What a coincidence, I was last night reading about gnupg and how to log with your site using your private key.
I am still not able to do it.
And you now came with this related :)
@yarmo yes. That is what I mean.
I never payed attention to signed messages
I just know there is a private and a public key. But did not find a good place to read about the whole thing.
I need to learn a lot.
Any help is always appreciated. Thanks.
@ketmorco thanks, that means a lot! Well, it's open source, if you have ideas, I would love to hear them!
@yarmo Honestly, I applaud the attempt, but sadly it's not enough. PGP key model IMO is fundamentally broken and anything new based on it will carry the same problems that it has.
@ignaloidas thanks :)
Allow me to disagree, I do believe it has a place and serves purposes, one being a vessel for distributed online identities. Nothing about the pgp key model makes it inadequate for that. Well, I believe. What would be your counter argument?
I am curious: you promote your keybase account on your mastodon profile. They also use pgp for everything. Would you consider their product to be flawed in a similar way?
@yarmo Keybase doesn't use PGP besides advertising PGP keys.
The problem with PGP is that identity is being tied with a single key. That you probably need to move, since most people have more than one device now. And you often need to sync which keys you have certified between devices. There is a problem there. Key material moves. It is significantly easier to compromise keys while they are being moved than when they are staying where they are. And this is what Keybase gets right.
@ignaloidas ok, key material moving is not ideal, true.
So how does keybase get that right? By being a centralized server?
@yarmo Have you even used it or read up on how it works? It has per-device keys. Keys don't move. At all. It being centralized doesn't change anything in this context.
@ignaloidas I have used it. Long time ago, sorry, I didn't remember.
Now I do, with the profile page showing you your devices, including the paper backup. I still have mine :)
Alright, yeah. Good points you make overall. Food for thought. I'll still continue with this, as I am not keen on using a vc-funded company bought by a shitty company that obeys Beijing for my cryptography. No matter the tech difference. No company owns my keys.
@ignaloidas also something I discussed with others: the name has no reference to PGP on purpose. If better tech comes along, I can adopt that. Not married to PGP in any way.
Interesting tool, good for self-hosting.
Where does cryptography happen? On the browser or on the server?
@Shamar (almost) fully in the browser. Some like it, some don't.
"Almost" because websites fight you a little bit when trying to prove someone's identity. In these rare cases, the server handles the verification process.
Other than that, everything related to encrypt and signature verification, all happens in the browser!
A question: did you consider to separate the crypto functionality that can be executed in the browser and the identity related ones in two different applications?
@Shamar Those concerns are valid. There are definitely plans to make a CLI tool for the distributed identity proofs. I suppose such a tool could be the backbone of the proof verification displayed online. Would that solve your concerns or is even more separation needed?
Actually a clear separation between encryption&signing on one side and identity management in the other would allow to separate packaging, deployment and upgrade.
For example you could install the browser-only system on a server that do not provide any serverside scripting.
This would reduce the attack surface both for the server and for the visitor.
It's not safe(TM) anyway, but it could be useful in some self-hosted system.
@Shamar right! So I should make an API, basically? Every website, my own or anyone else's, can request to verify the proofs of a key. That's the idea right? I could see that happening
@yarmo I think your guides sections lacks a "how to generate a robustPGP key" (:
By the way Keyoxide is a very great work ! I hope it will have the success it deserve !!
@Matthieu yes! Definitely! It's the guide I want to write most and I keep reading online guides and talk to people about it, because it's a very fundamental guide. And I don't want to mess it up, basically 😅 but it should come soon enough. Including a section about "laptop" keys
@Matthieu "laptop" keys are secret keys without the master key. You can use them on your laptop and if they accidentally get compromised, it's not the end of the world. You revoke those keys and generate new keys based on the master key.
If the master key gets compromised, you're in bigger trouble. You'll have to revoke and start again with a fresh key
@yarmo neat! I tried it right away :)
Unfortunately, it doesn't seem to pick up my mastodon proof... the notation looks correct.
(the masto proof is on this account's profile page)
If an email is detected, keyoxide automatically goes into WKD mode and will try to download your key directly from your website. When specifying HKP in the url, it now knows to use it as query for keys.openpgp.org instead.
This happens when you try to keep the profile URLs as short as possible for everyone 😅
@skobkin yes! This is correct. And from the feedback I've gathered, this is a replacement for enough features (only three) for many people to "switch". Turns out encryption, signature verification and identity are the core features most.
But you are right! If you enjoy keybase's chat, git and/or wallet, keyoxide is not for you! That's why we should always have choice :)
@yarmo I agree. But I think that open (and free) projects should not use deceptive marketing like some commercial (and proprietary) products do.
Just IMHO though.
@skobkin agreed and I hope you'll believe me when I say that this was not my intention. I'm doing all the programming, writing guides and marketing on my own. I'll update the "keybase migration" guide to more clearly reflect that I'm only replacing certain aspects. The FAQ already states the lack of certain functions
@yarmo Yes, I saw keybase-related page on the site itself. I was just somewhat surprised by the post in Mastodon :)
@yarmo Is this an appropriate venue for a bug report?
Visiting https://email@example.com gets my key via WKD fine (though I'm a bit puzzled where it gets the picture from, my current key doesn't have a picture AFAIK).
But following the verify link goes to https://keyoxide.org/verify/wkd/ed@edavies_me.uk with an underscore instead of the first dot in the domain both in the URL and in the filled-in email address so the verify fails with “invalid e-mail address”. Change to a dot and it verifies a .asc signature fine.
@yarmo That's what I get too. But what does the “verify signature” link point to? For me it points to https://keyoxide.org/verify/wkd/ed@edavies_me.uk (with the underscore). Similar with the encrypt message link.
Firefox 78.0.1 on an Ubuntu 20.04 desktop.
Unfortunately Chromium seems to be borked on this machine so I can't try with that.
@edavies I found it, completely an error on my part! Code I once used during debugging had remained
If you reload the profile page, it should fix the links
@yarmo This looks good, thanks for making it. There's a great need for projects like this, improvements in usability of strong crypto for average users. Simple is not easy, as they say.
Do you have a simple grafic what it does? I use gpg and generate keypairs sometimes and don't know how this would help me. Something like a grafical toolchain?
@yarmo Great page outlining the tool, what it does and what it doesn't do!
Will have to give it a go, thanks for the post.
@yarmo I thought a lot about online identity verification and saw only Keybase, however I am not big fan of Zoom. Thx for your work, it is fabulous.
Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.