Featured image of post Verifying yourself online without paying $8

Verifying yourself online without paying $8

The reality of the Internet in November 2022

As I’m writing these lines in early November of 2022, the new chief twit started turning Twitter into a postapocalyptic hellscape.

Twitters blue checkmark1 used to be a form of verification, so that you could be sure that it’s not some impostor but in fact the real Stephen King who thinks you’ve lost it, Elon. Soon the blue checkmark will prove that you’ve got a spare $8 a month and you have lost it, too.

Update 1: It’s actually going to be gray.

Update 2: The chief twit just stopped it.

Update 3: Sorry, I lost track. It think it’s back, it’s actually blue and someone was impersonating a number of US president and this seems to be the reality we live in now.

This raises the question how the rest of us can prove that we’re actually who we are online. Or even better: How can we claim online identities in a decentralized and (by practical means) anonymous way so we can prove that they belong to same individual?

Disclaimer

This blog post contains cryptography which I’m not an expert on and which I - in parts - consider wizardry. All I can say is this: Keep your private keys safe. Create a secure backup. Store it at a safe location. Practice recovering it. Read up on how this is done. Use a password safe.

Bidirectional linking

How can I proof that tonick.net is actually my domain? Well, I got proof in my DNS TXT record. Check it out here or try it yourself.

$ dig -t txt tonick.net +short
"openpgp4fpr:1746113F877E72AC51E75B970E41827D76D10766"

This is my OpenPGP fingerprint and only I could have placed it there, right? You’ll also find this on my Mastodon profile, on my Twitter feed and in my GitHub gists.

“Well, yes” I can hear you say “but anyone could put your fingerprint on anything.”

This is true but this is where bidirectional linking comes in: By providing a signed directory of locations on where to find these fingerprints.

OpenPGP notations

The OpenPGP Message Format specifies so called notation data – additional key-value fields for arbitrary data signed into the public PGP key. These notations are where we can put our claims and since all our claims differ slightly we do this by following a spec named Ariadne.

For example the claim to my domain looks like this:

proof@ariadne.id=dns:tonick.net?type=TXT

So you could take my public PGP key, look up where to find the claim to tonick.net and verify that the DNS TXT record actually matches my PGP key’s fingerprint. You could put my fingerprint into your DNS record - but it wouldn’t show up in my claims. You could put a claim to my domain in your public PGP key - but it wouldn’t match the fingerprint on my DNS record.

I can prove that this is my domain.

Keyservers and Keyoxide

Providing you with my public PGP key is tedious, so it’d be convenient to provide it publicly available on a keyserver like key.openpgp.org. But this still leaves you with having to process it, find the claim, look it up and check if the fingerprints match.

Keyoxide is a tool to verify such claims by automating the required steps. Since it doesn’t require you to set up an account, you could also host the web-client yourself or use the CLI.

The process is simple: You look up my e-mail/fingerprint on Keyoxide, Keyoxide retrieves my public PGP key from the keyserver, extracts my claims and tries to verify them. I set up a subdomain for that because it looks nice: id.tonick.net

Ok, how do we get there?

Here comes the crypto part … There is an extensive tutorial on docs.keyoxide.org but here is the very quick rundown for adding a claim to your Twitter account.

  1. Generate a key-pair.

    Accept the defaults, set the expiry date to 2 years (2y) (maybe set a reminder for a renewal).

    Next, provide a name and an e-mail address. Remember that you’re not necessarily building a passport for your true self but maybe for a persona? Confirm when you’re done and secure it with a safe passphrase when prompted. At the end it will yield the PGP fingerprint as a 40-character hex-string.

    $ gpg --full-gen-key
    

    After this, you’ll see your PGP fingerprint.

    #...
    pub   rsa3072 2022-11-10 [SC]
        9C49496321CBD88DC97114CAEA32CF6CABDA5EB1
    uid                      Foo Bar <test@example.com>
    sub   rsa3072 2022-11-10 [E]
    
  2. Go to Twitter account and post a tweet containing openpgp4fpr:<your_fingerprint> so openpgp4fpr:9C49496321CBD88DC97114CAEA32CF6CABDA5EB1 in this example.

  3. Get the link to your Tweet by copying it from your Tweet’s date/time info.

  4. Add a notation with your claim. To do this, edit your key with gpg --edit-key '<fingerprint', then select your identity with uid 1 assuming you have only one so far. Provide your passphrase when prompted. After adding your claim, save everything.

    $ gpg --edit-key '9C49496321CBD88DC97114CAEA32CF6CABDA5EB1' 
    gpg> uid 1
    gpg> notation proof@ariadne.id=https://twitter.com/yourtwittername/status/125733456211260381184
    gpg> save
    
  5. Export your key

    $ gpg --export --armor test@example.com > pubkey.asc
    
  6. Upload your pubkey.asc to key.openpgp.org. After your mail address has been verified you’re good to go and you can check the result on Keyoxide by providing your PGP fingerprint or your e-mail address.

  7. Repeat steps 2 through 6 as needed for other services. There is a list in the Keyoxide docs.

Conclusion

I like the idea of bidirectional linking as a proof of holding and I think the concept itself is easy to understand. The implementation however is expert level. Giving you a speedrun through something as complex as public key encryption feels reckless at least and we haven’t even talked about subkeys, renewals or revocations.

On the other hand it’s a bit of a predicament: Should there be providers handling the ugly terminal parts for you? How could this be done without establishing another centralized instance?

However: You’re now able to get as many checkmarks as you like. I’m sorry they’re not blue. Or white. Or whatever.


  1. I’m well aware that it is in fact white. ↩︎

Built with Hugo
Theme Stack designed by Jimmy