@anonthemoose yeah, the federation aspect makes it extra-important to support proof of identity! and yet, you can't, because keybase can only handle a few very specific arrangements of proof :0 what it should probably do is let you prove you own a page by publishing a proof to its associated rss/atom feed! that would work reliably for mastodon and for a wide range of sites
@00dani @anonthemoose We could bring in support for either OTR, OMEMO, and/or PGP signatures?
@mitchell oh, are you working on keybase? i think pgp is sufficient although i'm sure there are users who'd love support for alternative signature schemes - my issue is that you can only sign an arbitrary web page with keybase if you control the entire domain, which means you can't sign your gnu social/mastodon profile nor most profiles that aren't specially hardcoded into keybase? and it seems like checking your profile's rss/atom feed for keybase proofs would be a good workaround!
@00dani Each profile can have a signature object on the profiles page which can then be attached to each "toot"'s XML, and can be used to verify the legitimacy. (Not encrypting it in this example because CPU usage on the server)
@mitchell ooh, that sounds excellent! keybase currently only lets you prove you own your profile as a whole - in cases like twitter, you make a single tweet with a signed proof in it. signing all your individual posts would definitely be preferable if possible, although i suspect keybase would still demand you make a single post with a keybase proof anyway :3
@00dani We talking about keybase.io? Cause you can just take the signature and search keybase on each server as opposed to the client doing it? IDK. Or maybe something like

Keybase -> Client for look up but the check is done on both server and client?

@mitchell yeah, keybase.io - it uses a per-user signed "chain" of proofs, like this https://keybase.io/00dani/sigchain , which means you want a recognisable atomic action that represents "this is when i proved i own my mastodon account" and you want a single post on mastodon that you can point to which contains that proof

i suppose you could just verify "yes this was signed by the same pgp key that's on the keybase profile" but then you couldn't easily revoke proofs for example?

@00dani You can revoke the proofs by revoking the sig on keybase and your profile?
@mitchell true. i dunno, i assume there are Good Reasons™ that keybase.io works the way it does?? i'm not really a crypto expert oops ¯\_(ツ)_/¯
@00dani Neither am I. @chu is a bit better at it than me (Especially PGP/GPG)

@chu - What would be one reliable way to verify users using PGP (Or similar) on GS/Mastodon?
@mitchell verify users' what? the entire user? tweets? be more specific @00dani
@chu @00dani verify the user's identity either on a per tweet basis, or on a per follow basis.

Example: when I go to follow you and want to verify you are @chu beforehand, I would need your public key to do that.
@mitchell well, you'd need a way for GS/Masto/whatever to hold user priv keys (or generate them), and then create signatures for everything that user does, which is verified via pub key @00dani
@chu users would generate them on their own and we can add a bio item to Qvitter (or GS) for a pgp public key
@mitchell I don't understand the purpose of this idea
@chu idea: just verify a user's actually who they say they are. That's it.
@mitchell @chu Hey both GS and Mastodon generate pub/private keys for each user, which are used for Salmon verification. But that's irrelevant, I think keybase.io should support verification over Atom feeds or Webfinger+Atom, it would instantly solve the issue for the entire fediverse
@Gargron fun fact, that's EXACTLY why i was looking for pagination of mastodon's feeds, i'm about to suggest rss/atom verification on the keybase github ;)

@Gargron aaaaaand then i scrolled down enough to notice you already posted this suggestion on the same issue, omg

nice :3 it's probly worth allowing generic rss/atom devoid of webfingering as well though, since webfinger isn't supported by a lot of places

@00dani True, but with Atom/RSS only you'd be verifying a particular feed URL, with webfinger you would be verifying a username@domain identity which sounds significantly more awesome
@Gargron i was thinking you could give keybase your profile page url https://mastodon.social/users/00dani and it could find a proof for that page by following the atom rel="alternate" link! but definitely just being able to do username@domain rather than having to use a url would be super cool!
@mitchell if you can successfully forge and federate a tweet, then GPG or some digital signature system would be a good solution.