@freddyym OPSV was the precursor. I wanted to make that to get acquainted with the tech, assuming it would take long for me to build that could even come close to offering a foss alternative to keybase. Little did I know, I went a lot smoother than that! Many thanks to @wiktor !

@nicolapcweek94 that is actually the topic of my next blog post! Loading time is great :) need to do more worldwide measurements, but I got 0.3 seconds for full load!

@yarmo ah, looking forward to reading that then! I'll sit here setting up my 🔑 in the meantime

@nicolapcweek94 if you need any help, let me know! I personally found the process of adding decentralized identity proofs surprisingly easy :)

@yarmo The process seems easy enough, but the website seems to not like my key very much :(
https://keyoxide.org/147CFCC6F3332883590635951742C5610207C38B

says "Error: No public keys could be fetched from the HKP server.", but https://keys.openpgp.org/search?q=147CFCC6F3332883590635951742C5610207C38B correctly lists my (newly uploaded) key... maybe it needs a bit of time to sync on the backend?

@nicolapcweek94 have you just uploaded it for the first time? You might have received an email where you need to confirm the upload.

If not, let's figure this out

@yarmo I have, and I'm apparently not checking my email often enough! Just had to approve the publication of the key... wooops

back to adding proofs I go, thanks!

@nicolapcweek94 there you go, it works \o/ woot woot

@ggarron you mean indieauth? I could help you with that :)

@yarmo yes. That is what I mean.

I never payed attention to signed messages

I just know there is a private and a public key. But did not find a good place to read about the whole thing.

I need to learn a lot.

Any help is always appreciated. Thanks.

@ketmorco thanks, that means a lot! Well, it's open source, if you have ideas, I would love to hear them!

@jiminycricket thanks, that means a lot!

@ignaloidas thanks :)

Allow me to disagree, I do believe it has a place and serves purposes, one being a vessel for distributed online identities. Nothing about the pgp key model makes it inadequate for that. Well, I believe. What would be your counter argument?

I am curious: you promote your keybase account on your mastodon profile. They also use pgp for everything. Would you consider their product to be flawed in a similar way?

@yarmo Keybase doesn't use PGP besides advertising PGP keys.

The problem with PGP is that identity is being tied with a single key. That you probably need to move, since most people have more than one device now. And you often need to sync which keys you have certified between devices. There is a problem there. Key material moves. It is significantly easier to compromise keys while they are being moved than when they are staying where they are. And this is what Keybase gets right.

@ignaloidas ok, key material moving is not ideal, true.

So how does keybase get that right? By being a centralized server?

@yarmo Have you even used it or read up on how it works? It has per-device keys. Keys don't move. At all. It being centralized doesn't change anything in this context.

@ignaloidas I have used it. Long time ago, sorry, I didn't remember.

Now I do, with the profile page showing you your devices, including the paper backup. I still have mine :)

Alright, yeah. Good points you make overall. Food for thought. I'll still continue with this, as I am not keen on using a vc-funded company bought by a shitty company that obeys Beijing for my cryptography. No matter the tech difference. No company owns my keys.

@ignaloidas also something I discussed with others: the name has no reference to PGP on purpose. If better tech comes along, I can adopt that. Not married to PGP in any way.

@Shamar (almost) fully in the browser. Some like it, some don't.

"Almost" because websites fight you a little bit when trying to prove someone's identity. In these rare cases, the server handles the verification process.

Other than that, everything related to encrypt and signature verification, all happens in the browser!

@yarmo

Fine thanks!

A question: did you consider to separate the crypto functionality that can be executed in the browser and the identity related ones in two different applications?

While I don't like crypto done in Javascript, I think a clear separation of concerns would reduce the attack surface.

@Shamar Those concerns are valid. There are definitely plans to make a CLI tool for the distributed identity proofs. I suppose such a tool could be the backbone of the proof verification displayed online. Would that solve your concerns or is even more separation needed?

@yarmo

Actually a clear separation between encryption&signing on one side and identity management in the other would allow to separate packaging, deployment and upgrade.

For example you could install the browser-only system on a server that do not provide any serverside scripting.

This would reduce the attack surface both for the server and for the visitor.

It's not safe(TM) anyway, but it could be useful in some self-hosted system.

@Shamar right! So I should make an API, basically? Every website, my own or anyone else's, can request to verify the proofs of a key. That's the idea right? I could see that happening

@Matthieu yes! Definitely! It's the guide I want to write most and I keep reading online guides and talk to people about it, because it's a very fundamental guide. And I don't want to mess it up, basically 😅 but it should come soon enough. Including a section about "laptop" keys

@yarmo very nice, I'll keep watching (:

What do you mean by "laptop" keys ?

@Matthieu "laptop" keys are secret keys without the master key. You can use them on your laptop and if they accidentally get compromised, it's not the end of the world. You revoke those keys and generate new keys based on the master key.

If the master key gets compromised, you're in bigger trouble. You'll have to revoke and start again with a fresh key

@yarmo oh this is very interesting !

@steko @codeberg yes, this is still stuff that I need to make clearer! Glad you found it out by yourself!

If an email is detected, keyoxide automatically goes into WKD mode and will try to download your key directly from your website. When specifying HKP in the url, it now knows to use it as query for keys.openpgp.org instead.

This happens when you try to keep the profile URLs as short as possible for everyone 😅

@yarmo @codeberg I think my domain iosa.it is setup with WKS at DNS level and it should point to keys.openpgp.org - that's why I was surprised. But straight WKD is much easier 🙂

@skobkin yes! This is correct. And from the feedback I've gathered, this is a replacement for enough features (only three) for many people to "switch". Turns out encryption, signature verification and identity are the core features most.

But you are right! If you enjoy keybase's chat, git and/or wallet, keyoxide is not for you! That's why we should always have choice :)

@yarmo I agree. But I think that open (and free) projects should not use deceptive marketing like some commercial (and proprietary) products do.
Just IMHO though.

@skobkin agreed and I hope you'll believe me when I say that this was not my intention. I'm doing all the programming, writing guides and marketing on my own. I'll update the "keybase migration" guide to more clearly reflect that I'm only replacing certain aspects. The FAQ already states the lack of certain functions

@yarmo Yes, I saw keybase-related page on the site itself. I was just somewhat surprised by the post in Mastodon :)