Follow

It's finally here, teasing is over:

I'm excited to launch today!

yarmo.eu/post/keyoxide

solution for easy encryption, signature verification and decentralized identity proofs!

I've been in favor of but I never had something to offer as an alternative. Now I do :)

@freddyym OPSV was the precursor. I wanted to make that to get acquainted with the tech, assuming it would take long for me to build that could even come close to offering a foss alternative to keybase. Little did I know, I went a lot smoother than that! Many thanks to @wiktor !

@yarmo Great work! Looks awesome too without taking 15 minutes to load like most webpages today 👌

@nicolapcweek94 that is actually the topic of my next blog post! Loading time is great :) need to do more worldwide measurements, but I got 0.3 seconds for full load!

@yarmo ah, looking forward to reading that then! I'll sit here setting up my 🔑 in the meantime

@nicolapcweek94 if you need any help, let me know! I personally found the process of adding decentralized identity proofs surprisingly easy :)

@yarmo The process seems easy enough, but the website seems to not like my key very much :(
keyoxide.org/147CFCC6F33328835

says "Error: No public keys could be fetched from the HKP server.", but keys.openpgp.org/search?q=147C correctly lists my (newly uploaded) key... maybe it needs a bit of time to sync on the backend?

@nicolapcweek94 have you just uploaded it for the first time? You might have received an email where you need to confirm the upload.

If not, let's figure this out

@yarmo I have, and I'm apparently not checking my email often enough! Just had to approve the publication of the key... wooops

back to adding proofs I go, thanks!

@yarmo
What a coincidence, I was last night reading about gnupg and how to log with your site using your private key.
I am still not able to do it.
And you now came with this related :)

@ggarron you mean indieauth? I could help you with that :)

@yarmo yes. That is what I mean.

I never payed attention to signed messages

I just know there is a private and a public key. But did not find a good place to read about the whole thing.

I need to learn a lot.

Any help is always appreciated. Thanks.

@yarmo I have wanted to do a similar thing and this is lovely

@ketmorco thanks, that means a lot! Well, it's open source, if you have ideas, I would love to hear them!

@yarmo Honestly, I applaud the attempt, but sadly it's not enough. PGP key model IMO is fundamentally broken and anything new based on it will carry the same problems that it has.

@ignaloidas thanks :)

Allow me to disagree, I do believe it has a place and serves purposes, one being a vessel for distributed online identities. Nothing about the pgp key model makes it inadequate for that. Well, I believe. What would be your counter argument?

I am curious: you promote your keybase account on your mastodon profile. They also use pgp for everything. Would you consider their product to be flawed in a similar way?

@yarmo Keybase doesn't use PGP besides advertising PGP keys.

The problem with PGP is that identity is being tied with a single key. That you probably need to move, since most people have more than one device now. And you often need to sync which keys you have certified between devices. There is a problem there. Key material moves. It is significantly easier to compromise keys while they are being moved than when they are staying where they are. And this is what Keybase gets right.

@ignaloidas ok, key material moving is not ideal, true.

So how does keybase get that right? By being a centralized server?

@yarmo Have you even used it or read up on how it works? It has per-device keys. Keys don't move. At all. It being centralized doesn't change anything in this context.

@ignaloidas I have used it. Long time ago, sorry, I didn't remember.

Now I do, with the profile page showing you your devices, including the paper backup. I still have mine :)

Alright, yeah. Good points you make overall. Food for thought. I'll still continue with this, as I am not keen on using a vc-funded company bought by a shitty company that obeys Beijing for my cryptography. No matter the tech difference. No company owns my keys.

@ignaloidas also something I discussed with others: the name has no reference to PGP on purpose. If better tech comes along, I can adopt that. Not married to PGP in any way.

@yarmo I’m a bit confused, is this a different implementation of @wiktor’s OpenPGP Proofs? If so, can you talk about similarities and differences for people like me who used Wiktor’s implementation?

alexschroeder.ch/openpgp/#0xdf

@kensanata @wiktor it's indeed one and the same tech! Since there's no library (yet), I had to write my own implementation but using one or the other will yield very similar results! Thanks to Wiktor helping the past wee \o/

I did try and improve:
- added lobste.rs proof support
- reddit proof works in all browsers now
- added twitter proof support

And a lot more on the way. I truly believe in the concept. CLI, libraries. It's a big side project, but worth it :)

@yarmo

Interesting tool, good for self-hosting.

Where does cryptography happen? On the browser or on the server?

@Shamar (almost) fully in the browser. Some like it, some don't.

"Almost" because websites fight you a little bit when trying to prove someone's identity. In these rare cases, the server handles the verification process.

Other than that, everything related to encrypt and signature verification, all happens in the browser!

@yarmo

Fine thanks!

A question: did you consider to separate the crypto functionality that can be executed in the browser and the identity related ones in two different applications?

While I don't like crypto done in Javascript, I think a clear separation of concerns would reduce the attack surface.

@Shamar Those concerns are valid. There are definitely plans to make a CLI tool for the distributed identity proofs. I suppose such a tool could be the backbone of the proof verification displayed online. Would that solve your concerns or is even more separation needed?

@yarmo

Actually a clear separation between encryption&signing on one side and identity management in the other would allow to separate packaging, deployment and upgrade.

For example you could install the browser-only system on a server that do not provide any serverside scripting.

This would reduce the attack surface both for the server and for the visitor.

It's not safe(TM) anyway, but it could be useful in some self-hosted system.

@Shamar right! So I should make an API, basically? Every website, my own or anyone else's, can request to verify the proofs of a key. That's the idea right? I could see that happening

@yarmo I think your guides sections lacks a "how to generate a robustPGP key" (:

By the way Keyoxide is a very great work ! I hope it will have the success it deserve !!

@Matthieu yes! Definitely! It's the guide I want to write most and I keep reading online guides and talk to people about it, because it's a very fundamental guide. And I don't want to mess it up, basically 😅 but it should come soon enough. Including a section about "laptop" keys

@yarmo very nice, I'll keep watching (:

What do you mean by "laptop" keys ?

@Matthieu "laptop" keys are secret keys without the master key. You can use them on your laptop and if they accidentally get compromised, it's not the end of the world. You revoke those keys and generate new keys based on the master key.

If the master key gets compromised, you're in bigger trouble. You'll have to revoke and start again with a fresh key

@yarmo neat! I tried it right away :)

Unfortunately, it doesn't seem to pick up my mastodon proof... the notation looks correct.

keyoxide.org/B9762B3ED6D832409

(the masto proof is on this account's profile page)

@yarmo
It looks really cool as you described it! I'm looking right now, I'll probably often use it.

@steko @codeberg yes, this is still stuff that I need to make clearer! Glad you found it out by yourself!

If an email is detected, keyoxide automatically goes into WKD mode and will try to download your key directly from your website. When specifying HKP in the url, it now knows to use it as query for keys.openpgp.org instead.

This happens when you try to keep the profile URLs as short as possible for everyone 😅

@yarmo @codeberg I think my domain iosa.it is setup with WKS at DNS level and it should point to keys.openpgp.org - that's why I was surprised. But straight WKD is much easier 🙂

@yarmo
But it's not an alternative to Keybase. It's alternative to couple of Keybase features.

It's like I'd say that my cp.skobk.in/ is an alternative to Github (not even an alternative to gist.github.com IRL).

@skobkin yes! This is correct. And from the feedback I've gathered, this is a replacement for enough features (only three) for many people to "switch". Turns out encryption, signature verification and identity are the core features most.

But you are right! If you enjoy keybase's chat, git and/or wallet, keyoxide is not for you! That's why we should always have choice :)

@yarmo I agree. But I think that open (and free) projects should not use deceptive marketing like some commercial (and proprietary) products do.
Just IMHO though.

@skobkin agreed and I hope you'll believe me when I say that this was not my intention. I'm doing all the programming, writing guides and marketing on my own. I'll update the "keybase migration" guide to more clearly reflect that I'm only replacing certain aspects. The FAQ already states the lack of certain functions

@yarmo Yes, I saw keybase-related page on the site itself. I was just somewhat surprised by the post in Mastodon :)

@yarmo Is this an appropriate venue for a bug report?

Visiting keyoxide.org/ed@edavies.me.uk gets my key via WKD fine (though I'm a bit puzzled where it gets the picture from, my current key doesn't have a picture AFAIK).

But following the verify link goes to keyoxide.org/verify/wkd/ed@eda with an underscore instead of the first dot in the domain both in the URL and in the filled-in email address so the verify fails with “invalid e-mail address”. Change to a dot and it verifies a .asc signature fine.

@edavies @yarmo
> I'm a bit puzzled where it gets the picture from

gravatar.
It would be better imho to show picture from key. Or at least to support ravatar...

btw, I think the WKD tool at keyoxide.org/util/wkd gives wrong values...

great work 😎 👍

@fabrixxm @edavies

- picture from key: best solution indeed! In the works 😉
- ravatar: don't know yet! Tried libravatar but got mixed results. Really wouldn't mind leaving gravatar…
- the WKD gives wrong values: do you have a specific example? I know it gives the right results for my name

@yarmo @edavies
nevermind.. I was writting *my* username wrong 🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️

Sign in to participate in the conversation
Fosstodon

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.