# Decentralized proofs

This document describes a method of adding social proofs to OpenPGP keys in a way that can be independently verified by clients. This is similar to Keybase but decentralized.

All proofs are notations put on self-signatures by key owners.

Currently the notation key is always `proof@metacode.biz` and the notation value is a URI that can be used to fetch the proof document. Proof documents are JSON files published on a social site in a way that it can be verified that only the account owner published the document.

Proof documents contain a short string that refers back to the OpenPGP key, usually through the `openpgp4fpr` URI.

Software working with OpenPGP keys can use proofs for automatic verification. For example: https://metacode.biz/openpgp/key#0x653909A2F0E37C106F5FAF546C8857E0D8E8F074

Proofs can also be inspected manually, through the command-line interface:

```
$ gpg --list-options show-notations --list-sigs D8E8F074 | grep proof
Signature notation: proof@metacode.biz=https://metacode.biz/@wiktor
Signature notation: proof@metacode.biz=https://news.ycombinator.com/user?id=wiktor-k
Signature notation: proof@metacode.biz=https://www.reddit.com/user/wiktor-k/comments/bo5oih/test/
Signature notation: proof@metacode.biz=https://gist.github.com/wiktor-k/389d589dd19250e1f9a42bc3d5d40c16
Signature notation: proof@metacode.biz=dns:metacode.biz?type=TXT
```

## Adding proofs

Proofs can be added by any OpenPGP software that allows adding notations.

An example using GnuPG’s `--edit-key`:

```
$ gpg --edit-key F470E50DCB1AD5F1E64E08644A63613A4D6E4094
sec rsa1024/4A63613A4D6E4094
created: 2013-10-18 expires: never usage: SCEA
trust: unknown validity: full
ssb rsa1024/E084F7446C202C97
created: 2013-10-18 expires: never usage: SEA
[ full ] (1). Test McTestington <test@example.com>
gpg>
```

The `notation` subcommand inserts a notation:

```
gpg> notation
Enter the notation: proof@metacode.biz=https://news.ycombinator.com/user?id=wiktor-k
No notations on user ID "Test McTestington <test@example.com>"
Adding notation: proof@metacode.biz=https://news.ycombinator.com/user?id=wiktor-k
```

Then `save` the key and send it to keyservers.

## Proof providers

This section contains data about currently supported providers.

`{FINGERPRINT}` is a lowercase V4 OpenPGP key fingerprint.

### GitHub

Proof URI: Gist URL

Proof document must contain a document called `openpgp.md` that contains the following string: `[Verifying my OpenPGP key: openpgp4fpr:{FINGERPRINT}]`.

Example: https://gist.github.com/wiktor-k/389d589dd19250e1f9a42bc3d5d40c16

### Hacker News

Proof URI: Profile URL

Profile must contain the following string: `[Verifying my OpenPGP key: openpgp4fpr:{FINGERPRINT}]`.

Example: https://news.ycombinator.com/user?id=wiktor-k

### Reddit

Proof URI: User post URL.

The post must be made on the user’s profile by the user.

Post must contain the string `Verifying my OpenPGP key: openpgp4fpr:{FINGERPRINT}`

Example: https://www.reddit.com/user/wiktor-k/comments/bo5oih/test/

### Mastodon

Proof URI: Profile URL

Profile must contain a property (configured in settings) that includes `{FINGERPRINT}` as property value.

Example: https://mastodon.social/@wiktor

### Domain name

This proof validates control over a domain name through a `TXT` record.

Proof URI: `dns:{DOMAIN}?type=TXT`

The document must contain a `TXT` record that is `openpgp4fpr:{FINGERPRINT}`.

Example: `dns:metacode.biz?type=TXT`

## How it works

Proof URIs are converted to URLs that point to proof JSON documents. These documents are fetched and the required data is extracted from them using a method that is specific to each social provider. If the data matches, the proof is considered verified.
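The matching step described above can be sketched as follows. This is an added example, not the project's own code. It assumes the proof content has already been fetched and extracted (for GitHub, the contents of `openpgp.md`; for DNS, one `TXT` record per line), that Mastodon profile URLs have a `/@name` path, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

BRACKETED = "[Verifying my OpenPGP key: openpgp4fpr:{fp}]"
PLAIN = "Verifying my OpenPGP key: openpgp4fpr:{fp}"

# Constructed sample: notation lines in the format of the gpg output shown earlier.
SAMPLE_GPG_OUTPUT = """\
Signature notation: proof@metacode.biz=https://news.ycombinator.com/user?id=wiktor-k
Signature notation: proof@metacode.biz=https://www.reddit.com/user/wiktor-k/comments/bo5oih/test/
Signature notation: proof@metacode.biz=dns:metacode.biz?type=TXT
Signature notation: other@example.org=ignored
"""

def parse_notations(gpg_output, key="proof@metacode.biz"):
    """Return the proof URIs carried under the given notation key."""
    prefix = "Signature notation: " + key + "="
    lines = (line.strip() for line in gpg_output.splitlines())
    return [line[len(prefix):] for line in lines if line.startswith(prefix)]

def expected_proof(uri, fingerprint):
    """Map a proof URI to (provider, required string); None if unsupported."""
    fp = fingerprint.replace(" ", "").lower()
    if not re.fullmatch(r"[0-9a-f]{40}", fp):
        raise ValueError("need the full 40-hex-digit V4 fingerprint, not a key ID")
    u = urlsplit(uri)
    if u.scheme == "dns" and u.path and u.query == "type=TXT":
        return "dns", "openpgp4fpr:" + fp
    if u.scheme != "https":
        return None
    host = (u.hostname or "").lower()  # compare the whole hostname, never a substring
    if host == "gist.github.com":
        return "github", BRACKETED.format(fp=fp)
    if host == "news.ycombinator.com" and u.path == "/user":
        return "hackernews", BRACKETED.format(fp=fp)
    if host == "www.reddit.com" and u.path.startswith("/user/"):
        return "reddit", PLAIN.format(fp=fp)
    if u.path.startswith("/@"):  # assumption: Mastodon profile URLs look like /@name
        return "mastodon", fp
    return None

def verify(uri, fingerprint, fetched):
    """fetched: text already extracted from the proof document (see lead-in)."""
    rule = expected_proof(uri, fingerprint)
    if rule is None:
        return False
    provider, needle = rule
    if provider == "dns":  # the TXT record must equal the string, not merely contain it
        return needle in fetched.splitlines()
    return needle in fetched
```

Requiring the full fingerprint and an exact hostname match keeps a short key ID or a lookalike host such as `news.ycombinator.com.example.net` from being accepted as a valid proof.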