Decentralized proofs

This document describes a method of adding social proofs to OpenPGP keys in a way that can be independently verified by clients. This is similar to Keybase but decentralized.

All proofs are notations put on self-signatures by key owners.

Currently the notation key is always proof@metacode.biz and the notation value is a URI from which the proof document can be fetched. Proof documents are JSON files published on a social site in such a way that it can be verified that only the account owner could have published the document.

Proof documents contain a short string that refers back to the OpenPGP key, usually through the openpgp4fpr URI.

Proofs can be used by software working with OpenPGP keys to perform automatic or manual verification. For example: https://metacode.biz/openpgp/key#0x653909A2F0E37C106F5FAF546C8857E0D8E8F074

Or manually, through the command-line interface:

$ gpg --list-options show-notations --list-sigs D8E8F074 | grep proof
   Signature notation: proof@metacode.biz=https://metacode.biz/@wiktor
   Signature notation: proof@metacode.biz=https://news.ycombinator.com/user?id=wiktor-k
   Signature notation: proof@metacode.biz=https://www.reddit.com/user/wiktor-k/comments/bo5oih/test/
   Signature notation: proof@metacode.biz=https://gist.github.com/wiktor-k/389d589dd19250e1f9a42bc3d5d40c16
   Signature notation: proof@metacode.biz=dns:metacode.biz?type=TXT

Adding proofs

Proofs can be added by any OpenPGP software that allows adding notations.

An example using GnuPG’s --edit-key:

$ gpg --edit-key F470E50DCB1AD5F1E64E08644A63613A4D6E4094
sec  rsa1024/4A63613A4D6E4094
     created: 2013-10-18  expires: never       usage: SCEA
     trust: unknown       validity: full
ssb  rsa1024/E084F7446C202C97
     created: 2013-10-18  expires: never       usage: SEA
[  full  ] (1). Test McTestington <test@example.com>

gpg>

The notation subcommand inserts a notation:

gpg> notation
Enter the notation: proof@metacode.biz=https://news.ycombinator.com/user?id=wiktor-k
No notations on user ID "Test McTestington <test@example.com>"
Adding notation: proof@metacode.biz=https://news.ycombinator.com/user?id=wiktor-k

Then save the key and send it to keyservers.

Proof providers

This section describes the currently supported providers.

{FINGERPRINT} is a lowercase V4 OpenPGP key fingerprint.

GitHub

Proof URI: Gist URL

The gist must contain a file called openpgp.md that contains the following string: [Verifying my OpenPGP key: openpgp4fpr:{FINGERPRINT}].

Example: https://gist.github.com/wiktor-k/389d589dd19250e1f9a42bc3d5d40c16

Hacker News

Proof URI: Profile URL

The profile must contain the following string: [Verifying my OpenPGP key: openpgp4fpr:{FINGERPRINT}].

Example: https://news.ycombinator.com/user?id=wiktor-k

Reddit

Proof URI: User post URL.

The post must be made by the user on the user’s own profile.

The post must contain the string Verifying my OpenPGP key: openpgp4fpr:{FINGERPRINT}

Example: https://www.reddit.com/user/wiktor-k/comments/bo5oih/test/

Mastodon

Proof URI: Profile URL

The profile must contain a property (configured in the profile settings) whose value includes {FINGERPRINT}.

Example: https://mastodon.social/@wiktor

Domain name

This proof validates control over a domain name through a TXT record.

Proof URI: dns:{DOMAIN}?type=TXT

The domain must have a TXT record whose value is openpgp4fpr:{FINGERPRINT}.

Example: dns:metacode.biz?type=TXT

How it works

Proof URIs are converted to URLs that point to proof JSON documents. These documents are fetched and the required data is extracted from them using a method specific to each social provider. If the extracted data refers back to the key’s fingerprint, the proof is considered verified.
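The following is an added example in Python of the verification flow just described; it is not code from metacode.biz. It maps a notation value to a known provider and its JSON endpoint (the endpoint URLs and JSON field names are assumptions of this example, and the fetch step itself is left out so the check runs offline), then extracts the provider-specific text and looks for the fingerprint reference. Note that only URIs matching a known provider pattern are ever resolved, so a notation value cannot point the verifier at an arbitrary URL.

```python
import re

# The proof providers section requires a lowercase V4 fingerprint (40 hex chars).
FPR_RE = re.compile(r"^[0-9a-f]{40}$")

# Known providers: (name, pattern over the proof URI, JSON endpoint to fetch).
# The endpoints and JSON shapes below are assumptions of this example.
PROVIDERS = [
    ("github", re.compile(r"^https://gist\.github\.com/[\w-]+/([0-9a-f]+)$"),
     lambda m: "https://api.github.com/gists/" + m.group(1)),
    ("hackernews", re.compile(r"^https://news\.ycombinator\.com/user\?id=([\w-]+)$"),
     lambda m: "https://hacker-news.firebaseio.com/v0/user/" + m.group(1) + ".json"),
    ("reddit", re.compile(r"^https://www\.reddit\.com/user/[\w-]+/comments/\w+/\w+/$"),
     lambda m: m.group(0).rstrip("/") + ".json"),
    ("mastodon", re.compile(r"^https://[\w.-]+/@[\w-]+$"),
     lambda m: m.group(0)),  # fetched with Accept: application/activity+json
    ("dns", re.compile(r"^dns:([\w.-]+)\?type=TXT$"),
     lambda m: "https://dns.google/resolve?name=" + m.group(1) + "&type=TXT"),
]

def classify(proof_uri):
    # Map a proof URI to (provider, URL of its JSON proof document); None if unknown.
    for name, pattern, to_url in PROVIDERS:
        m = pattern.match(proof_uri)
        if m:
            return name, to_url(m)
    return None

def extract(provider, doc):
    # Pull the provider-specific candidate strings out of a fetched JSON document.
    if provider == "github":      # gist files -> body of the openpgp.md file only
        return [f["content"] for n, f in doc.get("files", {}).items() if n == "openpgp.md"]
    if provider == "hackernews":  # HN API user object -> 'about' text
        return [doc.get("about", "")]
    if provider == "reddit":      # listing -> selftext of each post in it
        return [c["data"].get("selftext", "") for c in doc[0]["data"]["children"]]
    if provider == "mastodon":    # ActivityPub actor -> profile property values
        return [a.get("value", "") for a in doc.get("attachment", []) if a.get("type") == "PropertyValue"]
    if provider == "dns":         # DoH answer -> TXT records (type 16), quotes stripped
        return [a["data"].strip('"') for a in doc.get("Answer", []) if a.get("type") == 16]
    return []

def verify(proof_uri, doc, fingerprint):
    # True if the already-fetched proof document refers back to the fingerprint.
    hit = classify(proof_uri)
    if hit is None or not FPR_RE.match(fingerprint):
        return False
    # Mastodon properties hold the bare fingerprint; other providers use the openpgp4fpr URI.
    needle = fingerprint if hit[0] == "mastodon" else "openpgp4fpr:" + fingerprint
    return any(needle in text for text in extract(hit[0], doc))

# Constructed sample: an HN user object whose 'about' field carries the proof string.
SAMPLE_FPR = "653909a2f0e37c106f5faf546c8857e0d8e8f074"
SAMPLE_HN = {"id": "wiktor-k", "about": "[Verifying my OpenPGP key: openpgp4fpr:" + SAMPLE_FPR + "]"}
```

A real client would fetch `classify(uri)[1]` over HTTPS and pass the parsed JSON to `verify`; an uppercase fingerprint or an unrecognised URI is rejected before anything is fetched.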