diff --git a/guides/contributing.md b/guides/contributing.md new file mode 100644 index 0000000..dc162da --- /dev/null +++ b/guides/contributing.md @@ -0,0 +1,20 @@ +# Contributing to Keyoxide + +Keyoxide is more than this website. It's a project that aims to make cryptography more accessible to everyone. Keyoxide is part of a larger community of people working hard to develop tools that add privacy and security to our digital online lives. Remember: privacy is not a luxury. + +## As a developer + +As Keyoxide is an open-source project licensed under the permissive [MIT License](https://codeberg.org/keyoxide/web/src/branch/main/LICENSE), everyone is welcome and encouraged to contribute. This can be done in various forms: + +* [Open an issue](https://codeberg.org/keyoxide/web/issues) to request changes, new features or simply get help. +* [Open a PR](https://codeberg.org/keyoxide/web/pulls) to directly integrate your own changes and new features. + +## Not a developer? + +Not a developer? Not a problem? You could: + +* Learn more about the importance of online privacy and security and advocate for it (much needed!) +* Write guides for others and help each other out. +* Start using decentralized OpenPGP identity keys. +* Spread the word about Keyoxide and OpenPGP keys in general. +* Talk to persons you know using siloed or closed-source alternatives to Keyoxide. diff --git a/guides/devto.md b/guides/devto.md new file mode 100644 index 0000000..abc4a09 --- /dev/null +++ b/guides/devto.md 
@@ -0,0 +1,41 @@ +# Adding a dev.to proof + +Let's add a decentralized dev.to proof to your OpenPGP keys. + +[[toc]] + +## Post a dev.to proof message + +Log in to [dev.to](https://dev.to) and create a new post with the following text (make sure to replace FINGERPRINT and USERNAME): + +``` +This is an OpenPGP proof that connects [my OpenPGP key](https://keyoxide.org/FINGERPRINT) to [this dev.to account](https://dev.to/USERNAME). For details check out https://keyoxide.org/guides/openpgp-proofs + +[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT] +``` + +After posting, copy the link to the post. + +## Update the PGP key + +First, edit the key (make sure to replace FINGERPRINT): + +`gpg --edit-key FINGERPRINT` + +Add a new notation: + +`notation` + +Enter the notation (make sure to update with the link to the post copied above): + +`proof@metacode.biz=https://dev.to/USERNAME/POST_TITLE` + +Save the key: + +`save` + +Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT): + +`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT` + +And you're done! Reload your profile page, it should now show a verified dev.to account. diff --git a/guides/discourse.md b/guides/discourse.md new file mode 100644 index 0000000..a6f065a --- /dev/null +++ b/guides/discourse.md 
@@ -0,0 +1,41 @@ +# Adding a Discourse proof + +Let's add a decentralized Discourse proof to your OpenPGP keys. + +[[toc]] + +## Update the Discourse account + +Log in to the discourse instance website and add the following text to your **About me** (make sure to replace FINGERPRINT): + +``` +This is an OpenPGP proof that connects my OpenPGP key to this Discourse account. For details check out https://keyoxide.org/guides/openpgp-proofs + +[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT] +``` + +After posting, copy the link to your profile page (it should end with your **/u/USERNAME**). + +## Update the PGP key + +First, edit the key (make sure to replace FINGERPRINT): + +`gpg --edit-key FINGERPRINT` + +Add a new notation: + +`notation` + +Enter the notation (make sure to replace PROFILE_URL with the link to the profile copied above): + +`proof@metacode.biz=PROFILE_URL` + +Save the key: + +`save` + +Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT): + +`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT` + +And you're done! Reload your profile page, it should now show a verified Discourse account. diff --git a/guides/dns.md b/guides/dns.md new file mode 100644 index 0000000..56f9721 --- /dev/null +++ b/guides/dns.md 
@@ -0,0 +1,35 @@ +# Adding a DNS proof + +Let's add a decentralized DNS proof to your OpenPGP keys. + +[[toc]] + +## Update DNS records for your website + +Add the following TXT record to the DNS records of the (sub)domain you want to prove control over (make sure to replace FINGERPRINT): + +`openpgp4fpr:FINGERPRINT` + +No specific TTL value is required. + +## Update the PGP key + +First, edit the key (make sure to replace FINGERPRINT): + +`gpg --edit-key FINGERPRINT` + +Add a new notation: + +`notation` + +Enter the notation (make sure to replace DOMAIN, don't include https://): + +`proof@metacode.biz=dns:DOMAIN?type=TXT` + +Save the key: + +`save` + +Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT): + +`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT` diff --git a/guides/encrypt.md b/guides/encrypt.md new file mode 100644 index 0000000..7bfe1c9 --- /dev/null +++ b/guides/encrypt.md 
@@ -0,0 +1,27 @@ +# Encrypting a message + +Let's see how to encrypt a message. + +[[toc]] + +## Obtain a public key for encryption + +The idea is that you use someone's public key to encrypt a message. From then on, the message cannot be decrypted and read by anyone but the person possessing the private keys associated with the public key (they'll have the same fingerprint). + +If you already have a public key (or its fingerprint) you would like to use to encrypt a message, great! If not, you could use the following fingerprint: + +`9f0048ac0b23301e1f77e994909f6bd6f80f485d` + +## Encrypt a message + +Open the [keyoxide.org/encrypt](/encrypt) page and paste the fingerprint in the **Email / key id / fingerprint** field. + +Write a message in the **Message** field. Scroll down and press the **ENCRYPT MESSAGE** button. + +You have successfully encrypted the message! The encrypted message in the **Message** field can safely be sent via unsecured communication channels knowing that only the person possessing the private key associated with that fingerprint can read it. + +## Going further + +You could try using different mechanisms of fetching keys, such as **web key directory** or copy-pasting a plaintext public key. + +If you'd like to receive PGP encrypted messages, you must first learn the fundamentals of PGP and how to generate and handle your own keypair. diff --git a/guides/feature-comparison-keybase.md b/guides/feature-comparison-keybase.md new file mode 100644 index 0000000..df8eadf --- /dev/null +++ b/guides/feature-comparison-keybase.md 
@@ -0,0 +1,41 @@ +# Feature comparison with Keybase + +Let's see how Keyoxide's features compare to those of Keybase. + +[[toc]] + +## Encrypt and verify + +Both Keyoxide and Keybase allow easy encryption of data and verification of signatures. While Keybase can only perform these actions for their users who uploaded at least a public key to their servers, Keyoxide can do this for any key on the internet, whether it's available through web key directory, dedicated key servers or simply copy-pasting a plaintext key. + +## Decrypt and sign + +Keyoxide cannot decrypt data or sign messages. + +Keybase can do both of those things but this should NOT be considered a feature. It requires one to upload their private key to closed-source servers which is an act in stark contradiction with all safety precautions any owner of a private key should aim to heed. + +## Online identity proofs + +Both Keyoxide and Keybase allow the user to generate proofs of online identity on various platforms. The difference lies in the method of generation and the implications this has on security. + +Keybase generates a signed message to be posted by the to-be-verified account. Since this involves a signature, any signing key can be used. If a signing key gets misappropriated, it becomes easy for a bad actor to create fake identity proofs. + +Keyoxide uses decentralized OpenPGP proofs in which the identity proofs are stored as notations within the keys themselves. This is only possible when you have access to keys with "certification" capability. As these are the most valuable of keys, they should also be handled more securely than signing keys and are therefore less prone to forgery of identity proofs. + +## Social network and additional services + +Keybase provides an additional social network, chat functionality, encrypted drive, encrypted git, XLM crypto wallet and much more. + +Keyoxide has none of that. Just keys and proofs. + +## Openness + +Keyoxide is fully open-source. 
It consists mainly of a client component which is the browser. The supporting server functions are open-source as well. + +Keybase has open-source clients but closed-source servers. + +## Data safety + +Keyoxide lets the user's devices do almost all of the heavy lifting, meaning no data is ever sent to a server to perform any of the actions. Only exceptions to this rule are a couple of "proxy scripts" for proofs that cannot be verified by a browser. These proxy scripts are open-source as well and inspectable by all. + +Keybase servers are closed-source. One does not know what happens inside that black box. diff --git a/guides/github.md b/guides/github.md new file mode 100644 index 0000000..7840419 --- /dev/null +++ b/guides/github.md 
@@ -0,0 +1,43 @@ +# Adding a Github proof + +Let's add a decentralized Github proof to your OpenPGP keys. + +[[toc]] + +## Post a Github proof message + +Log in to [github.com](https://github.com) and click on **New gist**. + +Name the file **openpgp.md** and copy the following content into it (make sure to replace FINGERPRINT and USERNAME): + +``` +This is an OpenPGP proof that connects [my OpenPGP key](https://keyoxide.org/FINGERPRINT) to [this Github account](https://github.com/USERNAME). For details check out https://keyoxide.org/guides/openpgp-proofs + +[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT] +``` + +After creating a public gist, copy the link to the gist. + +## Update the PGP key + +First, edit the key (make sure to replace FINGERPRINT): + +`gpg --edit-key FINGERPRINT` + +Add a new notation: + +`notation` + +Enter the notation (make sure to update with the link to the post copied above): + +`proof@metacode.biz=https://gist.github.com/USERNAME/12345678912345678912345678912345` + +Save the key: + +`save` + +Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT): + +`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT` + +And you're done! Reload your profile page, it should now show a verified Github account. diff --git a/guides/hackernews.md b/guides/hackernews.md new file mode 100644 index 0000000..097f89a --- /dev/null +++ b/guides/hackernews.md 
@@ -0,0 +1,41 @@ +# Adding a Hackernews proof + +Let's add a decentralized Hackernews proof to your OpenPGP keys. + +[[toc]] + +## Update the Hackernews account + +Log in to [Hackernews](https://news.ycombinator.com) and click on your **username**. + +Add the following lines to your **about** (make sure to replace FINGERPRINT): + +``` +This is an OpenPGP proof that connects my OpenPGP key to this Hackernews account. For details check out https://keyoxide.org/guides/openpgp-proofs + +[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT] +``` + +## Update the PGP key + +First, edit the key (make sure to replace FINGERPRINT): + +`gpg --edit-key FINGERPRINT` + +Add a new notation: + +`notation` + +Enter the notation (make sure to replace USERNAME): + +`proof@metacode.biz=https://news.ycombinator.com/user?id=USERNAME` + +Save the key: + +`save` + +Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT): + +`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT` + +And you're done! Reload your profile page, it should now show a verified Hackernews account. diff --git a/guides/lobsters.md b/guides/lobsters.md new file mode 100644 index 0000000..0f39e56 --- /dev/null +++ b/guides/lobsters.md 
@@ -0,0 +1,39 @@ +# Adding a Lobste.rs proof + +Let's add a decentralized Lobste.rs proof to your OpenPGP keys. + +[[toc]] + +## Update the Lobste.rs account + +Log in to [Lobste.rs](https://lobste.rs) and append the following text to the **About** section (make sure to replace FINGERPRINT): + +``` +This is an OpenPGP proof that connects my OpenPGP key to this Lobste.rs account. For details check out https://keyoxide.org/guides/openpgp-proofs + +[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT] +``` + +## Update the PGP key + +First, edit the key (make sure to replace FINGERPRINT): + +`gpg --edit-key FINGERPRINT` + +Add a new notation: + +`notation` + +Enter the notation (make sure to replace USERNAME): + +`proof@metacode.biz=https://lobste.rs/u/USERNAME` + +Save the key: + +`save` + +Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT): + +`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT` + +And you're done! Reload your profile page, it should now show a verified Lobste.rs account. diff --git a/guides/managing-proofs-deleting.md b/guides/managing-proofs-deleting.md new file mode 100644 index 0000000..a52bdb3 --- /dev/null +++ b/guides/managing-proofs-deleting.md 
@@ -0,0 +1,45 @@ +# Deleting Proofs using GnuPG + +Over time, you may need to delete proofs. Changing proofs can be achieved by deleting proofs and adding new ones. + +## Delete all proofs + +First, edit the key (make sure to replace FINGERPRINT): + +`gpg --edit-key FINGERPRINT` + +Launch the notation prompt: + +`notation` + +Enter the 'none' notation to delete all notations: + +`none` + +Save the changes: + +`save` + +## Delete one of your proofs + +First, edit the key (make sure to replace FINGERPRINT): + +`gpg --edit-key FINGERPRINT` + +Launch the notation prompt: + +`notation` + +Enter the **-** (minus) symbol followed by the proof you want to delete. Make sure you type the proof exactly like it is in your key. + +`-proof@metacode.biz=dns:yourdomain.org?type=TXT` + +_To make it easier to enter the right proof, you could first [list all proofs](managing-proofs-listing) and simply copy the proof (including "proof@metacode.biz=") you want to delete._ + +Save the changes: + +`save` + +Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT): + +`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT` diff --git a/guides/managing-proofs-listing.md b/guides/managing-proofs-listing.md new file mode 100644 index 0000000..ee0d03c --- /dev/null +++ b/guides/managing-proofs-listing.md 
@@ -0,0 +1,29 @@ +# Listing Proofs using GnuPG + +Let's list the identity proofs stored in our OpenPGP keys. + +## Listing notations in GnuPG + +First, edit the key (make sure to replace FINGERPRINT): + +`gpg --edit-key FINGERPRINT` + +List detailed preferences: + +`showpref` + +You should now see your key details, uid, and proofs assigned to your keys: + +``` +[ultimate] (1). Your Name + Cipher: AES256, AES192, AES, 3DES + Digest: SHA512, SHA384, SHA256, SHA1 + Compression: ZLIB, BZIP2, ZIP, Uncompressed + Features: MDC, Keyserver no-modify + Notations: proof@metacode.biz=https://gist.github.com/youruser/somehash + proof@metacode.biz=dns:yourdomain.org?type=TXT +``` + +Exit gpg: + +`quit` diff --git a/guides/mastodon.md b/guides/mastodon.md new file mode 100644 index 0000000..08bbb46 --- /dev/null +++ b/guides/mastodon.md @@ -0,0 +1,35 @@ +# Adding a Mastodon proof + +Let's add a decentralized Mastodon proof to your OpenPGP keys. + +[[toc]] + +## Update the Mastodon account + +Log in to your Mastodon instance and click on **Edit profile**. + +Add a new item under **Profile metadata** with the label **OpenPGP** and your PGP fingerprint as the content. + +## Update the PGP key + +First, edit the key (make sure to replace FINGERPRINT): + +`gpg --edit-key FINGERPRINT` + +Add a new notation: + +`notation` + +Enter the notation (make sure to update the link): + +`proof@metacode.biz=https://INSTANCE.ORG/@USERNAME` + +Save the key: + +`save` + +Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT): + +`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT` + +And you're done! Reload your profile page, it should now show a verified Mastodon account. diff --git a/guides/migrating-from-keybase.md b/guides/migrating-from-keybase.md new file mode 100644 index 0000000..eff9f7e --- /dev/null +++ b/guides/migrating-from-keybase.md 
@@ -0,0 +1,25 @@ +# Migrating from Keybase + +Let's see how easy it is to get a Keyoxide profile when you already have a Keybase account. + +[[toc]] + +## Claim your Keyoxide profile + +Go to the [profile URL generator](/util/profile-url), set Keybase as Source and follow the Keybase specific instructions. Has a profile URL been generated? Congratulations, you now have your very own Keyoxide profile! + +## Actually migrating to Keyoxide + +Unfortunately, you get very little control when using your Keybase key directly. You will need to generate your own PGP keypair (use guides like [this one](https://spin.atomicobject.com/2013/11/24/secure-gpg-keys-guide/) for help) to unlock the full potential of [distributed identity proofs](/guides/proofs). + +Have you generated a keypair and made the public key accessible through [web key directory (WKD)](/guides/web-key-directory) or uploaded it to [keys.openpgp.org](https://keys.openpgp.org/)? Use the [profile URL generator](/util/profile-url) to get your own profile URL and [start adding identity proofs](/guides). + +## Keyoxide as a partial replacement for Keybase + +It's important to moderate expectations and state that [Keyoxide](/) only replaces the subset of Keybase features that are considered the "core" features: message encryption, signature verification and identity proofs. + +Message decryption and signing are **not** supported features: they would require you to upload your secret key to a website which is a big **no-no**. + +Encrypted chat and cloud storage are **not** supported features: there are plenty of dedicated alternative services. + +If you need any of these Keybase-specific supports, [Keyoxide](/) may not be a full Keybase replacement for you but you could still generate a profile and take advantage of **distributed identity proofs**. diff --git a/guides/openpgp-proofs.md b/guides/openpgp-proofs.md new file mode 100644 index 0000000..49dd657 --- /dev/null +++ b/guides/openpgp-proofs.md 
@@ -0,0 +1,35 @@ +# How OpenPGP identity proofs work + +[[toc]] + +## Decentralized OpenPGP identity proofs + +Decentralized OpenPGP identity proofs are the brainchild of Wiktor who wrote the original guide on [his website](https://metacode.biz/openpgp/proofs) (a suggested read to get first-hand information). + +Unlike proofs provided by for example [Keybase](https://keybase.io), OpenPGP proofs are stored inside the PGP keys themselves instead of being mere signatures. Since this operation requires keys with "certify" capabilities and not simply "sign" capabilities, these OpenPGP proofs could be considered more secure. + +## Example + +* Alice and Bob have been talking for years on service A. Alice already has an account on service B. Bob wants to move to service B as well. A simple decentralized proof confirms that the person who is known as Alice on service A is also known as Alice on service B. Bob can safely move to service B and talk to Alice without having to meet in person to confirm their accounts. +* Alice has received a friend request from Bob29 on service C. Is this the same Bob from service A or not? A simple decentralized proof confirms that the person who is known as Bob on platform A is also known as Bob29 on service C. Turns out 28 Bobs were already using service C. +* Bob has been invited by an account named Alyce to create an account on an unknown server. Is this a legit request? A simple decentralized proof tells Bob that Alice does not have such an account. Bob knows something is up and does not click the link possibly sent by an imposter. + +## What an OpenPGP proof looks like + +Every OpenPGP identity proof is stored in the PGP key as a notation that looks like this: + +`proof@metacode.biz=https://twitter.com/USERNAME/status/1234567891234567891` + +This particular proof is for a Twitter account (read more in the [Twitter guide](/guides/twitter)). Let's analyse the notation: + +* **proof** means the current notation is for an identity proof. 
+* **@metacode.biz** is the domain of the person who came up with OpenPGP proofs and serves as a namespace for the notation. The domain is included and used for all proofs to comply with the [OpenPGP Message Format standard (RFC 4880)](https://tools.ietf.org/html/rfc4880#section-5.2.3.16). +* **https://twitter.com/USERNAME/status/1234567891234567891** is the value of the notation. It is a link to the piece of online content that contains a pre-defined message which must always include the fingerprint of the PGP key that will hold the proof. + +The proof should always link to a document that can be parsed as JSON to make the verification easy and feasible by the browser. Sometimes however, due to CORS restrictions or API requirements (as is the case for Twitter), no such link is provided by the platform. In these rare exceptional cases, the verification process is delegated to the Keyoxide server which will communicate directly with the platform's servers to get the content of the post. + +## Your turn + +If you'd like to add decentralized OpenPGP identity proofs to your key, go to the [guides](/guides) and find the right one for your platform of choice. You may find the process to be remarkably easy. + +If your platform is not in the list of [guides](/guides), it's not supported yet. See the [contributing guide](/guides/contributing) for more information on how to get that platform supported. diff --git a/guides/pixelfed.md b/guides/pixelfed.md new file mode 100644 index 0000000..c5b3df0 --- /dev/null +++ b/guides/pixelfed.md 
@@ -0,0 +1,41 @@ +# Adding a Pixelfed proof + +Let's add a decentralized Pixelfed proof to your OpenPGP keys. + +[[toc]] + +## Update the Pixelfed account + +Log in to your Pixelfed instance and add the following lines to your **Bio** (make sure to replace FINGERPRINT): + +``` +This is an OpenPGP proof that connects my OpenPGP key to this Pixelfed account. For details check out https://keyoxide.org/guides/openpgp-proofs + +[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT] +``` + +## Update the PGP key + +First, edit the key (make sure to replace FINGERPRINT): + +`gpg --edit-key FINGERPRINT` + +Add a new notation: + +`notation` + +Enter the notation (make sure to update the link): + +`proof@metacode.biz=https://INSTANCE.ORG/users/USERNAME` + +Please note that the **/users/** part of the URL is mandatory for the proof to work. + +Save the key: + +`save` + +Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT): + +`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT` + +And you're done! Reload your profile page, it should now show a verified Fediverse account (Pixelfed is part of the [Fediverse](#https://en.wikipedia.org/wiki/Fediverse)). diff --git a/guides/pleroma.md b/guides/pleroma.md new file mode 100644 index 0000000..27d614d --- /dev/null +++ b/guides/pleroma.md 
@@ -0,0 +1,41 @@ +# Adding a Pleroma proof + +Let's add a decentralized Pleroma proof to your OpenPGP keys. + +[[toc]] + +## Update the Pleroma account + +Log in to your Pleroma instance and add the following lines to your **Bio** (make sure to replace FINGERPRINT): + +``` +This is an OpenPGP proof that connects my OpenPGP key to this Pleroma account. For details check out https://keyoxide.org/guides/openpgp-proofs + +[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT] +``` + +## Update the PGP key + +First, edit the key (make sure to replace FINGERPRINT): + +`gpg --edit-key FINGERPRINT` + +Add a new notation: + +`notation` + +Enter the notation (make sure to update the link): + +`proof@metacode.biz=https://INSTANCE.ORG/users/USERNAME` + +Please note that the **/users/** part of the URL is mandatory for the proof to work. + +Save the key: + +`save` + +Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT): + +`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT` + +And you're done! Reload your profile page, it should now show a verified Fediverse account (Pleroma is part of the [Fediverse](#https://en.wikipedia.org/wiki/Fediverse)). diff --git a/guides/proofs.md b/guides/proofs.md new file mode 100644 index 0000000..8670934 --- /dev/null +++ b/guides/proofs.md 
@@ -0,0 +1,29 @@ +# Verifying identity proofs + +Let's see how to verify identity proofs. + +[[toc]] + +## Obtain a public key for verification + +The idea is that anyone can add identity proofs of various platforms in their keys. Since this information is kept in the public key, you could take anyone's public key and check whether they indeed have control over the accounts they claim to. + +If you already have a public key (or its fingerprint) with OpenPGP identity proofs you would like to use to verify, great! If not, you could use the following fingerprint: + +`9f0048ac0b23301e1f77e994909f6bd6f80f485d` + +## Verify proofs + +Open the [keyoxide.org/proofs](/proofs) page and paste the fingerprint in the **Email / key id / fingerprint** field. Scroll down and press the **VERIFY PROOFS** button. + +You now see a list of domains and/or accounts on platforms for which the owner of the public key claims to have an control over. + +If the last link on a line says **proof**, the proof could not be verified for any number of reasons but Keyoxide still allows to check the supposed proof and decide for yourself whether you trust the claim. If the + +If the last link on a line says **verified**, the owner of the public key indeed has shown beyond doubt that it has control over the domain or account. + +## Your turn + +If you'd like to add decentralized OpenPGP identity proofs to your key, go to the [guides](/guides) and find the right one for your platform of choice. You may find the process to be remarkably easy. + +If your platform is not in the list of [guides](/guides), it's not supported yet. See the [contributing guide](/guides/contributing) for more information on how to get that platform supported. diff --git a/guides/reddit.md b/guides/reddit.md new file mode 100644 index 0000000..8f4cfb4 --- /dev/null +++ b/guides/reddit.md 
@@ -0,0 +1,41 @@ +# Adding a Reddit proof + +Let's add a decentralized Reddit proof to your OpenPGP keys. + +[[toc]] + +## Post a Reddit proof message + +Log in to [www.reddit.com](https://www.reddit.com) and create a new post with the following text (make sure to replace FINGERPRINT): + +``` +This is an OpenPGP proof that connects my OpenPGP key to this Reddit account. For details check out https://keyoxide.org/guides/openpgp-proofs + +[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT] +``` + +After posting, copy the link to the post. + +## Update the PGP key + +First, edit the key (make sure to replace FINGERPRINT): + +`gpg --edit-key FINGERPRINT` + +Add a new notation: + +`notation` + +Enter the notation (make sure to update with the link to the post copied above): + +`proof@metacode.biz=https://www.reddit.com/user/USERNAME/comments/123123/TITLE/` + +Save the key: + +`save` + +Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT): + +`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT` + +And you're done! Reload your profile page, it should now show a verified Reddit account. diff --git a/guides/self-hosting-keyoxide.md b/guides/self-hosting-keyoxide.md new file mode 100644 index 0000000..b9d168a --- /dev/null +++ b/guides/self-hosting-keyoxide.md 
@@ -0,0 +1,7 @@ +# Self-hosting Keyoxide + +Though it's not a fully supported use case yet, anyone can take the [source code](https://codeberg.org/keyoxide/web) and put it on their own server. The idea is that [Keyoxide.org](https://keyoxide.org) is not special in itself. After all, all the heavy lifting is done by the browser. So the role of any individual Keyoxide server is to get the tool in the hands of the end user. + +The few supporting roles the server has can easily be performed by any other (PHP) server. + +So if you like the project but perhaps are mistrusting of servers of others, especially when it comes to keypairs, here's the [source code](https://codeberg.org/keyoxide/web) and put it on your own server. Thanks for using the project! diff --git a/guides/service-provider.md b/guides/service-provider.md new file mode 100644 index 0000000..4e22810 --- /dev/null +++ b/guides/service-provider.md @@ -0,0 +1,13 @@ +# Are you a service provider? + +If you have: + +* a website that allows users to create accounts +* a messaging platform +* any other type of service that may require users to prove their online identity + +Then you may be interested in supporting decentralized identity proofs as they allow your users to securely prove their identity across services. Take a look at this [example](guides/service-provider) to find out how two persons can gain more confidence in knowing they are talking to and interacting with the right person in an online world where impersonating is all too easy. + +The internet could be a slightly safer place if your service allowed your users to prove their identity. All the service needs to do is make a JSON file available with basic details about the user and set the correct CORS headers. + +The [documentation](https://github.com/wiktor-k/openpgp-proofs#for-service-providers) on what is precisely required is provided by the original creator of decentralized OpenPGP identity proofs. 
diff --git a/guides/twitter.md b/guides/twitter.md new file mode 100644 index 0000000..8de40fb --- /dev/null +++ b/guides/twitter.md @@ -0,0 +1,41 @@ +# Adding a Twitter proof + +Let's add a decentralized Twitter proof to your OpenPGP keys. + +[[toc]] + +## Post a Twitter proof message + +Log in to [twitter.com](https://twitter.com) and compose a new tweet with the following text (make sure to replace FINGERPRINT): + +``` +This is an OpenPGP proof that connects my OpenPGP key to this Twitter account. For details check out https://keyoxide.org/guides/openpgp-proofs + +[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT] +``` + +After posting, copy the link to the tweet. + +## Update the PGP key + +First, edit the key (make sure to replace FINGERPRINT): + +`gpg --edit-key FINGERPRINT` + +Add a new notation: + +`notation` + +Enter the notation (make sure to update with the link to the tweet copied above): + +`proof@metacode.biz=https://twitter.com/USERNAME/status/1234567891234567891` + +Save the key: + +`save` + +Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT): + +`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT` + +And you're done! Reload your profile page, it should now show a verified Twitter account. diff --git a/guides/verify.md b/guides/verify.md new file mode 100644 index 0000000..f57b873 --- /dev/null +++ b/guides/verify.md 
@@ -0,0 +1,63 @@ +# Verifying a signature + +Let's see how to verify an OpenPGP signature. + +[[toc]] + +## Obtain a signature + +If you already have a signature you would like to verify, great! If not, let's use the following signature for the guide: + +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +I like pineapple. +-----BEGIN PGP SIGNATURE----- + +iQJDBAEBCAAtFiEEog/Pt4tEmnyVrrtlNzZ/SvQIetEFAl70mVUPHHlhcm1vQHlh +cm1vLmV1AAoJEDc2f0r0CHrRQXIP/08uza9zOtmZXv5K+uPGVzDKwkgPgZJEezX7 +6iQ358f1pjSRvYfQ5aB13k2epUHoqCKArMYu1zPqxhvLvvAvp8uOHABnr9NGL3El +u7UUgaeUNHkr0gxCKEq3p81abrrbbWveP8OBP4RyxmaFx13Xcj7mfDluiBHmjVvv +WU09EdH9VPlJ7WfZ+2G2ZZDHuE5XiaeP7ocugTxXXLkp33zwpDX0+ZuCIXM6fQGe +OccSffglFPdNBnfasuuxDWxTQPsEbWGOPJV+CAPmBDeApX+TBF9bovO3hw4Uozk2 +VT7EAy8Hb0SOrUb3UNGxzoKv++5676IxyB4JXX0Tr9O4ZxhO8o9pEEHwirtn/J1+ +MWven4gVlWM/6bMeUqx6ydyNc2nqF5059yfRmwGMlp09x82G4x1bcf6aDZ+5njDG +fS5T2OpXRIkZHJx8BhmZjsxiDR0KV44zwHpt06+96ef3EDWB0BcP6M+a5Rtc33zf +irRmQd2M6RLyXCYtdGIiiAFRuomw802U4F0P4LwVrZdbGA6ObqBv1k8BUFCMbMz8 +Ab4hF7kO4z0Vh3JaKzcHey0pOzdNCPpAHZ51sAoAnFDM4PdMBgQxxVweCMu4KYMZ +FN8sNn42oY/b7gDmwCelVhgD+rvUn/a8+B7CDmCp+wIquyrjrTt00voATcb+ZPMJ +pTXJ/NcM +=rqTX +-----END PGP SIGNATURE----- +``` + +Copy the above signature. + +## Verify the signature + +Open the [keyoxide.org/verify](/verify) page and paste the signature in the corresponding field. Scroll down and press the **VERIFY SIGNATURE** button. + +Keyoxide lets you know the signature was verified and signed by a certain person. + +## Verify the signature against a specific public key + +Sometimes, you want to know if a specific person or public key was used to create a signature. In this case, let's figure out if the message was signed by Yarmo's public key or his friend Wiktor's public key. + +Copy the following fingerprint: + +`653909A2F0E37C106F5FAF546C8857E0D8E8F074` + +Paste it in the **Email / key id / fingerprint** field under **Public Key (3: HKP server)** and press the big button again. 
It could not be verified. Guess it wasn't Wiktor who signed that message. + +Now, copy the following fingerprint: + +`9f0048ac0b23301e1f77e994909f6bd6f80f485d` + +Paste it in the same field and press the big button again. It did verify! It was Yarmo all along. + +## Going further + +You could try using different mechanisms of fetching keys, such as **web key directory** or copy-pasting a plaintext public key. + +If you'd like to sign messages using PGP, you must first learn the fundamentals of PGP and how to generate and handle your own keypair. diff --git a/guides/web-key-directory.md b/guides/web-key-directory.md new file mode 100644 index 0000000..6c034de --- /dev/null +++ b/guides/web-key-directory.md 
@@ -0,0 +1,43 @@ +# Uploading keys using web key directory + +[[toc]] + +## Web key directory + +[Web key directory](https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/) or WKD refers to the method of uploading one's public key to their website in a specific location to make it easily accessible by other services supporting WKD. The key will be discoverable using an identifier similar to an email address: **username@domain.org**. + +The benefit of WKD is having full control over the key while still having it widely available. It does however require a domain and some form of file hosting. Luckily, [openpgp.org](https://keys.openpgp.org/about/usage#wkd-as-a-service) have made a WKD-as-a-service. Read more at the end of the guide. + +It exists in two variants: the Direct setup and the Advanced setup. Despite their names, both require roughly the same steps. + +## The Direct setup + +To make your keys available via WKD using the Direct setup, you'll need two paths on your server: + +**https://domain.org/.well-known/openpgpkey/policy**: this is an empty file + +**https://domain.org/.well-known/openpgpkey/hu/LOCALPART**: this is the binary public key (so NOT ASCII armored) + +The LOCALPART above is actually the username hashed using the SHA-1 algorithm and encoded using the Z-Base-32 method. As it's not humanly possible to compute this by ourselves, Keyoxide provides a [small utility to do this for you](/util/wkd). + +So if you wish to make your key available as **jimothy@dm.com**, according to the [small utility](/util/wkd), the URL would become: + +`https://dm.com/.well-known/openpgpkey/hu/n9utc41qty791upt63rm5xtiudabmw6m` + +## The Advanced setup + +While not necessary if the Direct setup works, there is a second setup to make WKD work: the Advanced setup. 
The paths needed are: + +**https://openpgpkey.domain.org/.well-known/openpgpkey/domain.org/policy**: this is an empty file + +**https://openpgpkey.domain.org/.well-known/openpgpkey/domain.org/hu/LOCALPART**: this is the binary public key (so NOT ASCII armored) + +Indeed, quite similar to the Direct setup, except for the **openpgpkey** subdomain and the additional **domain.org** in the path of the public key. + +The public key for **jimothy@dm.com** would be available at: + +`https://openpgpkey.dm.com/.well-known/openpgpkey/hu/dm.com/n9utc41qty791upt63rm5xtiudabmw6m` + +## WKD-as-a-service + +In case hosting is problem, Openpgp.org has a handy [WKD-as-a-service](https://keys.openpgp.org/about/usage#wkd-as-a-service). diff --git a/guides/xmpp.md b/guides/xmpp.md new file mode 100644 index 0000000..4c29f44 --- /dev/null +++ b/guides/xmpp.md 
@@ -0,0 +1,55 @@ +# Adding a XMPP proof + +Let's add a decentralized XMPP proof to your OpenPGP keys. + +[[toc]] + +### Add a message to your XMPP vCard + +Using a XMPP client that supports editing the vCard (such as [Dino](https://dino.im/) and [Gajim](https://gajim.org/)), append the following message to the **About** section (make sure to replace FINGERPRINT): + +``` +This is an OpenPGP proof that connects my OpenPGP key to this XMPP account. For details check out https://keyoxide.org/guides/openpgp-proofs + +[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT] +``` + +### Update the PGP key (basic edition) + +First, edit the key (make sure to replace FINGERPRINT): + +`gpg --edit-key FINGERPRINT` + +Add a new notation: + +`notation` + +Enter the notation (make sure to replace XMPP-ID): + +`proof@metacode.biz=xmpp:XMPP-ID` + +The XMPP-ID looks something like an email address: **user@domain.org**. + +Save the key: + +`save` + +Upload the key to WKD or use the following command to upload the key to [keys.openpgp.org](https://keys.openpgp.org) (make sure to replace FINGERPRINT): + +`gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT` + +And you're done! Reload your profile page, it should now show a XMPP account. + +### Update the PGP key (OMEMO edition) + +XMPP communication can be end-to-end encrypted with [OMEMO](https://conversations.im/omemo/). Verifying OMEMO fingerprints is essential to trust your communication and keep it safe from Man-in-the-Middle attacks. + +**Keyoxide** makes the fingerprint verification process easy for all. Add a special identity proof that not only contains your XMPP-ID but also the fingerprints of all your OMEMO keys. + +If your XMPP identity proof is verified, a QR code is shown. 
Anyone can scan this QR code using XMPP apps like [Conversations](https://conversations.im/) (free on [F-Droid](https://f-droid.org/en/packages/eu.siacs.conversations/)) to not only add you as a contact, but also verify your OMEMO keys with the highest level of trust. + +Making this identity proof yourself can be a tad difficult when using clients like Gajim, but luckily for us, [Conversations](https://conversations.im/) can directly generate the proof by going to **Account details > Share > Share as XMPP URI**. The resulting URI should look something like: + +`xmpp:user@domain.org?omemo-sid-123456789=A1B2C3D4E5F6G7H8I9...` + +To take advantage of the easy and secure XMPP identity proof including OMEMO fingerprints, follow the **basic edition** guide above but replace XMPP-ID with the URI obtained through the **Conversations** app. diff --git a/views/guides/contributing.content.php b/views/guides/contributing.content.php deleted file mode 100644 index 9c4050b..0000000 --- a/views/guides/contributing.content.php +++ /dev/null @@ -1,51 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -

Keyoxide is more than this website. It's a project that aims to make cryptography more accessible to everyone. Keyoxide is part of a larger community of people working hard to develop tools that add privacy and security to our digital online lives. Remember: privacy is not a luxury.

- -

As a developer

- -

As Keyoxide is an open-source project licensed under the permissive MIT License, everyone is welcome and encouraged to contribute. This can be done in various forms:

- - - -

Not a developer?

- -

Not a developer? Not a problem? You could:

- - diff --git a/views/guides/contributing.title.php b/views/guides/contributing.title.php deleted file mode 100644 index 30c816f..0000000 --- a/views/guides/contributing.title.php +++ /dev/null @@ -1,30 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -Contributing to Keyoxide diff --git a/views/guides/devto.content.php b/views/guides/devto.content.php deleted file mode 100644 index 924c9b8..0000000 --- a/views/guides/devto.content.php +++ /dev/null 
@@ -1,58 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -

Let's add a decentralized dev.to proof to your OpenPGP keys.

- -

Post a dev.to proof message

- -

Log in to dev.to and create a new post with the following text (make sure to replace FINGERPRINT and USERNAME):

-This is an OpenPGP proof that connects [my OpenPGP key](https://keyoxide.org/FINGERPRINT) to [this dev.to account](https://dev.to/USERNAME). -For details check out https://keyoxide.org/guides/openpgp-proofs -

[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]
- -

After posting, copy the link to the post.

- -

Update the PGP key

- -

First, edit the key (make sure to replace FINGERPRINT):

-gpg --edit-key FINGERPRINT - -

Add a new notation:

-notation - -

Enter the notation (make sure to update with the link to the post copied above):

-proof@metacode.biz=https://dev.to/USERNAME/POST_TITLE - -

Save the key:

-save - -

Upload the key to WKD or use the following command to upload the key to keys.openpgp.org (make sure to replace FINGERPRINT):

-gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT - -

And you're done! Reload your profile page, it should now show a verified dev.to account.

diff --git a/views/guides/devto.title.php b/views/guides/devto.title.php deleted file mode 100644 index 343cdff..0000000 --- a/views/guides/devto.title.php +++ /dev/null @@ -1,30 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -Adding a dev.to proof diff --git a/views/guides/discourse.content.php b/views/guides/discourse.content.php deleted file mode 100644 index bcc40c7..0000000 --- a/views/guides/discourse.content.php +++ /dev/null 
@@ -1,58 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -

Let's add a decentralized Discourse proof to your OpenPGP keys.

- -

Update the Discourse account

- -

Log in to the discourse instance website and add the following text to your About me (make sure to replace FINGERPRINT):

-This is an OpenPGP proof that connects my OpenPGP key to this Discourse account. -For details check out https://keyoxide.org/guides/openpgp-proofs -

[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]
- -

After posting, copy the link to your profile page (it should end with your /u/USERNAME).

- -

Update the PGP key

- -

First, edit the key (make sure to replace FINGERPRINT):

-gpg --edit-key FINGERPRINT - -

Add a new notation:

-notation - -

Enter the notation (make sure to replace PROFILE_URL with the link to the profile copied above):

-proof@metacode.biz=PROFILE_URL - -

Save the key:

-save - -

Upload the key to WKD or use the following command to upload the key to keys.openpgp.org (make sure to replace FINGERPRINT):

-gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT - -

And you're done! Reload your profile page, it should now show a verified Discourse account.

diff --git a/views/guides/discourse.title.php b/views/guides/discourse.title.php deleted file mode 100644 index 37a82ab..0000000 --- a/views/guides/discourse.title.php +++ /dev/null @@ -1,30 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -Adding a Discourse proof diff --git a/views/guides/dns.content.php b/views/guides/dns.content.php deleted file mode 100644 index 7eaa37e..0000000 --- a/views/guides/dns.content.php +++ /dev/null 
@@ -1,56 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -

Let's add a decentralized DNS proof to your OpenPGP keys.

- -

Update DNS records for your website

- -

Add the following TXT record to the DNS records of the (sub)domain you want to prove control over (make sure to replace FINGERPRINT):

-openpgp4fpr:FINGERPRINT - -

No specific TTL value is required.

- -

Update the PGP key

- -

First, edit the key (make sure to replace FINGERPRINT):

-gpg --edit-key FINGERPRINT - -

Add a new notation:

-notation - -

Enter the notation (make sure to replace DOMAIN, don't include https://):

-proof@metacode.biz=dns:DOMAIN?type=TXT - -

Save the key:

-save - -

Upload the key to WKD or use the following command to upload the key to keys.openpgp.org (make sure to replace FINGERPRINT):

-gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT - -

And you're done! Reload your profile page, it should now show a verified domain.

diff --git a/views/guides/dns.title.php b/views/guides/dns.title.php deleted file mode 100644 index aaad4bf..0000000 --- a/views/guides/dns.title.php +++ /dev/null @@ -1,30 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -Adding a DNS proof diff --git a/views/guides/encrypt.content.php b/views/guides/encrypt.content.php deleted file mode 100644 index 1b2a62d..0000000 --- a/views/guides/encrypt.content.php +++ /dev/null 
@@ -1,49 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -

Let's see how to encrypt a message.

- -

Obtain a public key for encryption

- -

The idea is that you use someone's public key to encrypt a message. From then on, the message cannot be decrypted and read by anyone but the person possessing the private keys associated with the public key (they'll have the same fingerprint).

- -

If you already have a public key (or its fingerprint) you would like to use to encrypt a message, great! If not, you could use the following fingerprint:

-9f0048ac0b23301e1f77e994909f6bd6f80f485d - -

Encrypt a message

- -

Open the keyoxide.org/encrypt page and paste the fingerprint in the Email / key id / fingerprint field.

-

Write a message in the Message field. Scroll down and press the ENCRYPT MESSAGE button.

-

You have successfully encrypted the message! The encrypted message in the Message field can safely be sent via unsecured communication channels knowing that only the person possessing the private key associated with that fingerprint can read it.

- -

Going further

- -

You could try using different mechanisms of fetching keys, such as web key directory or copy-pasting a plaintext public key.

- -

If you'd like to receive PGP encrypted messages, you must first learn the fundamentals of PGP and how to generate and handle your own keypair.

diff --git a/views/guides/encrypt.title.php b/views/guides/encrypt.title.php deleted file mode 100644 index 737e3d5..0000000 --- a/views/guides/encrypt.title.php +++ /dev/null @@ -1,30 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -Encrypting a message diff --git a/views/guides/feature-comparison-keybase.content.php b/views/guides/feature-comparison-keybase.content.php deleted file mode 100644 index cfd8590..0000000 --- a/views/guides/feature-comparison-keybase.content.php +++ /dev/null 
@@ -1,62 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -

Let's see how Keyoxide's features compare to those of Keybase.

- -

Encrypt and verify

- -

Both Keyoxide and Keybase allow easy encryption of data and verification of signatures. While Keybase can only perform these actions for their users who uploaded at least a public key to their servers, Keyoxide can do this for any key on the internet, whether it's available through web key directory, dedicated key servers or simply copy-pasting a plaintext key.

- -

Decrypt and sign

- -

Keyoxide cannot decrypt data or sign messages.

-

Keybase can do both of those things but this should NOT be considered a feature. It requires one to upload their private key to closed-source servers which is an act in stark contradiction with all safety precautions any owner of a private key should aim to heed.

- -

Online identity proofs

- -

Both Keyoxide and Keybase allow the user to generate proofs of online identity on various platforms. The difference lies in the method of generation and the implications this has on security.

- -

Keybase generates a signed message to be posted by the to-be-verified account. Since this involves a signature, any signing key can be used. If a signing key gets misappropriated, it becomes easy for a bad actor to create fake identity proofs.

- -

Keyoxide uses decentralized OpenPGP proofs in which the identity proofs are stored as notations within the keys themselves. This is only possible when you have access to keys with "certification" capability. As these are the most valuable of keys, they should also be handled more securely than signing keys and are therefore less prone to forgery of identity proofs.

- -

Social network and additional services

- -

Keybase provides an additional social network, chat functionality, encrypted drive, encrypted git, XLM crypto wallet and much more.

-

Keyoxide has none of that. Just keys and proofs.

- -

Openness

- -

Keyoxide is fully open-source. It consists mainly of a client component which is the browser. The supporting server functions are open-source as well.

-

Keybase has open-source clients but closed-source servers.

- -

Data safety

- -

Keyoxide lets the user's devices do almost all of the heavy lifting, meaning no data is ever sent to a server to perform any of the actions. Only exceptions to this rule are a couple of "proxy scripts" for proofs that cannot be verified by a browser. These proxy scripts are open-source as well and inspectable by all.

-

Keybase servers are closed-source. One does not know what happens inside that black box.

diff --git a/views/guides/feature-comparison-keybase.title.php b/views/guides/feature-comparison-keybase.title.php deleted file mode 100644 index 6abf001..0000000 --- a/views/guides/feature-comparison-keybase.title.php +++ /dev/null @@ -1,30 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -Feature comparison with Keybase diff --git a/views/guides/github.content.php b/views/guides/github.content.php deleted file mode 100644 index bafcfca..0000000 --- a/views/guides/github.content.php +++ /dev/null 
@@ -1,60 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -

Let's add a decentralized Github proof to your OpenPGP keys.

- -

Post a Github proof message

- -

Log in to github.com and click on New gist.

- -

Name the file openpgp.md and copy the following content into it (make sure to replace FINGERPRINT and USERNAME):

-This is an OpenPGP proof that connects [my OpenPGP key](https://keyoxide.org/FINGERPRINT) to [this Github account](https://github.com/USERNAME). -For details check out https://keyoxide.org/guides/openpgp-proofs -

[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]
- -

After creating a public gist, copy the link to the gist.

- -

Update the PGP key

- -

First, edit the key (make sure to replace FINGERPRINT):

-gpg --edit-key FINGERPRINT - -

Add a new notation:

-notation - -

Enter the notation (make sure to update with the link to the post copied above):

-proof@metacode.biz=https://gist.github.com/USERNAME/12345678912345678912345678912345 - -

Save the key:

-save - -

Upload the key to WKD or use the following command to upload the key to keys.openpgp.org (make sure to replace FINGERPRINT):

-gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT - -

And you're done! Reload your profile page, it should now show a verified Github account.

diff --git a/views/guides/github.title.php b/views/guides/github.title.php deleted file mode 100644 index b6da803..0000000 --- a/views/guides/github.title.php +++ /dev/null @@ -1,30 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -Adding a Github proof diff --git a/views/guides/hackernews.content.php b/views/guides/hackernews.content.php deleted file mode 100644 index 5cd12bd..0000000 --- a/views/guides/hackernews.content.php +++ /dev/null 
@@ -1,58 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -

Let's add a decentralized Hackernews proof to your OpenPGP keys.

- -

Update the Hackernews account

- -

Log in to Hackernews and click on your username.

- -

Add the following lines to your about (make sure to replace FINGERPRINT):

-This is an OpenPGP proof that connects my OpenPGP key to this Hackernews account. -For details check out https://keyoxide.org/guides/openpgp-proofs -

[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]
- -

Update the PGP key

- -

First, edit the key (make sure to replace FINGERPRINT):

-gpg --edit-key FINGERPRINT - -

Add a new notation:

-notation - -

Enter the notation (make sure to replace USERNAME):

-proof@metacode.biz=https://news.ycombinator.com/user?id=USERNAME - -

Save the key:

-save - -

Upload the key to WKD or use the following command to upload the key to keys.openpgp.org (make sure to replace FINGERPRINT):

-gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT - -

And you're done! Reload your profile page, it should now show a verified Hackernews account.
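Review bot: removing views/guides/hackernews.content.php takes with it the only copy of the Hackernews notation value `proof@metacode.biz=https://news.ycombinator.com/user?id=USERNAME` and the exact about-section text ending in `[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]`; confirm that a markdown guide with the same notation and the same verbatim proof text is added in this change, because the proof text is what the verifier looks for in the account and the Hackernews guide otherwise disappears from the site.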

diff --git a/views/guides/hackernews.title.php b/views/guides/hackernews.title.php deleted file mode 100644 index 7839be7..0000000 --- a/views/guides/hackernews.title.php +++ /dev/null @@ -1,30 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -Adding a Hackernews proof diff --git a/views/guides/lobsters.content.php b/views/guides/lobsters.content.php deleted file mode 100644 index 4701bd6..0000000 --- a/views/guides/lobsters.content.php +++ /dev/null 
@@ -1,56 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -

Let's add a decentralized Lobste.rs proof to your OpenPGP keys.

- -

Update the Lobste.rs account

- -

Log in to Lobste.rs and append the following text to the About section (make sure to replace FINGERPRINT):

-This is an OpenPGP proof that connects my OpenPGP key to this Lobste.rs account. -For details check out https://keyoxide.org/guides/openpgp-proofs -

[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]
- -

Update the PGP key

- -

First, edit the key (make sure to replace FINGERPRINT):

-gpg --edit-key FINGERPRINT - -

Add a new notation:

-notation - -

Enter the notation (make sure to replace USERNAME):

-proof@metacode.biz=https://lobste.rs/u/USERNAME - -

Save the key:

-save - -

Upload the key to WKD or use the following command to upload the key to keys.openpgp.org (make sure to replace FINGERPRINT):

-gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT - -

And you're done! Reload your profile page, it should now show a verified Lobste.rs account.

diff --git a/views/guides/lobsters.title.php b/views/guides/lobsters.title.php deleted file mode 100644 index 5eef758..0000000 --- a/views/guides/lobsters.title.php +++ /dev/null @@ -1,30 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -Adding a Lobste.rs proof diff --git a/views/guides/managing-proofs-deleting.content.php b/views/guides/managing-proofs-deleting.content.php deleted file mode 100644 index f397895..0000000 --- a/views/guides/managing-proofs-deleting.content.php +++ /dev/null 
@@ -1,63 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -

Over time, you may need to delete proofs. Changing proofs can be achieved by deleting proofs and adding new ones.

- -

Delete all proofs

- -

First, edit the key (make sure to replace FINGERPRINT):

-gpg --edit-key FINGERPRINT - -

Launch the notation prompt:

-notation - -

Enter the 'none' notation to delete all notations:

-none - -

Save the changes:

-save - -

Delete one of your proofs

- -

First, edit the key (make sure to replace FINGERPRINT):

-gpg --edit-key FINGERPRINT - -

Launch the notation prompt:

-notation - -

Enter the - (minus) symbol followed by the proof you want to delete. Make sure you type the proof exactly like it is in your key.

--proof@metacode.biz=dns:yourdomain.org?type=TXT - -

To make it easier to enter the right proof, you could first list all proofs and simply copy the proof (including "proof@metacode.biz=") you want to delete.

- -

Save the changes:

-save - -

Upload the key to WKD or use the following command to upload the key to keys.openpgp.org (make sure to replace FINGERPRINT):

-gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT diff --git a/views/guides/managing-proofs-deleting.title.php b/views/guides/managing-proofs-deleting.title.php deleted file mode 100644 index 19040a5..0000000 --- a/views/guides/managing-proofs-deleting.title.php +++ /dev/null @@ -1,30 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -Deleting Proofs using GnuPG diff --git a/views/guides/managing-proofs-listing.content.php b/views/guides/managing-proofs-listing.content.php deleted file mode 100644 index 1e5682e..0000000 --- a/views/guides/managing-proofs-listing.content.php +++ /dev/null 
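Review bot: in the deleted "Delete all proofs" section the `none` notation, as the text itself says, deletes all notations on the key, not only the `proof@metacode.biz=` ones, which is broader than the heading promises; and unlike the "Delete one of your proofs" section it stops at `save` with no `--send-keys` upload, so the removed proofs stay published on keys.openpgp.org or WKD until the key is re-uploaded. Whatever replaces this guide should state both points explicitly and end the "Delete all proofs" flow with the same upload step.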
@@ -1,52 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -

Let's list the identity proofs stored in our OpenPGP keys.

- -

Listing notations in GnuPG

- -

First, edit the key (make sure to replace FINGERPRINT):

-gpg --edit-key FINGERPRINT - -

List detailed preferences:

-showpref - -

You should now see your key details, uid, and proofs assigned to your keys:

- -[ultimate] (1). Your Name - Cipher: AES256, AES192, AES, 3DES - Digest: SHA512, SHA384, SHA256, SHA1 - Compression: ZLIB, BZIP2, ZIP, Uncompressed - Features: MDC, Keyserver no-modify - Notations: proof@metacode.biz=https://gist.github.com/youruser/somehash - proof@metacode.biz=dns:yourdomain.org?type=TXT - - -

Exit gpg:

-quit diff --git a/views/guides/managing-proofs-listing.title.php b/views/guides/managing-proofs-listing.title.php deleted file mode 100644 index a819fe3..0000000 --- a/views/guides/managing-proofs-listing.title.php +++ /dev/null @@ -1,30 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -Listing Proofs using GnuPG diff --git a/views/guides/mastodon.content.php b/views/guides/mastodon.content.php deleted file mode 100644 index 0b10611..0000000 --- a/views/guides/mastodon.content.php +++ /dev/null 
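Review bot: the sample `showpref` output in the deleted listing guide advertises `SHA1` among the digest preferences and `3DES` among the ciphers; if the example is carried into the replacement, regenerate it from a current key rather than copying it, so readers are not shown a preference set that still lists SHA1 as acceptable, and keep the two `Notations: proof@metacode.biz=...` lines since those are the part the guide is about.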
@@ -1,54 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -

Let's add a decentralized Mastodon proof to your OpenPGP keys.

- -

Update the Mastodon account

- -

Log in to your Mastodon instance and click on Edit profile.

-

Add a new item under Profile metadata with the label OpenPGP and your PGP fingerprint as the content.

- -

Update the PGP key

- -

First, edit the key (make sure to replace FINGERPRINT):

-gpg --edit-key FINGERPRINT - -

Add a new notation:

-notation - -

Enter the notation (make sure to update the link):

-proof@metacode.biz=https://INSTANCE.ORG/@USERNAME - -

Save the key:

-save - -

Upload the key to WKD or use the following command to upload the key to keys.openpgp.org (make sure to replace FINGERPRINT):

-gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT - -

And you're done! Reload your profile page, it should now show a verified Mastodon account.
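Review bot: the Mastodon guide differs from the other platform guides in two ways the replacement must preserve: the proof is a Profile metadata item labelled `OpenPGP` whose content is the bare fingerprint (there is no `openpgp4fpr:` message to post), and the notation is `https://INSTANCE.ORG/@USERNAME`, not the `/users/USERNAME` form the Pixelfed and Pleroma guides require. A template copied from one of the message-based guides would describe the wrong format for Mastodon.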

diff --git a/views/guides/mastodon.title.php b/views/guides/mastodon.title.php deleted file mode 100644 index 8d6e727..0000000 --- a/views/guides/mastodon.title.php +++ /dev/null @@ -1,30 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -Adding a Mastodon proof diff --git a/views/guides/migrating-from-keybase.content.php b/views/guides/migrating-from-keybase.content.php deleted file mode 100644 index 3ea3763..0000000 --- a/views/guides/migrating-from-keybase.content.php +++ /dev/null 
@@ -1,50 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -

Let's see how easy it is to get a Keyoxide profile when you already have a Keybase account.

- -

Claim your Keyoxide profile

- -

Go to the profile URL generator, set Keybase as Source and follow the Keybase specific instructions. Has a profile URL been generated? Congratulations, you now have your very own Keyoxide profile!

- -

Actually migrating to Keyoxide

- -

Unfortunately, you get very little control when using your Keybase key directly. You will need to generate your own PGP keypair (use guides like this one for help) to unlock the full potential of distributed identity proofs.

- -

Have you generated a keypair and made the public key accessible through web key directory (WKD) or uploaded it to keys.openpgp.org? Use the profile URL generator to get your own profile URL and start adding identity proofs.

- -

Keyoxide as a partial replacement for Keybase

- -

It's important to moderate expectations and state that Keyoxide only replaces the subset of Keybase features that are considered the "core" features: message encryption, signature verification and identity proofs.

- -

Message decryption and signing are not supported features: they would require you to upload your secret key to a website which is a big no-no.

- -

Encrypted chat and cloud storage are not supported features: there are plenty of dedicated alternative services.

- -

If you need any of these Keybase-specific supports, Keyoxide may not be a full Keybase replacement for you but you could still generate a profile and take advantage of distributed identity proofs.
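Review bot: "use guides like this one for help" in the deleted text points at an external key-generation guide whose target is not visible in this rendering; make sure the replacement carries a working link rather than the bare phrase. The reason given for not supporting decryption and signing, that they would require uploading the secret key to a website, is the one security statement in this guide and is worth keeping verbatim.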

diff --git a/views/guides/migrating-from-keybase.title.php b/views/guides/migrating-from-keybase.title.php deleted file mode 100644 index cccab0f..0000000 --- a/views/guides/migrating-from-keybase.title.php +++ /dev/null @@ -1,30 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -Migrating from Keybase diff --git a/views/guides/openpgp-proofs.content.php b/views/guides/openpgp-proofs.content.php deleted file mode 100644 index 932f5cc..0000000 --- a/views/guides/openpgp-proofs.content.php +++ /dev/null 
@@ -1,63 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -

Decentralized OpenPGP identity proofs

- -

Decentralized OpenPGP identity proofs are the brainchild of Wiktor who wrote the original guide on his website (a suggested read to get first-hand information).

- -

Unlike proofs provided by for example Keybase, OpenPGP proofs are stored inside the PGP keys themselves instead of being mere signatures. Since this operation requires keys with "certify" capabilities and not simply "sign" capabilities, these OpenPGP proofs could be considered more secure.

- -

Example

- -
    -
  • Alice and Bob have been talking for years on service A. Alice already has an account on service B. Bob wants to move to service B as well. A simple decentralized proof confirms that the person who is known as Alice on service A is also known as Alice on service B. Bob can safely move to service B and talk to Alice without having to meet in person to confirm their accounts.
  • -
  • Alice has received a friend request from Bob29 on service C. Is this the same Bob from service A or not? A simple decentralized proof confirms that the person who is known as Bob on platform A is also known as Bob29 on service C. Turns out 28 Bobs were already using service C.
  • -
  • Bob has been invited by an account named Alyce to create an account on an unknown server. Is this a legit request? A simple decentralized proof tells Bob that Alice does not have such an account. Bob knows something is up and does not click the link possibly sent by an imposter.
  • -
- -

What an OpenPGP proof looks like

- -

Every OpenPGP identity proof is stored in the PGP key as a notation that looks like this:

-proof@metacode.biz=https://twitter.com/USERNAME/status/1234567891234567891 - -

This particular proof is for a Twitter account (read more in the Twitter guide). Let's analyse the notation:

- -
    -
  • proof means the current notation is for an identity proof.
  • -
  • @metacode.biz is the domain of the person who came up with OpenPGP proofs and serves as a namespace for the notation. The domain is included and used for all proofs to comply with the OpenPGP Message Format standard (RFC 4880).
  • -
  • https://twitter.com/USERNAME/status/1234567891234567891 is the value of the notation. It is a link to the piece of online content that contains a pre-defined message which must always include the fingerprint of the PGP key that will hold the proof.
  • -
- -

The proof should always link to a document that can be parsed as JSON to make the verification easy and feasible by the browser. Sometimes however, due to CORS restrictions or API requirements (as is the case for Twitter), no such link is provided by the platform. In these rare exceptional cases, the verification process is delegated to the Keyoxide server which will communicate directly with the platform's servers to get the content of the post.

- -

Your turn

- -

If you'd like to add decentralized OpenPGP identity proofs to your key, go to the guides and find the right one for your platform of choice. You may find the process to be remarkably easy.

- -

If your platform is not in the list of guides, it's not supported yet. See the contributing guide for more information on how to get that platform supported.
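Review bot: the paragraph on platforms with CORS or API restrictions says verification is "delegated to the Keyoxide server"; the replacement explainer should spell out the trust consequence, namely that for those proofs (Twitter is the example given) the reader relies on the server's fetch of the post instead of checking the content in their own browser. The claim that proofs "could be considered more secure" because they require certify rather than sign capability would also read better with the reason stated instead of left to the reader.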

diff --git a/views/guides/openpgp-proofs.title.php b/views/guides/openpgp-proofs.title.php deleted file mode 100644 index 33c49d6..0000000 --- a/views/guides/openpgp-proofs.title.php +++ /dev/null @@ -1,30 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -How OpenPGP identity proofs work diff --git a/views/guides/pixelfed.content.php b/views/guides/pixelfed.content.php deleted file mode 100644 index cce1f78..0000000 --- a/views/guides/pixelfed.content.php +++ /dev/null 
@@ -1,58 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -

Let's add a decentralized Pixelfed proof to your OpenPGP keys.

- -

Update the Pixelfed account

- -

Log in to your Pixelfed instance and add the following lines to your Bio (make sure to replace FINGERPRINT):

-This is an OpenPGP proof that connects my OpenPGP key to this Pixelfed account. -For details check out https://keyoxide.org/guides/openpgp-proofs -

[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]
- -

Update the PGP key

- -

First, edit the key (make sure to replace FINGERPRINT):

-gpg --edit-key FINGERPRINT - -

Add a new notation:

-notation - -

Enter the notation (make sure to update the link):

-proof@metacode.biz=https://INSTANCE.ORG/users/USERNAME - -

Please note that the /users/ part of the URL is mandatory for the proof to work.

- -

Save the key:

-save - -

Upload the key to WKD or use the following command to upload the key to keys.openpgp.org (make sure to replace FINGERPRINT):

-gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT - -

And you're done! Reload your profile page, it should now show a verified Fediverse account (Pixelfed is part of the Fediverse).
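Review bot: "the /users/ part of the URL is mandatory for the proof to work" is the one non-obvious detail in this guide (the Pleroma guide repeats it; the Mastodon guide uses `/@USERNAME` instead), so the replacement should keep that warning directly under the `proof@metacode.biz=https://INSTANCE.ORG/users/USERNAME` line rather than dropping it, otherwise a reader who follows the Mastodon form for a Pixelfed account ends up with a notation the guide says will not verify.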

diff --git a/views/guides/pixelfed.title.php b/views/guides/pixelfed.title.php deleted file mode 100644 index 5f9c5a8..0000000 --- a/views/guides/pixelfed.title.php +++ /dev/null @@ -1,30 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -Adding a Pixelfed proof diff --git a/views/guides/pleroma.content.php b/views/guides/pleroma.content.php deleted file mode 100644 index 86a0e02..0000000 --- a/views/guides/pleroma.content.php +++ /dev/null 
@@ -1,58 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -

Let's add a decentralized Pleroma proof to your OpenPGP keys.

- -

Update the Pleroma account

- -

Log in to your Pleroma instance and add the following lines to your Bio (make sure to replace FINGERPRINT):

-This is an OpenPGP proof that connects my OpenPGP key to this Pleroma account. -For details check out https://keyoxide.org/guides/openpgp-proofs -

[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]
- -

Update the PGP key

- -

First, edit the key (make sure to replace FINGERPRINT):

-gpg --edit-key FINGERPRINT - -

Add a new notation:

-notation - -

Enter the notation (make sure to update the link):

-proof@metacode.biz=https://INSTANCE.ORG/users/USERNAME - -

Please note that the /users/ part of the URL is mandatory for the proof to work.

- -

Save the key:

-save - -

Upload the key to WKD or use the following command to upload the key to keys.openpgp.org (make sure to replace FINGERPRINT):

-gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT - -

And you're done! Reload your profile page, it should now show a verified Fediverse account (Pleroma is part of the Fediverse).

diff --git a/views/guides/pleroma.title.php b/views/guides/pleroma.title.php deleted file mode 100644 index e43bcfe..0000000 --- a/views/guides/pleroma.title.php +++ /dev/null @@ -1,30 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -Adding a Pleroma proof diff --git a/views/guides/proofs.content.php b/views/guides/proofs.content.php deleted file mode 100644 index 9ae7faf..0000000 --- a/views/guides/proofs.content.php +++ /dev/null 
@@ -1,50 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -

Let's see how to verify identity proofs.

- -

Obtain a public key for verification

- -

The idea is that anyone can add identity proofs of various platforms in their keys. Since this information is kept in the public key, you could take anyone's public key and check whether they indeed have control over the accounts they claim to.

- -

If you already have a public key (or its fingerprint) with OpenPGP identity proofs you would like to use to verify, great! If not, you could use the following fingerprint:

-9f0048ac0b23301e1f77e994909f6bd6f80f485d - -

Verify proofs

- -

Open the keyoxide.org/proofs page and paste the fingerprint in the Email / key id / fingerprint field. Scroll down and press the VERIFY PROOFS button.

-

You now see a list of domains and/or accounts on platforms for which the owner of the public key claims to have an control over.

-

If the last link on a line says proof, the proof could not be verified for any number of reasons but Keyoxide still allows to check the supposed proof and decide for yourself whether you trust the claim. If the

-

If the last link on a line says verified, the owner of the public key indeed has shown beyond doubt that it has control over the domain or account.

- -

Your turn

- -

If you'd like to add decentralized OpenPGP identity proofs to your key, go to the guides and find the right one for your platform of choice. You may find the process to be remarkably easy.

- -

If your platform is not in the list of guides, it's not supported yet. See the contributing guide for more information on how to get that platform supported.
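Review bot: the deleted verification guide contained a truncated sentence ("...decide for yourself whether you trust the claim. If the") and a grammar slip ("have an control over"); check that neither is copied into the replacement. The description of the "proof" versus "verified" link states should also say plainly that an unverified proof gives no assurance of account control, since the text invites readers to inspect such proofs and judge for themselves.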

diff --git a/views/guides/proofs.title.php b/views/guides/proofs.title.php deleted file mode 100644 index 24f9eee..0000000 --- a/views/guides/proofs.title.php +++ /dev/null @@ -1,30 +0,0 @@ -. -// -// Also add information on how to contact you by electronic and paper mail. -// -// If your software can interact with users remotely through a computer network, -// you should also make sure that it provides a way for users to get its source. -// For example, if your program is a web application, its interface could display -// a "Source" link that leads users to an archive of the code. There are many -// ways you could offer source, and different solutions will be better for different -// programs; see section 13 for the specific requirements. -// -// You should also get your employer (if you work as a programmer) or school, -// if any, to sign a "copyright disclaimer" for the program, if necessary. For -// more information on this, and how to apply and follow the GNU AGPL, see . -?> -Verifying identity proofs diff --git a/views/guides/reddit.content.php b/views/guides/reddit.content.php deleted file mode 100644 index 241e9db..0000000 --- a/views/guides/reddit.content.php +++ /dev/null 
@@ -1,58 +0,0 @@

Let's add a decentralized Reddit proof to your OpenPGP keys.


Post a Reddit proof message


Log in to www.reddit.com and create a new post with the following text (make sure to replace FINGERPRINT):

-This is an OpenPGP proof that connects my OpenPGP key to this Reddit account. -For details check out https://keyoxide.org/guides/openpgp-proofs -

[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]

After posting, copy the link to the post.


Update the PGP key


First, edit the key (make sure to replace FINGERPRINT):

-gpg --edit-key FINGERPRINT - -

Add a new notation:

-notation - -

Enter the notation (make sure to update with the link to the post copied above):

-proof@metacode.biz=https://www.reddit.com/user/USERNAME/comments/123123/TITLE/ - -

Save the key:

-save - -

Upload the key to WKD or use the following command to upload the key to keys.openpgp.org (make sure to replace FINGERPRINT):

-gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT - -

And you're done! Reload your profile page, it should now show a verified Reddit account.
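Review bot: the upload step ("gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT") is missing a caveat that will cost readers time: the proof@metacode.biz notation lives in the user ID self-signature, and keys.openpgp.org only distributes user IDs whose email address has been confirmed, so until the owner clicks the verification mail for that uid the server hands out the key without the notation and the Reddit claim never appears on the profile. Add the confirmation step (or point to WKD, which the same sentence already offers as the alternative), and add a local check before uploading, e.g. `gpg --list-options show-notations -k FINGERPRINT`, so the reader can see the notation was actually written by `save`. The notation example "https://www.reddit.com/user/USERNAME/comments/123123/TITLE/" should also say the post has to stay publicly readable, since a deleted or private post silently turns a verified claim into an unverified one.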

diff --git a/views/guides/reddit.title.php b/views/guides/reddit.title.php deleted file mode 100644 index 8905a41..0000000 --- a/views/guides/reddit.title.php +++ /dev/null @@ -1,30 +0,0 @@
-Adding a Reddit proof
diff --git a/views/guides/self-hosting-keyoxide.content.php b/views/guides/self-hosting-keyoxide.content.php deleted file mode 100644 index c648667..0000000 --- a/views/guides/self-hosting-keyoxide.content.php +++ /dev/null
@@ -1,34 +0,0 @@

Though it's not a fully supported use case yet, anyone can take the source code and put it on their own server. The idea is that Keyoxide.org is not special in itself. After all, all the heavy lifting is done by the browser. So the role of any individual Keyoxide server is to get the tool in the hands of the end user.


The few supporting roles the server has can easily be performed by any other (PHP) server.


So if you like the project but perhaps are mistrusting of servers of others, especially when it comes to keypairs, here's the source code and put it on your own server. Thanks for using the project!
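Review bot: "any other (PHP) server" in the "few supporting roles" paragraph is contradicted by this very commit, which deletes the PHP view files; the replacement self-hosting guide should name the runtime the server actually needs rather than PHP. The guide also never says what the "supporting roles" are, which is precisely what a self-hoster needs in order to judge the mistrust argument in the last paragraph: if any proof type is fetched by the server rather than by the browser, the operator of that server learns which profiles are being looked up, and the guide should state which (if any) lookups leave the browser.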

diff --git a/views/guides/self-hosting-keyoxide.title.php b/views/guides/self-hosting-keyoxide.title.php deleted file mode 100644 index 7a68760..0000000 --- a/views/guides/self-hosting-keyoxide.title.php +++ /dev/null @@ -1,30 +0,0 @@
-Self-hosting Keyoxide
diff --git a/views/guides/service-provider.content.php b/views/guides/service-provider.content.php deleted file mode 100644 index 4cb2adf..0000000 --- a/views/guides/service-provider.content.php +++ /dev/null
@@ -1,42 +0,0 @@

If you have:

  • a website that allows users to create accounts
  • a messaging platform
  • any other type of service that may require users to prove their online identity

Then you may be interested in supporting decentralized identity proofs as they allow your users to securely prove their identity across services. Take a look at this [example](guides/service-provider) to find out how two persons can gain more confidence in knowing they are talking to and interacting with the right person in an online world where impersonating is all too easy.


The internet could be a slightly safer place if your service allowed your users to prove their identity. All the service needs to do is make a JSON file available with basic details about the user and set the correct CORS headers.


The documentation on what is precisely required is provided by the original creator of decentralized OpenPGP identity proofs.
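Review bot: "Take a look at this [example](guides/service-provider)" links the service-provider guide to itself; it should point at the guide that actually walks two people through verifying each other (the openpgp-proofs guide the proof messages elsewhere in this diff link to), and "The documentation on what is precisely required is provided by the original creator" should carry the URL of that documentation rather than leave the reader to search for it. On the requirement itself, "set the correct CORS headers" should name the header, Access-Control-Allow-Origin (a wildcard is acceptable for a public profile JSON), because the verification runs in the browser and without that header the response cannot be read at all, so the provider's JSON endpoint looks broken even though curl shows it working.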

diff --git a/views/guides/service-provider.title.php b/views/guides/service-provider.title.php deleted file mode 100644 index f6dd961..0000000 --- a/views/guides/service-provider.title.php +++ /dev/null @@ -1,30 +0,0 @@
-Are you a service provider?
diff --git a/views/guides/twitter.content.php b/views/guides/twitter.content.php deleted file mode 100644 index 85ab198..0000000 --- a/views/guides/twitter.content.php +++ /dev/null
@@ -1,58 +0,0 @@

Let's add a decentralized Twitter proof to your OpenPGP keys.


Post a Twitter proof message


Log in to twitter.com and compose a new tweet with the following text (make sure to replace FINGERPRINT):

-This is an OpenPGP proof that connects my OpenPGP key to this Twitter account. -For details check out https://keyoxide.org/guides/openpgp-proofs -

[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]

After posting, copy the link to the tweet.


Update the PGP key


First, edit the key (make sure to replace FINGERPRINT):

-gpg --edit-key FINGERPRINT - -

Add a new notation:

-notation - -

Enter the notation (make sure to update with the link to the tweet copied above):

-proof@metacode.biz=https://twitter.com/USERNAME/status/1234567891234567891 - -

Save the key:

-save - -

Upload the key to WKD or use the following command to upload the key to keys.openpgp.org (make sure to replace FINGERPRINT):

-gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT - -

And you're done! Reload your profile page, it should now show a verified Twitter account.
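Review bot: this guide is the Reddit guide with the service name swapped, and the "Update the PGP key" section is copied verbatim, including the same gaps: the tweet behind "https://twitter.com/USERNAME/status/1234567891234567891" must stay public (a protected account's posts cannot be fetched, so the claim degrades to unverified), and the keys.openpgp.org upload only publishes the notation once the user ID is confirmed there. Rather than maintaining one copy of that section per service, move it into the shared openpgp-proofs guide that the proof message already links to and keep only the service-specific part here: the text to post, how to get the link, and the notation to enter.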

diff --git a/views/guides/twitter.title.php b/views/guides/twitter.title.php deleted file mode 100644 index 7dec5fa..0000000 --- a/views/guides/twitter.title.php +++ /dev/null @@ -1,30 +0,0 @@
-Adding a Twitter proof
diff --git a/views/guides/verify.content.php b/views/guides/verify.content.php deleted file mode 100644 index 9b67a1f..0000000 --- a/views/guides/verify.content.php +++ /dev/null
@@ -1,81 +0,0 @@

Let's see how to verify an OpenPGP signature.


Obtain a signature


If you already have a signature you would like to verify, great! If not, let's use the following signature for the guide:

------BEGIN PGP SIGNED MESSAGE----- -
Hash: SHA256 -
-
I like pineapple. -
-----BEGIN PGP SIGNATURE----- -
-
iQJDBAEBCAAtFiEEog/Pt4tEmnyVrrtlNzZ/SvQIetEFAl70mVUPHHlhcm1vQHlh -cm1vLmV1AAoJEDc2f0r0CHrRQXIP/08uza9zOtmZXv5K+uPGVzDKwkgPgZJEezX7 -6iQ358f1pjSRvYfQ5aB13k2epUHoqCKArMYu1zPqxhvLvvAvp8uOHABnr9NGL3El -u7UUgaeUNHkr0gxCKEq3p81abrrbbWveP8OBP4RyxmaFx13Xcj7mfDluiBHmjVvv -WU09EdH9VPlJ7WfZ+2G2ZZDHuE5XiaeP7ocugTxXXLkp33zwpDX0+ZuCIXM6fQGe -OccSffglFPdNBnfasuuxDWxTQPsEbWGOPJV+CAPmBDeApX+TBF9bovO3hw4Uozk2 -VT7EAy8Hb0SOrUb3UNGxzoKv++5676IxyB4JXX0Tr9O4ZxhO8o9pEEHwirtn/J1+ -MWven4gVlWM/6bMeUqx6ydyNc2nqF5059yfRmwGMlp09x82G4x1bcf6aDZ+5njDG -fS5T2OpXRIkZHJx8BhmZjsxiDR0KV44zwHpt06+96ef3EDWB0BcP6M+a5Rtc33zf -irRmQd2M6RLyXCYtdGIiiAFRuomw802U4F0P4LwVrZdbGA6ObqBv1k8BUFCMbMz8 -Ab4hF7kO4z0Vh3JaKzcHey0pOzdNCPpAHZ51sAoAnFDM4PdMBgQxxVweCMu4KYMZ -FN8sNn42oY/b7gDmwCelVhgD+rvUn/a8+B7CDmCp+wIquyrjrTt00voATcb+ZPMJ -
pTXJ/NcM -
=rqTX -
-----END PGP SIGNATURE----- -

Copy the above signature.


Verify the signature


Open the keyoxide.org/verify page and paste the signature in the corresponding field. Scroll down and press the VERIFY SIGNATURE button.


Keyoxide lets you know the signature was verified and signed by a certain person.


Verify the signature against a specific public key


Sometimes, you want to know if a specific person or public key was used to create a signature. In this case, let's figure out if the message was signed by Yarmo's public key or his friend Wiktor's public key.


Copy the following fingerprint:

-653909A2F0E37C106F5FAF546C8857E0D8E8F074 -

Paste it in the Email / key id / fingerprint field under Public Key (3: HKP server) and press the big button again. It could not be verified. Guess it wasn't Wiktor who signed that message.


Now, copy the following fingerprint:

-9f0048ac0b23301e1f77e994909f6bd6f80f485d -

Paste it in the same field and press the big button again. It did verify! It was Yarmo all along.


Going further


You could try using different mechanisms of fetching keys, such as web key directory or copy-pasting a plaintext public key.


If you'd like to sign messages using PGP, you must first learn the fundamentals of PGP and how to generate and handle your own keypair.
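Review bot: the example cleartext-signed message is the one part of this guide that has to survive the migration byte for byte, and the diff shows it damaged already ("------BEGIN PGP SIGNED MESSAGE-----" with six dashes, armor lines broken by stray "-" markers); in the markdown version put the whole block in a fenced code block and keep the empty line after "Hash: SHA256", because a cleartext signature whose header is not followed by a blank line, or whose base64 lines have been re-wrapped, does not verify and the reader will conclude the tool is broken rather than the copy. Two smaller points in the same section: the two fingerprints "653909A2F0E37C106F5FAF546C8857E0D8E8F074" and "9f0048ac0b23301e1f77e994909f6bd6f80f485d" use different letter case, so normalise them to the uppercase form gpg prints; and the issuer-fingerprint subpacket in the signature packet (first armored line, the 20 bytes after the 16 21 04 subpacket header) decodes to A20FCFB78B449A7C95AEBB6537367F4AF4087AD1, not to the 9F00... key the guide says did verify, while the signer's-user-ID subpacket that follows it reads yarmo@yarmo.eu. That is what one expects when a signing subkey is used, but a reader comparing fingerprints by eye will think the guide contradicts itself, so say that signatures are made by a subkey and the primary fingerprint is what you look up.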

diff --git a/views/guides/verify.title.php b/views/guides/verify.title.php deleted file mode 100644 index 0f14f40..0000000 --- a/views/guides/verify.title.php +++ /dev/null @@ -1,30 +0,0 @@
-Verifying a signature
diff --git a/views/guides/web-key-directory.content.php b/views/guides/web-key-directory.content.php deleted file mode 100644 index 16b18ef..0000000 --- a/views/guides/web-key-directory.content.php +++ /dev/null
@@ -1,64 +0,0 @@

Web key directory


Web key directory or WKD refers to the method of uploading one's public key to their website in a specific location to make it easily accessible by other services supporting WKD. The key will be discoverable using an identifier similar to an email address: username@domain.org.


The benefit of WKD is having full control over the key while still having it widely available. It does however require a domain and some form of file hosting. Luckily, openpgp.org have made a WKD-as-a-service. Read more at the end of the guide.


It exists in two variants: the Direct setup and the Advanced setup. Despite their names, both require roughly the same steps.


The Direct setup


To make your keys available via WKD using the Direct setup, you'll need two paths on your server:


https://domain.org/.well-known/openpgpkey/policy: this is an empty file


https://domain.org/.well-known/openpgpkey/hu/LOCALPART: this is the binary public key (so NOT ASCII armored)


The LOCALPART above is actually the username hashed using the SHA-1 algorithm and encoded using the Z-Base-32 method. As it's not humanly possible to compute this by ourselves, Keyoxide provides a small utility to do this for you.


So if you wish to make your key available as jimothy@dm.com, according to the small utility, the URL would become:

-https://dm.com/.well-known/openpgpkey/hu/n9utc41qty791upt63rm5xtiudabmw6m - -

The Advanced setup


While not necessary if the Direct setup works, there is a second setup to make WKD work: the Advanced setup. The paths needed are:


https://openpgpkey.domain.org/.well-known/openpgpkey/domain.org/policy: this is an empty file


https://openpgpkey.domain.org/.well-known/openpgpkey/domain.org/hu/LOCALPART: this is the binary public key (so NOT ASCII armored)


Indeed, quite similar to the Direct setup, except for the openpgpkey subdomain and the additional domain.org in the path of the public key.


The public key for jimothy@dm.com would be available at:

-https://openpgpkey.dm.com/.well-known/openpgpkey/hu/dm.com/n9utc41qty791upt63rm5xtiudabmw6m - -

WKD-as-a-service


In case hosting is problem, Openpgp.org has a handy WKD-as-a-service.
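Review bot: the Advanced-setup example "https://openpgpkey.dm.com/.well-known/openpgpkey/hu/dm.com/n9utc41qty791upt63rm5xtiudabmw6m" has its path components in the wrong order and contradicts the template given two paragraphs earlier (".../.well-known/openpgpkey/domain.org/hu/LOCALPART"): the domain directory comes before "hu", so the URL must be https://openpgpkey.dm.com/.well-known/openpgpkey/dm.com/hu/n9utc41qty791upt63rm5xtiudabmw6m, and anyone who copied the deleted text published a key no WKD client will find; fix it in the markdown version this commit introduces. Two things that belong in the same guide: the reader can compute LOCALPART locally with `gpg-wks-client --print-wkd-hash jimothy@dm.com` (and `--print-wkd-url` for the full URL) instead of handing the address to a web utility, and because the lookup is done by the browser (the self-hosting guide's "heavy lifting is done by the browser"), the policy and key files need an Access-Control-Allow-Origin header just like the service-provider JSON, otherwise the key resolves fine in gpg but the WKD fetch fails in Keyoxide.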

diff --git a/views/guides/web-key-directory.title.php b/views/guides/web-key-directory.title.php deleted file mode 100644 index b83b792..0000000 --- a/views/guides/web-key-directory.title.php +++ /dev/null @@ -1,30 +0,0 @@
-Uploading keys using web key directory
diff --git a/views/guides/xmpp.content.php b/views/guides/xmpp.content.php deleted file mode 100644 index a32a397..0000000 --- a/views/guides/xmpp.content.php +++ /dev/null
@@ -1,72 +0,0 @@

Let's add a decentralized XMPP proof to your OpenPGP keys.


Add a message to your XMPP vCard


Using a XMPP client that supports editing the vCard (such as Dino and Gajim), append the following message to the About section (make sure to replace FINGERPRINT):

-This is an OpenPGP proof that connects my OpenPGP key to this XMPP account. -For details check out https://keyoxide.org/guides/openpgp-proofs -

[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]

Update the PGP key (basic edition)


First, edit the key (make sure to replace FINGERPRINT):

-gpg --edit-key FINGERPRINT - -

Add a new notation:

-notation - -

Enter the notation (make sure to replace XMPP-ID):

-proof@metacode.biz=xmpp:XMPP-ID - -

The XMPP-ID looks something like an email address: user@domain.org.


Save the key:

-save - -

Upload the key to WKD or use the following command to upload the key to keys.openpgp.org (make sure to replace FINGERPRINT):

-gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT - -

And you're done! Reload your profile page, it should now show a XMPP account.


Update the PGP key (OMEMO edition)


XMPP communication can be end-to-end encrypted with OMEMO. Verifying OMEMO fingerprints is essential to trust your communication and keep it safe from Man-in-the-Middle attacks.


Keyoxide makes the fingerprint verification process easy for all. Add a special identity proof that not only contains your XMPP-ID but also the fingerprints of all your OMEMO keys.


If your XMPP identity proof is verified, a QR code is shown. Anyone can scan this QR code using XMPP apps like Conversations (free on F-Droid) to not only add you as a contact, but also verify your OMEMO keys with the highest level of trust.


Making this identity proof yourself can be a tad difficult when using clients like Gajim, but luckily for us, Conversations can directly generate the proof by going to Account details > Share > Share as XMPP URI. The resulting URI should look something like:

- -xmpp:user@domain.org?omemo-sid-123456789=A1B2C3D4E5F6G7H8I9... - -

To take advantage of the easy and secure XMPP identity proof including OMEMO fingerprints, follow the basic edition guide above but replace XMPP-ID with the URI obtained through the Conversations app.
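Review bot: the example OMEMO URI "xmpp:user@domain.org?omemo-sid-123456789=A1B2C3D4E5F6G7H8I9..." puts "G7H8I9" inside the fingerprint value, which cannot occur: an OMEMO fingerprint is the hex encoding of the device's public key, so the placeholder should be hex digits only, or an obvious token such as FINGERPRINT as the rest of the guide uses, so that nobody tries to match it against what Conversations shows. Separately, the basic edition's closing line says the profile "should now show a XMPP account" where every other guide in this diff says "verified"; if the XMPP proof is merely displayed and not verified, say so outright, and if it is verified, align the wording to "a verified XMPP account".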

diff --git a/views/guides/xmpp.title.php b/views/guides/xmpp.title.php deleted file mode 100644 index f27dbf7..0000000 --- a/views/guides/xmpp.title.php +++ /dev/null @@ -1,30 +0,0 @@
-Adding a XMPP proof