#weboftrust

@vlpatton The classic method is a key signing party. Get a bunch of people in the same room with legal photo identification and their fingerprints, and go around the room checking everyone else’s ID. Then, go home and sign everyone’s keys. Send the signed key to the key owner. Import signed keys and collect signatures!

Key servers sharing signatures haven’t been a thing since the attacks years ago. Any modern keyserver will strip the signatures, so you’ll have to distribute your key with signatures some other way (WKD, DNS, a file on your web site, etc.).

CAcert will do PGP key endorsements if you get enough assurances on their platform. Everyone with a signed key has had two forms of ID checked by two people. However, their infrastructure can only work on old-school RSA keys right now (they’re working on modernizing).

#PGP #GnuPG #CAcert #KeySigningParty #cryptoparty #WebOfTrust

how does one perhaps acquire signatures for their PGP key? I'm wanting to build a web of trust, but I'm unsure if there's anyone I know personally (and especially in-person) who would be able to sign my keys...

fwiw, I use my keys to sign Git commits, mostly.

#PGP #Encryption #WebOfTrust #GnuPG

@Sascha

Ein ähnliches Beispiel ist das Recht auf Anonymität: Wichtig um Missstände aufzudecken ("Whistle-Blowing"), wird aber oft für Hetze und Desinformation benutzt.

→ Es braucht mittelfristig ein kluges Management von Vertrauen im Internet.

Das #WebOfTrust [1] hat das Problem im Bereich #PGP-basierter E-Mail-Authentizität eigentlich schon gelöst. Sowas ähnliches bräuchte es (zeitgemäß umgesetzt) für allgemeine Informationen.

[1] https://de.wikipedia.org/wiki/Web_of_Trust

If you know me, you know I am an Invisible Internet Project [#I2P & @i2p] enthusiast. (See the https://geti2p.net/ #homepage.) I2P is similar to Tor, but differs in that _every_ client instance of the I2P software, while connected to the Internet, _participates in routing traffic_ around Internet blockages.

I just read https://www.diva.exchange/en/privacy/i2p-interview-with-the-developer-idk-part-2/ and came across a link to a #SoftwareLibrary for the "SAM API" of I2P. In the past, I had thought the SAM #API cumbersome and clunky (perhaps this was due to the format of the documentation).

The https://www.diva.exchange/ team have created a #Typescript wrapper for the I2P SAM API. It seems that Diva Exchange uses #I2PD (the #CPlusPlus variety of the available I2P applications) rather than the reference #Java implementation.

**If you are affiliated with diva.exchange/, please reach out to the editors to include back-links to the I2P Homepage and #SourceCode repositories & documentation!** Even if the links are subtle and get overlooked by casual readers (attentive readers will cite the links additionally), the publicity gained by linking to the relevant I2P pages _should_ help the I2P to climb the ranks of search engine results. Mutual aid is a social duty — even on the Internet!

----

The I2P SAM library that excites me: https://github.com/diva-exchange/i2p-sam (Note: this library _is not listed_ in the table of libraries on the I2P SAM documentation page.)
The I2P SAM canonical documentation: https://geti2p.net/en/docs/api/samv3

----

If you would like to play with I2P, here are the links to download the software:

- https://geti2p.net/en/download#windows
- https://geti2p.net/en/download#mac
- https://geti2p.net/en/download#unix
- https://geti2p.net/en/download#deb
- https://geti2p.net/en/download#android
- https://geti2p.net/en/download#source

----

Here are a few other links of interest, relating to I2P:

- "Bitcoin core adds support for I2P!" at https://geti2p.net/en/blog/post/2021/09/18/i2p-bitcoin, posted 2021-09-18 by idk. **Blurb**: "A new use case and a signal of growing acceptance.". [#BTC #Bitcoin #BitcoinCore #Proxy]
- "Help your Friends Join I2P by Sharing Reseed Bundles" at https://geti2p.net/en/blog/post/2020/06/07/, , posted 2020-06-07 by idk. **Blurb**: file-based-reseed "Create, exchange, and use reseed bundles". [#NetworkHub #WebOfTrust]
- "Gitlab over I2P Setup" at https://geti2p.net/en/blog/post/2020/03/16/gitlab-over-i2p/, posted 2020-03-16 by idk. **Blurb**: "Mirror I2P Git repositories and Bridge Clearnet repositories for others." [#Git #SSH]
- "Blizzard (I2P Router Plugin)" at https://i2p-pt.github.io/blizzard/, whose **blurb** is: "blizzard, I2P Plugin for Donating a Snowflake.", and "Plugins — I2P" at https://geti2p.net/en/docs/plugins:
> Blizzard is a standalone version of the Tor Project’s Snowflake proxy. It can be used to produce an I2P Plugin that will donate a Snowflake to Tor Browser users. The Snowflake uses I2P to manage its lifecycle. That means when you start and stop your I2P router you start and stop the Snowflake.
- "I2P — Wikipedia § Software" at https://en.wikipedia.org/wiki/I2P#Software.

> In Coracle, this number is equal to how many people you follow that also follow a given person, minus pow(2, log(n)), where n is how many people you follow who have muted this person.

https://coracle.social/help/web-of-trust

#nostr #webOfTrust #trust #socialMedia #coracle

Stimmt das wirklich, dass der Keyserserver keys.openpgp.org sämtliche bisherigen Signaturen unter dem publickkey wegschneidet?

#CLT2024 #WebofTrust

We have just issued the first #release of #sshd-openpgp-auth and #ssh-openpgp-auth.

Using this server and client-side tooling it is possible to manage the #authentication of #SSH host keys with the help of an #OpenPGP certificate as trust anchor.

https://crates.io/crates/sshd-openpgp-auth

https://crates.io/crates/ssh-openpgp-auth

Many thanks to @wiktor for the great collaboration and #NLnet / #NGIAssure for funding this work!

#DNS #KeyOxide #KnownHosts #OpenSSH #Rustlang #Software #WebKeyDirectory #WebOfTrust #WKD #WoT

@new23d It is #BrokenByDesign on purpose because doing proper #E2EE would've upset the "#Tsec #Industry" and would've meant everything would have proper #E2EE like @torproject and that #CA's were truly #decentralized #WebOfTrust architectures like #CACert and not some begging grift of the #GAFAMs like @letsencrypt is today...

@quincy @thomasjorgensen @KatS @ErikJonker @glynmoody Well, @letsencrypt isn't that "community-run", at least not compared to #CACert which #BigTech like the #GAFAMs cockblocked out of existance or rather steam...

#LetsEncrypt is their take but wothoit #Community or a #WebOfTrust and instead a #free #CA similar to what #Twathe offered for some time...

Thinking about a greenfield project for Magic Stone. Has to do with Nostr, web-of-trust and the idea of a global town square.

I really need to learn how to write short updates and not get all epic.

#MagicStone #nostr #weboftrust

https://davidsterry.com/blog/2023/09/the-global-town-square-is-for-everyone-not-just-blue-checks/

@wedistribute Congratulations, you just cloned the #WebOfTrust that #CAcert tried to establish but got cockblocked by #GAFAMs and even @mozilla from getting off the ground because they didn't bribe said platforms with $$$$$$ to accept their certificate the same way @letsencrypt did - or at least got blessed for...

PGPainless meets the Web-of-Trust

We are very proud to announce the release of PGPainless-WOT, an implementation of the OpenPGP Web of Trust specification using PGPainless.

Big thanks to Heiko for his valuable contributions and the great boost in motivation working together gave me
Also big thanks to NLnet for sponsoring this project in such a flexible way.
Lastly, thanks to Wiktor for his talent to connect people

https://blog.jabberhead.tk/2023/07/25/pgpainless-meets-the-web-of-trust/

#certificateauthority #gpg #openpgp #pgp #pgpainless #pgpki #sequoia #weboftrust #wot

#spam ruins everything. See this post by @davidrevoy

https://www.davidrevoy.com/article980/ive-decided-to-give-up-on-my-blogs-commenting-system

When I see how psychotic people can get online I imagine a web that is open, but only to that subset of people who can be civil to each-other. Using a #WebOfTrust network, maybe it's feasible?

I started imagining this here:

https://olivierforget.net/blog/2020/web-of-ok-people/

I ended up with more questions than answers, but its would be worth a shot given where we end up when there is zero gate-keeping:

https://framapiaf.org/@davidrevoy/110770135209043458

Creating an OpenPGP Web-of-Trust Implementation – Knitting a Net

I imagine the Web-of-Trust as an old, half-rotten fishing net (bear with me); There are knobbly knots, which may or may not be connected to neighboring knots through yarn of different thickness. Some knots are well-connected with others, as ye olde fisherman did some repair work on the net, while other knots or even whole sections of the net have no intact connections left to the rest. Many connections rotted away as the yarn past its expiration date.

https://blog.jabberhead.tk/2023/07/06/creating-an-openpgp-web-of-trust-implementation-knitting-a-net/

#authentication #cryptography #openpgp #pgpainless #signature #trust #webOfTrust

"SSH key-based authentication is tried-and-true, but it lacks a true public key infrastructure for key certification, revocation, and expiration. #Monkeysphere is a framework that uses the OpenPGP web of trust for these PKI functions."

@riseup

https://riseuplabs.org/en/projects

Sounds like a cool project, is the monkey still alive? The homepage linked on that page is dead, and the only code I could find doesn't look like it's been touched in a while.

https://0xacab.org/monkeysphere

#SSH #OpenPGP #WebOfTrust

Initial release of my revived #verified accounts page: https://im.youronly.one/p/verified

^_^

#Verification #trust #WebOfTrust #TrustChain #Signing #Signed

My c.im account #verification / #verified links.

* The first one is my #LinkInBio page.
* The second link is my new #Whosum / #PossumID verication page.
* The third link is my #Keyoxide verification page.
* The fourth is my page for sending me gifts, if you want. Like my #Wishlists and places you can send tips (I no longer run ads on my blogs). (I'm planning to update this to also include a list of invite and referral codes.)

I like verification methods that can work for different services. I think it all comes down to #WebOfTrust / #TrustChain. If you can establish something is in your control, you can list your official accounts there. Any account not listed should be confirmed first.

That said, I'm thinking of reviving my “other verified accounts” page on my website, where other accounts currently not supported by Whosum, Keyoxide, and #Keybase, are listed.

#cIM

Here is a bit of a more in-depth description about what I have been working on for the #sequoia project lately (with some #archlinux related examples ):
https://sequoia-pgp.org/blog/2023/03/29/202303-pretty-graphics-for-the-web-of-trust/

#graphviz #dot #openpgp #weboftrust #wot #rustlang #svg #visualization

@tchambers Yep!

I don't know why people with websites, and org profiles, are falling for these paid verification badges. We've been doing this method since the 90s, and with rel=me, machines can readily ‘verify’ our accounts (and yet they don't).

It's understandable if they don't have a website. But, there is still other ways. If they are not techie to use #Keyoxide and #OpenPGP, then there is #Keybase. If they don't want to use any, the idea is being able to establish a chain or #WebOfTrust of sorts.

Absolutely zero cost, other than the effort and time spent.