
<code>This is an OpenPGP proof that connects my OpenPGP key to this Lobste.rs account.
For details check out https://keyoxide.org/guides/openpgp-proofs
<br><br>[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]</code>
<h3>Update the PGP key</h3>
<p>First, edit the key (make sure to replace FINGERPRINT):</p>
<code>gpg --edit-key FINGERPRINT</code>
<p>Add a new notation:</p>
<code>notation</code>
<p>Enter the notation (make sure to replace USERNAME):</p>
<code>proof@metacode.biz=https://lobste.rs/u/USERNAME</code>
<p>Save the key:</p>
<code>save</code>
<p>Upload the key to WKD or use the following command to upload the key to <a href="https://keys.openpgp.org">keys.openpgp.org</a> (make sure to replace FINGERPRINT):</p>
<code>gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT</code>
<p>And you're done! Reload your profile page, it should now show a verified Lobste.rs account.</p>

30
views/guides/lobsters.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Adding a Lobste.rs proof

63
views/guides/managing-proofs-deleting.content.php
View file

@ -1,63 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Over time, you may need to delete proofs. Changing proofs can be achieved by deleting proofs and adding new ones.</p>
<h3>Delete all proofs</h3>
<p>First, edit the key (make sure to replace FINGERPRINT):</p>
<code>gpg --edit-key FINGERPRINT</code>
<p>Launch the notation prompt:</p>
<code>notation</code>
<p>Enter the 'none' notation to delete all notations:</p>
<code>none</code>
<p>Save the changes:</p>
<code>save</code>
<h3>Delete one of your proofs</h3>
<p>First, edit the key (make sure to replace FINGERPRINT):</p>
<code>gpg --edit-key FINGERPRINT</code>
<p>Launch the notation prompt:</p>
<code>notation</code>
<p>Enter the <b>-</b> (minus) symbol followed by the proof you want to delete. Make sure you type the proof exactly like it is in your key.</p>
<code>-proof@metacode.biz=dns:yourdomain.org?type=TXT</code>
<p><i>To make it easier to enter the right proof, you could first <a href="managing-proofs-listing">list all proofs</a> and simply copy the proof (including "proof@metacode.biz=") you want to delete.</i></p>
<p>Save the changes:</p>
<code>save</code>
<p>Upload the key to WKD or use the following command to upload the key to <a href="https://keys.openpgp.org">keys.openpgp.org</a> (make sure to replace FINGERPRINT):</p>
<code>gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT</code>

30
views/guides/managing-proofs-deleting.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Deleting Proofs using GnuPG

52
views/guides/managing-proofs-listing.content.php
View file

@ -1,52 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Let's list the identity proofs stored in our OpenPGP keys.</p>
<h3>Listing notations in GnuPG</h3>
<p>First, edit the key (make sure to replace FINGERPRINT):</p>
<code>gpg --edit-key FINGERPRINT</code>
<p>List detailed preferences:</p>
<code>showpref</code>
<p>You should now see your key details, uid, and proofs assigned to your keys:</p>
<code>
[ultimate] (1). Your Name <your@email>
Cipher: AES256, AES192, AES, 3DES
Digest: SHA512, SHA384, SHA256, SHA1
Compression: ZLIB, BZIP2, ZIP, Uncompressed
Features: MDC, Keyserver no-modify
Notations: proof@metacode.biz=https://gist.github.com/youruser/somehash
proof@metacode.biz=dns:yourdomain.org?type=TXT
</code>
<p>Exit gpg:</p>
<code>quit</code>

30
views/guides/managing-proofs-listing.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Listing Proofs using GnuPG

54
views/guides/mastodon.content.php
View file

@ -1,54 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Let's add a decentralized Mastodon proof to your OpenPGP keys.</p>
<h3>Update the Mastodon account</h3>
<p>Log in to your Mastodon instance and click on <strong>Edit profile</strong>.</p>
<p>Add a new item under <strong>Profile metadata</strong> with the label <strong>OpenPGP</strong> and your PGP fingerprint as the content.</p>
<h3>Update the PGP key</h3>
<p>First, edit the key (make sure to replace FINGERPRINT):</p>
<code>gpg --edit-key FINGERPRINT</code>
<p>Add a new notation:</p>
<code>notation</code>
<p>Enter the notation (make sure to update the link):</p>
<code>proof@metacode.biz=https://INSTANCE.ORG/@USERNAME</code>
<p>Save the key:</p>
<code>save</code>
<p>Upload the key to WKD or use the following command to upload the key to <a href="https://keys.openpgp.org">keys.openpgp.org</a> (make sure to replace FINGERPRINT):</p>
<code>gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT</code>
<p>And you're done! Reload your profile page, it should now show a verified Mastodon account.</p>

30
views/guides/mastodon.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Adding a Mastodon proof

50
views/guides/migrating-from-keybase.content.php
View file

@ -1,50 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Let's see how easy it is to get a Keyoxide profile when you already have a Keybase account.</p>
<h3>Claim your Keyoxide profile</h3>
<p>Go to the <a href="/util/profile-url">profile URL generator</a>, set Keybase as Source and follow the Keybase specific instructions. Has a profile URL been generated? Congratulations, you now have your very own Keyoxide profile!</p>
<h3>Actually migrating to Keyoxide</h3>
<p>Unfortunately, you get very little control when using your Keybase key directly. You will need to generate your own PGP keypair (use guides like <a href="https://spin.atomicobject.com/2013/11/24/secure-gpg-keys-guide/">this one</a> for help) to unlock the full potential of <a href="/guides/proofs">distributed identity proofs</a>.</p>
<p>Have you generated a keypair and made the public key accessible through <a href="/guides/web-key-directory">web key directory (WKD)</a> or uploaded it to <a href="https://keys.openpgp.org/">keys.openpgp.org</a>? Use the <a href="/util/profile-url">profile URL generator</a> to get your own profile URL and <a href="/guides">start adding identity proofs</a>.</p>
<h3>Keyoxide as a partial replacement for Keybase</h3>
<p>It's important to moderate expectations and state that <a href="/">Keyoxide</a> only replaces the subset of Keybase features that are considered the "core" features: message encryption, signature verification and identity proofs.</p>
<p>Message decryption and signing are <strong>not</strong> supported features: they would require you to upload your secret key to a website which is a big <strong>no-no</strong>.</p>
<p>Encrypted chat and cloud storage are <strong>not</strong> supported features: there are plenty of dedicated alternative services.</p>
<p>If you need any of these Keybase-specific supports, <a href="/">Keyoxide</a> may not be a full Keybase replacement for you but you could still generate a profile and take advantage of <strong>distributed identity proofs</strong>.</p>

30
views/guides/migrating-from-keybase.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Migrating from Keybase

63
views/guides/openpgp-proofs.content.php
View file

@ -1,63 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<h3>Decentralized OpenPGP identity proofs</h3>
<p>Decentralized OpenPGP identity proofs are the brainchild of Wiktor who wrote the original guide on <a href="https://metacode.biz/openpgp/proofs">his website</a> (a suggested read to get first-hand information).</p>
<p>Unlike proofs provided by for example <a href="https://keybase.io">Keybase</a>, OpenPGP proofs are stored inside the PGP keys themselves instead of being mere signatures. Since this operation requires keys with "certify" capabilities and not simply "sign" capabilities, these OpenPGP proofs could be considered more secure.</p>
<h3>Example</h3>
<ul>
<li>Alice and Bob have been talking for years on service A. Alice already has an account on service B. Bob wants to move to service B as well. A simple decentralized proof confirms that the person who is known as Alice on service A is also known as Alice on service B. Bob can safely move to service B and talk to Alice without having to meet in person to confirm their accounts.</li>
<li>Alice has received a friend request from Bob29 on service C. Is this the same Bob from service A or not? A simple decentralized proof confirms that the person who is known as Bob on platform A is also known as Bob29 on service C. Turns out 28 Bobs were already using service C.</li>
<li>Bob has been invited by an account named Alyce to create an account on an unknown server. Is this a legit request? A simple decentralized proof tells Bob that Alice does not have such an account. Bob knows something is up and does not click the link possibly sent by an imposter.</li>
</ul>
<h3>What an OpenPGP proof looks like</h3>
<p>Every OpenPGP identity proof is stored in the PGP key as a notation that looks like this:</p>
<code>proof@metacode.biz=https://twitter.com/USERNAME/status/1234567891234567891</code>
<p>This particular proof is for a Twitter account (read more in the <a href="/guides/twitter">Twitter guide</a>). Let's analyse the notation:</p>
<ul>
<li><strong>proof</strong> means the current notation is for an identity proof.</li>
<li><strong>@metacode.biz</strong> is the domain of the person who came up with OpenPGP proofs and serves as a namespace for the notation. The domain is included and used for all proofs to comply with the <a href="https://tools.ietf.org/html/rfc4880#section-5.2.3.16">OpenPGP Message Format standard (RFC 4880)</a>.</li>
<li><strong>https://twitter.com/USERNAME/status/1234567891234567891</strong> is the value of the notation. It is a link to the piece of online content that contains a pre-defined message which must always include the fingerprint of the PGP key that will hold the proof.</li>
</ul>
<p>The proof should always link to a document that can be parsed as JSON to make the verification easy and feasible by the browser. Sometimes however, due to CORS restrictions or API requirements (as is the case for Twitter), no such link is provided by the platform. In these rare exceptional cases, the verification process is delegated to the Keyoxide server which will communicate directly with the platform's servers to get the content of the post.</p>
<h3>Your turn</h3>
<p>If you'd like to add decentralized OpenPGP identity proofs to your key, go to the <a href="/guides">guides</a> and find the right one for your platform of choice. You may find the process to be remarkably easy.</p>
<p>If your platform is not in the list of <a href="/guides">guides</a>, it's not supported yet. See the <a href="/guides/contributing">contributing guide</a> for more information on how to get that platform supported.</p>

30
views/guides/openpgp-proofs.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
How OpenPGP identity proofs work

58
views/guides/pixelfed.content.php
View file

@ -1,58 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Let's add a decentralized Pixelfed proof to your OpenPGP keys.</p>
<h3>Update the Pixelfed account</h3>
<p>Log in to your Pixelfed instance and add the following lines to your <strong>Bio</strong> (make sure to replace FINGERPRINT):</p>
<code>This is an OpenPGP proof that connects my OpenPGP key to this Pixelfed account.
For details check out https://keyoxide.org/guides/openpgp-proofs
<br><br>[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]</code>
<h3>Update the PGP key</h3>
<p>First, edit the key (make sure to replace FINGERPRINT):</p>
<code>gpg --edit-key FINGERPRINT</code>
<p>Add a new notation:</p>
<code>notation</code>
<p>Enter the notation (make sure to update the link):</p>
<code>proof@metacode.biz=https://INSTANCE.ORG/users/USERNAME</code>
<p>Please note that the <strong>/users/</strong> part of the URL is mandatory for the proof to work.</p>
<p>Save the key:</p>
<code>save</code>
<p>Upload the key to WKD or use the following command to upload the key to <a href="https://keys.openpgp.org">keys.openpgp.org</a> (make sure to replace FINGERPRINT):</p>
<code>gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT</code>
<p>And you're done! Reload your profile page, it should now show a verified Fediverse account (Pixelfed is part of the <a href="#https://en.wikipedia.org/wiki/Fediverse">Fediverse</a>).</p>

30
views/guides/pixelfed.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Adding a Pixelfed proof

58
views/guides/pleroma.content.php
View file

@ -1,58 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Let's add a decentralized Pleroma proof to your OpenPGP keys.</p>
<h3>Update the Pleroma account</h3>
<p>Log in to your Pleroma instance and add the following lines to your <strong>Bio</strong> (make sure to replace FINGERPRINT):</p>
<code>This is an OpenPGP proof that connects my OpenPGP key to this Pleroma account.
For details check out https://keyoxide.org/guides/openpgp-proofs
<br><br>[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]</code>
<h3>Update the PGP key</h3>
<p>First, edit the key (make sure to replace FINGERPRINT):</p>
<code>gpg --edit-key FINGERPRINT</code>
<p>Add a new notation:</p>
<code>notation</code>
<p>Enter the notation (make sure to update the link):</p>
<code>proof@metacode.biz=https://INSTANCE.ORG/users/USERNAME</code>
<p>Please note that the <strong>/users/</strong> part of the URL is mandatory for the proof to work.</p>
<p>Save the key:</p>
<code>save</code>
<p>Upload the key to WKD or use the following command to upload the key to <a href="https://keys.openpgp.org">keys.openpgp.org</a> (make sure to replace FINGERPRINT):</p>
<code>gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT</code>
<p>And you're done! Reload your profile page, it should now show a verified Fediverse account (Pleroma is part of the <a href="#https://en.wikipedia.org/wiki/Fediverse">Fediverse</a>).</p>

30
views/guides/pleroma.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Adding a Pleroma proof

50
views/guides/proofs.content.php
View file

@ -1,50 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Let's see how to verify identity proofs.</p>
<h3>Obtain a public key for verification</h3>
<p>The idea is that anyone can add identity proofs of various platforms in their keys. Since this information is kept in the public key, you could take anyone's public key and check whether they indeed have control over the accounts they claim to.</p>
<p>If you already have a public key (or its fingerprint) with OpenPGP identity proofs you would like to use to verify, great! If not, you could use the following fingerprint:</p>
<code>9f0048ac0b23301e1f77e994909f6bd6f80f485d</code>
<h3>Verify proofs</h3>
<p>Open the <a href="/proofs" target="_blank">keyoxide.org/proofs</a> page and paste the fingerprint in the <strong>Email / key id / fingerprint</strong> field. Scroll down and press the <strong>VERIFY PROOFS</strong> button.</p>
<p>You now see a list of domains and/or accounts on platforms for which the owner of the public key claims to have an control over.</p>
<p>If the last link on a line says <strong>proof</strong>, the proof could not be verified for any number of reasons but Keyoxide still allows to check the supposed proof and decide for yourself whether you trust the claim. If the </p>
<p>If the last link on a line says <strong>verified</strong>, the owner of the public key indeed has shown beyond doubt that it has control over the domain or account.</p>
<h3>Your turn</h3>
<p>If you'd like to add decentralized OpenPGP identity proofs to your key, go to the <a href="/guides">guides</a> and find the right one for your platform of choice. You may find the process to be remarkably easy.</p>
<p>If your platform is not in the list of <a href="/guides">guides</a>, it's not supported yet. See the <a href="/guides/contributing">contributing guide</a> for more information on how to get that platform supported.</p>

30
views/guides/proofs.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Verifying identity proofs

58
views/guides/reddit.content.php
View file

@ -1,58 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Let's add a decentralized Reddit proof to your OpenPGP keys.</p>
<h3>Post a Reddit proof message</h3>
<p>Log in to <a href="https://www.reddit.com">www.reddit.com</a> and create a new post with the following text (make sure to replace FINGERPRINT):</p>
<code>This is an OpenPGP proof that connects my OpenPGP key to this Reddit account.
For details check out https://keyoxide.org/guides/openpgp-proofs
<br><br>[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]</code>
<p>After posting, copy the link to the post.</p>
<h3>Update the PGP key</h3>
<p>First, edit the key (make sure to replace FINGERPRINT):</p>
<code>gpg --edit-key FINGERPRINT</code>
<p>Add a new notation:</p>
<code>notation</code>
<p>Enter the notation (make sure to update with the link to the post copied above):</p>
<code>proof@metacode.biz=https://www.reddit.com/user/USERNAME/comments/123123/TITLE/</code>
<p>Save the key:</p>
<code>save</code>
<p>Upload the key to WKD or use the following command to upload the key to <a href="https://keys.openpgp.org">keys.openpgp.org</a> (make sure to replace FINGERPRINT):</p>
<code>gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT</code>
<p>And you're done! Reload your profile page, it should now show a verified Reddit account.</p>

30
views/guides/reddit.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Adding a Reddit proof

34
views/guides/self-hosting-keyoxide.content.php
View file

@ -1,34 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Though it's not a fully supported use case yet, anyone can take the <a href="https://codeberg.org/keyoxide/web">source code</a> and put it on their own server. The idea is that <a href="https://keyoxide.org">Keyoxide.org</a> is not special in itself. After all, all the heavy lifting is done by the browser. So the role of any individual Keyoxide server is to get the tool in the hands of the end user.</p>
<p>The few supporting roles the server has can easily be performed by any other (PHP) server.</p>
<p>So if you like the project but perhaps are mistrusting of servers of others, especially when it comes to keypairs, here's the <a href="https://codeberg.org/keyoxide/web">source code</a> and put it on your own server. Thanks for using the project!</p>

30
views/guides/self-hosting-keyoxide.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Self-hosting Keyoxide

42
views/guides/service-provider.content.php
View file

@ -1,42 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>If you have:</p>
<ul>
<li>a website that allows users to create accounts</li>
<li>a messaging platform</li>
<li>any other type of service that may require users to prove their online identity</li>
</ul>
<p>Then you may be interested in supporting decentralized identity proofs as they allow your users to securely prove their identity across services. Take a look at this [example](guides/service-provider) to find out how two persons can gain more confidence in knowing they are talking to and interacting with the right person in an online world where impersonating is all too easy.</p>
<p>The internet could be a slightly safer place if your service allowed your users to prove their identity. All the service needs to do is make a JSON file available with basic details about the user and set the correct CORS headers.</p>
<p>The <a href="https://github.com/wiktor-k/openpgp-proofs#for-service-providers">documentation</a> on what is precisely required is provided by the original creator of decentralized OpenPGP identity proofs.</p>

30
views/guides/service-provider.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Are you a service provider?

58
views/guides/twitter.content.php
View file

@ -1,58 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Let's add a decentralized Twitter proof to your OpenPGP keys.</p>
<h3>Post a Twitter proof message</h3>
<p>Log in to <a href="https://twitter.com">twitter.com</a> and compose a new tweet with the following text (make sure to replace FINGERPRINT):</p>
<code>This is an OpenPGP proof that connects my OpenPGP key to this Twitter account.
For details check out https://keyoxide.org/guides/openpgp-proofs
<br><br>[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]</code>
<p>After posting, copy the link to the tweet.</p>
<h3>Update the PGP key</h3>
<p>First, edit the key (make sure to replace FINGERPRINT):</p>
<code>gpg --edit-key FINGERPRINT</code>
<p>Add a new notation:</p>
<code>notation</code>
<p>Enter the notation (make sure to update with the link to the tweet copied above):</p>
<code>proof@metacode.biz=https://twitter.com/USERNAME/status/1234567891234567891</code>
<p>Save the key:</p>
<code>save</code>
<p>Upload the key to WKD or use the following command to upload the key to <a href="https://keys.openpgp.org">keys.openpgp.org</a> (make sure to replace FINGERPRINT):</p>
<code>gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT</code>
<p>And you're done! Reload your profile page, it should now show a verified Twitter account.</p>

30
views/guides/twitter.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Adding a Twitter proof

81
views/guides/verify.content.php
View file

@ -1,81 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Let's see how to verify an OpenPGP signature.</p>
<h3>Obtain a signature</h3>
<p>If you already have a signature you would like to verify, great! If not, let's use the following signature for the guide:</p>
<code>-----BEGIN PGP SIGNED MESSAGE-----
<br>Hash: SHA256
<br>
<br>I like pineapple.
<br>-----BEGIN PGP SIGNATURE-----
<br>
<br>iQJDBAEBCAAtFiEEog/Pt4tEmnyVrrtlNzZ/SvQIetEFAl70mVUPHHlhcm1vQHlh
cm1vLmV1AAoJEDc2f0r0CHrRQXIP/08uza9zOtmZXv5K+uPGVzDKwkgPgZJEezX7
6iQ358f1pjSRvYfQ5aB13k2epUHoqCKArMYu1zPqxhvLvvAvp8uOHABnr9NGL3El
u7UUgaeUNHkr0gxCKEq3p81abrrbbWveP8OBP4RyxmaFx13Xcj7mfDluiBHmjVvv
WU09EdH9VPlJ7WfZ+2G2ZZDHuE5XiaeP7ocugTxXXLkp33zwpDX0+ZuCIXM6fQGe
OccSffglFPdNBnfasuuxDWxTQPsEbWGOPJV+CAPmBDeApX+TBF9bovO3hw4Uozk2
VT7EAy8Hb0SOrUb3UNGxzoKv++5676IxyB4JXX0Tr9O4ZxhO8o9pEEHwirtn/J1+
MWven4gVlWM/6bMeUqx6ydyNc2nqF5059yfRmwGMlp09x82G4x1bcf6aDZ+5njDG
fS5T2OpXRIkZHJx8BhmZjsxiDR0KV44zwHpt06+96ef3EDWB0BcP6M+a5Rtc33zf
irRmQd2M6RLyXCYtdGIiiAFRuomw802U4F0P4LwVrZdbGA6ObqBv1k8BUFCMbMz8
Ab4hF7kO4z0Vh3JaKzcHey0pOzdNCPpAHZ51sAoAnFDM4PdMBgQxxVweCMu4KYMZ
FN8sNn42oY/b7gDmwCelVhgD+rvUn/a8+B7CDmCp+wIquyrjrTt00voATcb+ZPMJ
<br>pTXJ/NcM
<br>=rqTX
<br>-----END PGP SIGNATURE-----
</code>
<p>Copy the above signature.</p>
<h3>Verify the signature</h3>
<p>Open the <a href="/verify" target="_blank">keyoxide.org/verify</a> page and paste the signature in the corresponding field. Scroll down and press the <strong>VERIFY SIGNATURE</strong> button.</p>
<p>Keyoxide lets you know the signature was verified and signed by a certain person.</p>
<h3>Verify the signature against a specific public key</h3>
<p>Sometimes, you want to know if a specific person or public key was used to create a signature. In this case, let's figure out if the message was signed by Yarmo's public key or his friend Wiktor's public key.</p>
<p>Copy the following fingerprint:</p>
<code>653909A2F0E37C106F5FAF546C8857E0D8E8F074</code>
<p>Paste it in the <strong>Email / key id / fingerprint</strong> field under <strong>Public Key (3: HKP server)</strong> and press the big button again. It could not be verified. Guess it wasn't Wiktor who signed that message.</p>
<p>Now, copy the following fingerprint:</p>
<code>9f0048ac0b23301e1f77e994909f6bd6f80f485d</code>
<p>Paste it in the same field and press the big button again. It did verify! It was Yarmo all along.</p>
<h3>Going further</h3>
<p>You could try using different mechanisms of fetching keys, such as <strong>web key directory</strong> or copy-pasting a plaintext public key.</p>
<p>If you'd like to sign messages using PGP, you must first learn the fundamentals of PGP and how to generate and handle your own keypair.</p>

30
views/guides/verify.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Verifying a signature

64
views/guides/web-key-directory.content.php
View file

@ -1,64 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<h3>Web key directory</h3>
<p><a href="https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/">Web key directory</a> or WKD refers to the method of uploading one's public key to their website in a specific location to make it easily accessible by other services supporting WKD. The key will be discoverable using an identifier similar to an email address: <strong>username@domain.org</strong>.</p>
<p>The benefit of WKD is having full control over the key while still having it widely available. It does however require a domain and some form of file hosting. Luckily, <a href="https://keys.openpgp.org/about/usage#wkd-as-a-service">openpgp.org</a> have made a WKD-as-a-service. Read more at the end of the guide.</p>
<p>It exists in two variants: the Direct setup and the Advanced setup. Despite their names, both require roughly the same steps.</p>
<h3>The Direct setup</h3>
<p>To make your keys available via WKD using the Direct setup, you'll need two paths on your server:</p>
<p><strong>https://domain.org/.well-known/openpgpkey/policy</strong>: this is an empty file</p>
<p><strong>https://domain.org/.well-known/openpgpkey/hu/LOCALPART</strong>: this is the binary public key (so NOT ASCII armored)</p>
<p>The LOCALPART above is actually the username hashed using the SHA-1 algorithm and encoded using the Z-Base-32 method. As it's not humanly possible to compute this by ourselves, Keyoxide provides a <a href="/util/wkd">small utility to do this for you</a>.</p>
<p>So if you wish to make your key available as <strong>jimothy@dm.com</strong>, according to the <a href="/util/wkd">small utility</a>, the URL would become:</p>
<code>https://dm.com/.well-known/openpgpkey/hu/n9utc41qty791upt63rm5xtiudabmw6m</code>
<h3>The Advanced setup</h3>
<p>While not necessary if the Direct setup works, there is a second setup to make WKD work: the Advanced setup. The paths needed are:</p>
<p><strong>https://openpgpkey.domain.org/.well-known/openpgpkey/domain.org/policy</strong>: this is an empty file</p>
<p><strong>https://openpgpkey.domain.org/.well-known/openpgpkey/domain.org/hu/LOCALPART</strong>: this is the binary public key (so NOT ASCII armored)</p>
<p>Indeed, quite similar to the Direct setup, except for the <strong>openpgpkey</strong> subdomain and the additional <strong>domain.org</strong> in the path of the public key.</p>
<p>The public key for <strong>jimothy@dm.com</strong> would be available at:</p>
<code>https://openpgpkey.dm.com/.well-known/openpgpkey/hu/dm.com/n9utc41qty791upt63rm5xtiudabmw6m</code>
<h3>WKD-as-a-service</h3>
<p>In case hosting is problem, Openpgp.org has a handy <a href="https://keys.openpgp.org/about/usage#wkd-as-a-service">WKD-as-a-service</a>.</p>

30
views/guides/web-key-directory.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Uploading keys using web key directory

72
views/guides/xmpp.content.php
View file

@ -1,72 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
<p>Let's add a decentralized XMPP proof to your OpenPGP keys.</p>
<h3>Add a message to your XMPP vCard</h3>
<p>Using a XMPP client that supports editing the vCard (such as <a href="https://dino.im/">Dino</a> and <a href="https://gajim.org/">Gajim</a>), append the following message to the <strong>About</strong> section (make sure to replace FINGERPRINT):</p>
<code>This is an OpenPGP proof that connects my OpenPGP key to this XMPP account.
For details check out https://keyoxide.org/guides/openpgp-proofs
<br><br>[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]</code>
<h3>Update the PGP key (basic edition)</h3>
<p>First, edit the key (make sure to replace FINGERPRINT):</p>
<code>gpg --edit-key FINGERPRINT</code>
<p>Add a new notation:</p>
<code>notation</code>
<p>Enter the notation (make sure to replace XMPP-ID):</p>
<code>proof@metacode.biz=xmpp:XMPP-ID</code>
<p>The XMPP-ID looks something like an email address: <strong>user@domain.org</strong>.</p>
<p>Save the key:</p>
<code>save</code>
<p>Upload the key to WKD or use the following command to upload the key to <a href="https://keys.openpgp.org">keys.openpgp.org</a> (make sure to replace FINGERPRINT):</p>
<code>gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT</code>
<p>And you're done! Reload your profile page, it should now show a XMPP account.</p>
<h3>Update the PGP key (OMEMO edition)</h3>
<p>XMPP communication can be end-to-end encrypted with <a href="https://conversations.im/omemo/">OMEMO</a>. Verifying OMEMO fingerprints is essential to trust your communication and keep it safe from Man-in-the-Middle attacks.</p>
<p><strong>Keyoxide</strong> makes the fingerprint verification process easy for all. Add a special identity proof that not only contains your XMPP-ID but also the fingerprints of all your OMEMO keys.</p>
<p>If your XMPP identity proof is verified, a QR code is shown. Anyone can scan this QR code using XMPP apps like <a href="https://conversations.im/">Conversations</a> (free on <a href="https://f-droid.org/en/packages/eu.siacs.conversations/">F-Droid</a>) to not only add you as a contact, but also verify your OMEMO keys with the highest level of trust.</p>
<p>Making this identity proof yourself can be a tad difficult when using clients like Gajim, but luckily for us, <a href="https://conversations.im/">Conversations</a> can directly generate the proof by going to <strong>Account details > Share > Share as XMPP URI</strong>. The resulting URI should look something like:</p>
<code>xmpp:user@domain.org?omemo-sid-123456789=A1B2C3D4E5F6G7H8I9...</code>
<p>To take advantage of the easy and secure XMPP identity proof including OMEMO fingerprints, follow the <strong>basic edition</strong> guide above but replace XMPP-ID with the URI obtained through the <strong>Conversations</strong> app.</p>

30
views/guides/xmpp.title.php
View file

@ -1,30 +0,0 @@
<?php
// Copyright (C) 2020 Yarmo Mackenbach
//
// This program is free software: you can redistribute it and/or modify it under
// the terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
// details.
//
// You should have received a copy of the GNU Affero General Public License along
// with this program. If not, see <https://www.gnu.org/licenses/>.
//
// Also add information on how to contact you by electronic and paper mail.
//
// If your software can interact with users remotely through a computer network,
// you should also make sure that it provides a way for users to get its source.
// For example, if your program is a web application, its interface could display
// a "Source" link that leads users to an archive of the code. There are many
// ways you could offer source, and different solutions will be better for different
// programs; see section 13 for the specific requirements.
//
// You should also get your employer (if you work as a programmer) or school,
// if any, to sign a "copyright disclaimer" for the program, if necessary. For
// more information on this, and how to apply and follow the GNU AGPL, see <https://www.gnu.org/licenses/>.
?>
Adding a XMPP proof