#weboftrust

Replied to Ayzee 🏳️‍⚧️

@vlpatton The classic method is a key signing party. Get a bunch of people in the same room with legal photo identification and their fingerprints, and go around the room checking everyone else’s ID. Then, go home and sign everyone’s keys. Send the signed key to the key owner. Import signed keys and collect signatures!

Key servers sharing signatures haven’t been a thing since the attacks years ago. Any modern keyserver will strip the signatures, so you’ll have to distribute your key with signatures some other way (WKD, DNS, a file on your web site, etc.).

CAcert will do PGP key endorsements if you get enough assurances on their platform. Everyone with a signed key has had two forms of ID checked by two people. However, their infrastructure can only work on old-school RSA keys right now (they’re working on modernizing).

#PGP #GnuPG #CAcert

how does one perhaps acquire signatures for their PGP key? I'm wanting to build a web of trust, but I'm unsure if there's anyone I know personally (and especially in-person) who would be able to sign my keys...

fwiw, I use my keys to sign Git commits, mostly.

Replied in thread

@Sascha

A similar example is the right to anonymity: it is important for exposing wrongdoing ("whistle-blowing"), but is often used for hate speech and disinformation.

→ In the medium term, the Internet needs smart management of trust.

The #WebOfTrust [1] has actually already solved the problem in the area of #PGP-based e-mail authenticity. Something similar (implemented in a contemporary way) would be needed for general information.

[1] de.wikipedia.org/wiki/Web_of_T


I decree that #mozilla should create a #weboftrust mechanism. Kind of like what Keybase used to be. As a way to verify the identity of others so you can safely chat, share, exchange, etc.

In a world of bullshit ID (Azure, Google, Amazon, Apple, etc.), having an ID that wasn't tied to a billionaire corp, g-men, or government name would be a valued service. Offer a premium version that makes it supercharged. Place it behind Firefox ID.

xoxo

Just a Brainfart:

How about a verify button next to the fav button to a post. People who verified the content of a post can check this.

One can tag people/accounts as 'trustworthy'.

Toots would then be shown differently:
* gray '?' when validity is unknown
* blue :verified: when someone trusted verified it
* green checkmark when oneself verified it

In account settings one could configure
a warning/error when sharing unverified content.

Building a #WebOfTrust on #mastodon against #fakenews.

We made a WoT thing…
https://grapevine.my
Check out this client demo using the GrapeRank algorithm. It scans the (almost) entire Nostr network to find people “close to you” that may NOT be on your radar.

The GrapeRank algorithm was designed by @e5272de9 as a better way to do “Web of Trust”. Last year, he and I worked together to refine it and develop this demo of its capabilities. The algo itself is open source and configurable (in what kind of events it pulls from Nostr and how to interpret these for calculating GrapeRank scores) and has its own repository.
https://github.com/Pretty-Good-Freedom-Tech/graperank-nodejs

If you are interested in developing or using algorithms on Nostr, please take a look at this demo (and repo) and share with others.

Freedom of choice is powerless without a thriving and open market of choices. This is (part of) our contribution to this market.

#wot
#weboftrust
#nostrdev
#algo
#foss

Weekly output: Internet founders in D.C., Tim Berners-Lee at Web Summit, Bluesky account-verification advice

This holiday-shortened week still had a lot of work–just not all the kind that yielded bylines, in some cases not the kind that will yield bylines this year.

11/25/2024: Internet Founders: Open Architectures Are Best, But Big Tech Makes It Difficult, PCMag

As I wrote last week, it’s a treat seeing Internet pioneers speak about how their collective invention has been working out and what we ought to be doing with it.

11/27/2024: The man who gave us the web is building a better digital wallet, Fast Company

My Fast Company editor Harry McCracken asked if I wanted to join him to quiz the inventor of the Web at Web Summit, and I quickly said I’d clear my schedule for that. Like two years ago, Harry asked most of the questions and then wrote up our conversation.

11/29/2024: Real or Imposter? How to Verify That a Bluesky Account Is Legit, PCMag

My inspiration for this how-to came from seeing some bozo try to impersonate Rep. Don Beyer (D.-Va.) on Bluesky, then wondering why my congressman had not domain-verified his account with a house.gov handle, then personally shaming Bay Area Rapid Transit into tweeting its Bluesky handle from its verified X account (BART has since domain-verified its account). My editors then updated the post Sunday with details from posts Friday afternoon by Bluesky’s safety account about how the platform is dealing with this impersonation problem–including a recognition that “users want more ways to verify their identity beyond domain verification.”

If you know me, you know I am an Invisible Internet Project [#I2P & @i2p] enthusiast. (See the geti2p.net/ #homepage.) I2P is similar to Tor, but differs in that _every_ client instance of the I2P software, while connected to the Internet, _participates in routing traffic_ around Internet blockages.

I just read diva.exchange/en/privacy/i2p-i and came across a link to a #SoftwareLibrary for the "SAM API" of I2P. In the past, I had thought the SAM #API cumbersome and clunky (perhaps this was due to the format of the documentation).

The diva.exchange/ team have created a #Typescript wrapper for the I2P SAM API. It seems that Diva Exchange uses #I2PD (the #CPlusPlus variety of the available I2P applications) rather than the reference #Java implementation.

**If you are affiliated with diva.exchange/, please reach out to the editors to include back-links to the I2P Homepage and #SourceCode repositories & documentation!** Even if the links are subtle and get overlooked by casual readers (attentive readers will cite the links additionally), the publicity gained by linking to the relevant I2P pages _should_ help the I2P to climb the ranks of search engine results. Mutual aid is a social duty — even on the Internet!

----

The I2P SAM library that excites me: github.com/diva-exchange/i2p-s (Note: this library _is not listed_ in the table of libraries on the I2P SAM documentation page.)
The I2P SAM canonical documentation: geti2p.net/en/docs/api/samv3

----

If you would like to play with I2P, here are the links to download the software:

- geti2p.net/en/download#windows
- geti2p.net/en/download#mac
- geti2p.net/en/download#unix
- geti2p.net/en/download#deb
- geti2p.net/en/download#android
- geti2p.net/en/download#source

----

Here are a few other links of interest, relating to I2P:

- "Bitcoin core adds support for I2P!" at geti2p.net/en/blog/post/2021/0, posted 2021-09-18 by idk. **Blurb**: "A new use case and a signal of growing acceptance.". [#BTC #Bitcoin #BitcoinCore #Proxy]
- "Help your Friends Join I2P by Sharing Reseed Bundles" at geti2p.net/en/blog/post/2020/0, posted 2020-06-07 by idk. **Blurb**: file-based-reseed "Create, exchange, and use reseed bundles". [#NetworkHub #WebOfTrust]
- "Gitlab over I2P Setup" at geti2p.net/en/blog/post/2020/0, posted 2020-03-16 by idk. **Blurb**: "Mirror I2P Git repositories and Bridge Clearnet repositories for others." [#Git #SSH]
- "Blizzard (I2P Router Plugin)" at i2p-pt.github.io/blizzard/, whose **blurb** is: "blizzard, I2P Plugin for Donating a Snowflake.", and "Plugins — I2P" at geti2p.net/en/docs/plugins:
> Blizzard is a standalone version of the Tor Project’s Snowflake proxy. It can be used to produce an I2P Plugin that will donate a Snowflake to Tor Browser users. The Snowflake uses I2P to manage its lifecycle. That means when you start and stop your I2P router you start and stop the Snowflake.
- "I2P — Wikipedia § Software" at en.wikipedia.org/wiki/I2P#Soft.


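#UbuCon #Korea 2024 is already less than a month away. Following on from last year, an #OpenPGP key signing party will again be held as part of the program this year. By verifying each other's identities and mutually signing OpenPGP keys, you can build a #WebOfTrust and easily start networking with other attendees. The OpenPGP key signing party requires a little preparation, such as submitting your #PGP key in advance; this year the process has been improved to make preparing a bit easier, so we hope many of you will take part again this year!

How to participate and submit your OpenPGP key: github.com/ubuntu-kr/ksp-toolk

UbuCon Korea 2024 registration: 2024.ubuntu-kr.org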

Ok, let's talk about the elephant in the room. Why is a totally anonymous contribution to any significant #FOSS program still admitted in 2024? IMHO, this idea should be eradicated. In #Debian, we have used a #weboftrust for more than 20 years. It is not perfect, but that would probably have mitigated/avoided the #xz fiasco, and today, we could probably have a subject to prosecute. Instead, today, we have exactly none but for an avatar.

Another set of sshd-openpgp-auth and ssh-openpgp-auth releases is out:
This server and client-side tooling for managing the #authentication of #SSH host keys with the help of an #OpenPGP #certificate as trust anchor is now feature complete.
crates.io/crates/sshd-openpgp-
crates.io/crates/ssh-openpgp-a
Many thanks to @wiktor for the great collaboration and #NLnet / #NGIAssure for funding this work!
#DNS #KeyOxide #KnownHosts #OpenSSH #PGPKI #Rust #Rustlang #Software #SSH #WebKeyDirectory #WebOfTrust #WKD #WoT
