Re: [openpgp] Overhauling User IDs / Standardizing User Attributes (was: Re: Scoped trust (signatures))

2018-06-29 02:46:28
Hi Jon,

This is slightly off-topic but...

> Heck, while you’re at it, talk to the Keybase people because they explicitly now have
> Twitter, Facebook, Github and DNS identities, along with Reddit, Hacker News, Bitcoin
> addresses, Zcash addresses, and more I’m likely missing.

From what I've seen Keybase is not interested in a purely OpenPGP solution - they want to keep the data on their site [0].

And there already is an I-D for "keybase but distributed" using OpenPGP - Linked Identities by Vincent [1]. Moreover this draft is already implemented in OpenKeychain and has verifications for Twitter, GitHub, etc. and works really well. I think the concept is proven to be working. (The only issue that I have with it is that it's using experimental UAT IDs, but because Linked IDs is just a draft it cannot get proper assignment).

I've been experimenting on a slightly different implementation of Vincent's concept (using User IDs and notations instead of Attributes, and a defined verification language) [2].

Also, a quote from Werner over the use of user attributes from 2017 [3]:

> (...) Anyway, I think that the User
> Attributes should not be extended over their use for an image.  URIs can
> simply be represented by plain User IDs and software can easily detect
> such URIs if desired.
>
> The need to implement UAT only adds more complexity for a questionable
> purpose.  Note that these image UAT were introduced due to marketing
> needs of PGP or NAT and (iirc) only specified after they had been
> introduced in their software.

I didn't agree with him back then, but after longer thought I changed my opinion - user attributes do not have any fallback mechanism - either most software supports that custom special attribute or it's practically impossible to work with them (yes, they are supported, but displayed as an opaque string [4]). And I say this as a person that added this packet "by hand" and uses it on my key.

(As a side note, photos could be expressed as links to images with a hash, that would reduce the key size significantly).

On the other hand I like the "hand wavy" approach to User IDs, I think it's underutilized :-)

Kind regards,
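
Added example, not part of the original message or of any project it mentions: a sketch of the fallback point discussed above, parsing User Attribute subpackets as laid out in RFC 4880 section 5.12. A client that knows only the image type can still show a URI carried in a plain User ID, but sees an opaque blob when the same URI sits in a custom attribute. Subpacket type 101, the `display` helper and all sample values are constructed for illustration.

```python
import re

USER_ID, USER_ATTRIBUTE = 13, 17   # packet tags (RFC 4880, section 4.3)
IMAGE = 1                          # the only attribute subpacket type RFC 4880 defines
URI = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://\S+")

def subpackets(body):
    """Yield (type, data) per User Attribute subpacket (RFC 4880, section 5.12)."""
    i = 0
    while i < len(body):
        first = body[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            length = ((first - 192) << 8) + int.from_bytes(body[i + 1:i + 2], "big") + 192
            i += 2
        else:                                # five-octet length
            length, i = int.from_bytes(body[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(body):
            raise ValueError("truncated or malformed attribute subpacket")
        yield body[i], body[i + 1:i + length]   # length counts the type octet
        i += length

def display(tag, body):
    """What a client that knows only the image attribute can show the user."""
    if tag == USER_ID:                       # always UTF-8 text, so always showable
        text = body.decode("utf-8", errors="replace")
        return [("uri" if URI.fullmatch(text) else "text", text)]
    if tag == USER_ATTRIBUTE:
        return [("image" if t == IMAGE else "opaque", f"type {t}, {len(d)} bytes")
                for t, d in subpackets(body)]
    raise ValueError(f"not a user packet: tag {tag}")

# Constructed sample data: the same identity URI carried both ways.
LINK = b"https://example.org/alice"
AS_USER_ID = (USER_ID, LINK)
# 101 is a constructed type from the private/experimental range (100-110).
AS_ATTRIBUTE = (USER_ATTRIBUTE, bytes([len(LINK) + 1, 101]) + LINK)

if __name__ == "__main__":
    for tag, body in (AS_USER_ID, AS_ATTRIBUTE):
        print(tag, display(tag, body))
```

The decoded User ID is still untrusted, key-holder-supplied text; recognising it as a URI says nothing about whether the link has been verified.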
