Fine thanks!
A question: did you consider separating the crypto functionality that can be executed in the browser and the identity-related ones into two different applications?
While I don't like crypto done in JavaScript, I think a clear separation of concerns would reduce the attack surface.
@Shamar Those concerns are valid. There are definitely plans to make a CLI tool for the distributed identity proofs. I suppose such a tool could be the backbone of the proof verification displayed online. Would that solve your concerns or is even more separation needed?
Actually, a clear separation between encryption & signing on one side and identity management on the other would allow separating packaging, deployment and upgrade.
For example, you could install the browser-only system on a server that does not provide any server-side scripting.
This would reduce the attack surface both for the server and for the visitor.
It's not safe(TM) anyway, but it could be useful in some self-hosted system.
@Shamar right! So I should make an API, basically? Every website, my own or anyone else's, can request to verify the proofs of a key. That's the idea, right? I could see that happening.
@Shamar (almost) fully in the browser. Some like it, some don't.
"Almost" because websites fight you a little bit when trying to prove someone's identity. In these rare cases, the server handles the verification process.
Other than that, everything related to encryption and signature verification all happens in the browser!