This is Hacker Public Radio, episode 3756, from Monday the 26th of December 2022. Today's show is entitled "Verify Yourself on Mastodon with PGP and Keyoxide". It is hosted by Klaatu, and is about 32 minutes long. It carries a clean flag. The summary is: verify your Mastodon account using GnuPG and keyoxide.org.

Hi everybody, this is Klaatu, and wow, is Mastodon popular all of a sudden. I want to talk about getting "verified" (there are air quotes around verified) on Mastodon. This is kind of a big topic, because as people look at Mastodon as a potential platform for their microblogging needs, they apparently want to make sure that they're the only one of them on that platform, which, if you think about it, is kind of funny. As easy as it is to get an email address under anybody's name, it seems to me like people would not be that scared of a thing that didn't have complete certainty that you were the only one of you on the platform. There's potential aplenty for tricking people into thinking that I am someone else online. It's not something that's unique to Mastodon, and quite obviously it wasn't unheard of on what people are going to Mastodon to get away from, which is of course Twitter. But I guess Twitter had a system by which someone somewhere would award you a blue circle with a white checkmark in it, as long as you could convince them that you were who you said you were. If you got the blue circle with a white checkmark, then everyone on the internet had to agree, under legal obligation, that that account was really you. And of course that obviously doesn't truly check out, right? That's not a system of verification. That is a system of claiming an identification. There's no guarantee ever that the person on the other side of the computer that you are reading the tweets from was the physical DNA specimen that you believed it was.
But people seem to have a lot of confidence in that blue circle with a white checkmark in it, and so they want to see something similar on Mastodon. Mastodon does not have a blue circle with a white checkmark, or rather it does, if you want to add it to your profile name: you can find an emoji of that symbol and type it into your profile name, and then you suddenly have a blue circle with a white checkmark in it. But Mastodon does award green checkmarks in your profile. Well, I say Mastodon; Mastodon doesn't really do anything, it's just a platform. You are able to give yourself a green checkmark. How do you do that? Well, the easy way is to go into your profile, go to edit your profile, and scroll down through the different preferences until you find something called verification. Under verification there is a link. It's just a normal a href, so it's an HTML tag that actually points back to Mastodon: it's a link to your profile. The significant thing about it, though, is that it has a special attribute called rel="me". So, in my case:

<a href="https://mastodon.xyz/@klaatu" rel="me">follow me on social media</a>

So it's just a normal old HTML hyperlink, except it has this special attribute that claims rel="me", and of course the href attribute is pointing to the Mastodon profile that you want the green checkmark to be awarded to. What do you do with this link? Well, you go and put it on a website that people on the internet agree that you control, or that you actually do control. I mean, I guess it doesn't actually matter that people on the internet acknowledge that, but if you have the ability to put that link on a website, then you put the link on that website.
You tie these two together, the Mastodon profile and the random website that you control enough to put that link on. You tie them together by pasting the URL where that link appears into your Mastodon profile, and then the Mastodon interface sees that there's a web address in your profile. It checks the location, the destination, of that web address. If it finds <a href="..." rel="me"> at that location, then it puts a green checkmark by that web address. So all you're doing is confirming that the same entity controlling your Mastodon account is the same entity controlling a website, and really, honestly, that's practically as good as online verification gets. You can confirm through this that the same person did two different things at two different places, more or less, and you can't confirm that that person is the same person that you shook hands with at that one technical conference. They might have someone doing their bidding, you don't know, but you do know that they have at least knowledge of, and control over, both of these web locations.
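The check the Mastodon interface performs on the linked page, as an added example that is not from the episode or from Mastodon's own code: a small POSIX shell verifier run over a constructed sample page that carries the episode's link plus two decoys, one with the right href but no rel="me" and one with rel="me" pointing at a different profile. It assumes double-quoted attributes and accepts both <a> and <link> tags.

```shell
#!/bin/sh
# Added example: reproduce, in shell, what Mastodon checks when you paste a website URL
# into your profile: does that page contain an <a> or <link> whose rel contains the
# token "me" and whose href is exactly your profile URL? (Assumes double-quoted attributes.)

# rel_me_hrefs FILE: print the href of every <a>/<link> tag whose rel includes the
# token "me", one per line, regardless of attribute order.
rel_me_hrefs() {
  tr '\n' ' ' < "$1" \
    | grep -oE '<(a|link) [^>]*>' \
    | grep -iE 'rel="([^"]* )?me( [^"]*)?"' \
    | sed -E 's/.*href="([^"]*)".*/\1/'
}

# check_rel_me FILE PROFILE_URL: exit 0 only if one of those hrefs equals PROFILE_URL exactly.
# Exact match matters: a rel="me" link to someone else's profile must not verify yours.
check_rel_me() {
  rel_me_hrefs "$1" | grep -qxF "$2"
}

# write_sample_page FILE: constructed sample page for the demo (not a real site).
# It carries the link from the episode plus two decoys that must NOT count.
write_sample_page() {
  cat > "$1" <<'EOF'
<html><body>
<p>Hi, I'm Klaatu.</p>
<a href="https://mastodon.xyz/@klaatu">plain link: right href, no rel="me"</a>
<a rel="me nofollow" href="https://mastodon.xyz/@someone-else">decoy: rel="me", wrong profile</a>
<a href="https://mastodon.xyz/@klaatu"
   rel="me">follow me on social media</a>
</body></html>
EOF
}

# Stand-alone usage:
# page=$(mktemp); write_sample_page "$page"
# check_rel_me "$page" "https://mastodon.xyz/@klaatu" && echo verified
```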
That's pretty good verification for internet stuff, about as good as you can get, and I do say about. I was having a conversation with someone on Mastodon about these concepts, and I found out through this conversation that there's a new project (I say new; new to me), a project called Keyoxide, that's k-e-y-o-x-i-d-e dot org, keyoxide.org. Keyoxide is a project that wants to sort of tether your PGP key, or GnuPG, whatever, your Pretty Good Privacy cryptographic key; it wants to tether that key to your Mastodon profile. This way you can now confirm to your own encrypted key, well, the public key to which you hold the secret key. So Keyoxide just makes it easy, well, I say easy, it is attempting to make it easy, for you to make changes to your encrypted key chain that can then be verified by other online applications. The documentation is a little bit rough; there's no sense of a sort of a workflow. So I'm going to attempt to distill all of that here now into easy-to-follow steps, so that if you want to verify your Mastodon account, or some other account, by your encrypted key, then you're able to do that.

The advantage to this, by the way, before we get started, is of course the web of trust that PGP encourages you to build. Now, if you're like me and you haven't built a web of trust, really it's kind of useless. Actually, I say I haven't built a web of trust; I've built a small web of trust, although I haven't had that web of trust sign my key. It's been a purely functional web of trust: certain people do email me with PGP-encrypted emails using my public key, and I email them back using their public key, so there is trust there. It's simply that I can't prove to you, dear listener, that there's trust, because I haven't had anyone sign my key. But that's my shortcoming. Anyway, the point is, if you want to build a ring of trust, a web of trust, in your key ring, then you can do that, and then people can look at your GPG key, look at your Mastodon account and other things that you've linked back to your Keyoxide profile page, and kind of confirm that, again, the entity controlling this encrypted key, who other people believe to be authentic because they've met them and signed their key to attest that yes, this human does have access to this key, that bolsters trust in that key. And so now it does start to seem like, yeah, that probably is the same human doing things online, because they keep pointing back to this key which other humans have confirmed was physically present, as it were, along with the actual human whose hand they shook when they were signing the key.

Okay, so how do you work with Keyoxide? The Keyoxide documentation is there; if you can make heads or tails of it, congratulations. Here's what I've got for you, though. I'm going to take you through the whole process without assuming that you even have a key created. Now, if you do have a key created, you should pretend like you don't have a key created. I'm not saying create a new key; I'm just saying listen to every step, because there were some surprises along the way that really, really shocked me, because I thought I had GPG as figured out as anybody else could. I mean, it's a pretty big system, it's a lot to take in, but I use it a lot, I feel relatively comfortable with the commands, I felt like I knew where to look when I needed to reference a command component that I didn't know, and yet there were still surprises. So please, if you want to go down this path, just pretend like you're completely new to all of this. You will thank yourself later.

Okay, so the first thing you want to do is generate a key. Like I say, if you already have a key generated then you don't have to do that, but I'll just pretend like you don't, just so we hear all the steps. So the first thing you do is, let's use gpg2, I find that easier to use myself, so I'm going to do gpg2 --full-generate-key. So these are all the prompts. Your first question is going to be RSA and RSA, which is the default, or you can do DSA and Elgamal, or DSA sign only, or RSA sign only. I'm just going to go with 1, which is the default. And then it asks me what kind of key do I want; it can be from 1024 to 4096 long. It says what key size do you want, and the default is 3072. I'm just going to go for broke: 4096. Should this key expire? I'm going to say no; I'll revoke it if I need it to expire. Is this correct? Yes. Okay, now it needs information about me, so I'm going to put down that my real name is Klaatu, my email is klaatu@example.com, a comment, I don't need a comment. Is everything okay? Yes, everything's okay. Now I need a passphrase for this thing: bogus123, bogus123. And now it's asking me to generate some entropy by moving my mouse around and moving windows around. If you're on a modern system it doesn't take long; it used to take quite a while. There we go, looks good. It spits out sort of a report for me, and that is that I now have a key, and there's this big long string of numbers, 22420E4438 and so on. That's an identifier for your key. You're going to need that, so don't close your terminal yet; you're going to use that next.

But before we do that, I'm going to pause and say: what if you already had a key? If you've already got a key, then all you need to do really is find out that big long number, that fingerprint. If you don't have that already, it's easy to get: you just do gpg2 --list-secret-keys, and it gives you a report on all the secret keys that you hold. Find the one, if you have more than one secret key, and you might: you might have a secret key for KWallet, a secret key for your personal emails, a personal key for your work email, who knows. So find the one that you actually want to use. Here's klaatu@example.com; I'll select that. It shows you the big long number, so this is good, that's an identifier that you can use pretty consistently throughout this process.

So now we're going to edit this key that we just created: gpg2 --edit-key, and then you're going to paste in the big long number, the fingerprint; I'll call that the fingerprint from now on. All right, so that kind of dumps us into a gpg prompt, and right above the prompt are some details about this key. It's telling us things like, what is it telling us, I don't know, a secret key, it's a sec, not a pub, public, secret, so this is a sec key that we're looking at, rsa4096, great, created today, expires never, and so on. So it gives us some information. What we need to do is add something called a notation. Now, I didn't know notations existed; I didn't know that was a thing until this process, so that's one of those things that I learned from doing this, so that was kind of cool. But the way that we do that is we just type in, well, actually, you know what, right now you probably only have one user ID. If you just created this key, you probably only have one user ID associated with this account, and you see the name of that user ID; it says ultimate, 1, Klaatu, klaatu@example.com. So that's indicating to you that there's one email address associated with this secret key, and that's pretty typical. Me, I have lots of email addresses associated with my keys, because I've either changed emails, or I have different emails for different audiences, or whatever, or I have different versions of the same email: my work email has both my first name and my first and last name, I have both available at my work. So you might have more than one UID. You need to appoint one as the primary user. So if you need to do that, you type in uid. Oh, okay, well, I can't do it because I only have one. So you type in uid, you hit return, and then, no, you know what, maybe I can do it. Yes, okay: uid space 1, that's what you type, sorry, uid space 1, or whatever, you know, 1, 2, 3. Let's say you have three: klaatu@example, klaatu.einzelganger@example, and klaatu@hackerpublicradio.org. Whichever one of those I want to have as the primary user of this key, and I do need to designate one, I would do uid space and then the number of that user ID. You then get a little asterisk by that number; that's the selected UID. Now at the prompt you just type the word primary. It's asking me for confirmation, so I type in my password, and I've just designated myself as the primary user of this key. That is significant; you should do it.

Okay, next I'm going to add a notation. This is the part that Keyoxide specifically requires for Keyoxide to function correctly; this is the thing that Keyoxide looks at, actually. So: notation, enter. "Enter the notation:", it says. All right, so this is special code that Keyoxide recognizes. It is the word proof, p-r-o-o-f, as in prove it, proof, proof at ariadne, a-r-i-a-d-n-e, that's alpha romeo indigo alpha delta november echo, dot id, that's indigo delta, equals the path to your Mastodon profile. So it could be https://mastodon.xyz/@klaatu; that's me on Mastodon, by the way, follow me if you'd like to. That takes you to a profile page. You need to know your Mastodon handle, which is, you know, the @ and then some word that's kind of your account, and you need to know the server on which your Mastodon account is hosted; that's the Mastodon instance, and there are lots out there. There's mastodon.social, there's mastodon.xyz, there's mastodon techhub dot org or com or something, lots are out there. You'll know what it is, because that's the site you go to to log into Mastodon. So you're just pointing this proof@ariadne.id at your Mastodon user page, the one that you want to authenticate, or rather verify, using this key.

All right, so I've just hit return again, so that's been taken. You don't get to see your notation. To see the notation, if you don't believe that it's there (it hasn't been saved yet, by the way), you can do showpref, all one string, showpref, s-h-o-w-p-r-e-f, hit return, and then you get to see extra data about your key, including notations, so you will see the notation there. I'm going to type save, and that saves what I've just done, and it boots me out of gpg. Now I'm back to my normal terminal prompt.

Now stop. If you're familiar with gpg, and you're like me, you probably think you know what to do next. You think you're going to type in a command to update your key to a key server somewhere. Don't do that. Honestly, you have to do it a different way. If you are a glutton for punishment, please, by all means, do it some other way and let me know what happens, because I had a bunch of failed attempts at this, and it didn't work until I did exactly these steps that I'm about to give you. But I had so many failed attempts that I can't figure out if the failures were because I was not doing what I'm saying you should do, or whether I was just doing what I was doing incorrectly. But I honestly think that this is exactly what you have to do. You have to go to keys.openpgp.org. Now, I mean, everything in me says that there shouldn't be anything special about that particular server, and as far as I know there isn't, but you do need to, I think... First of all, don't listen to me: there's something special about that server. You have to do it at openpgp.org or none of this will work. Okay, that's what I want to say, or that's what I need to say, because that was my result, so that's the provable result. I've done this once, and then I got tired of the equation and just decided that I was going to use that as the canonical correct way to do this. You should be able to go to pgp.net.nz:11371 or any of your favorite key servers and do this same process; I'm just telling you that what worked for me was going to openpgp.org. So if you try a different server and it works, let me know, and just confirm that I was just doing something wrong all along.

But the thing about keys.openpgp.org is that you can upload a key, and I know you're thinking, no, Klaatu, I don't need to do this, I've already done this, I've done a send, I've sent it to the servers in a terminal, it's fine, I'll just do it my way. I'm telling you, don't do that. Go to keys.openpgp.org, click upload, even if you've already uploaded your key, click upload, and then it's going to tell you to upload your key. Well, in order to do that you need a nice little tidy key file to upload. So back in your terminal you're going to do gpg --, or I think you can do gpg2 --armor --export, and then the email of the user ID that you want to export, or of the key that you want to export, so that's klaatu@example.com, for instance, in this scenario, redirected to pubkey.asc. That's the correct way to export all the metadata out of your key chain, or your key box, into a little self-contained file. Okay, now you've got that, so you can click upload on keys.openpgp.org, select that .asc file and upload it. If it already has a key that matches that key, don't worry, it will just update your existing key, or whatever it does, I don't know, I've never run a key server, but it overwrites it or patches it or whatever it does. It's not like you're going to have duplicates on there or anything; the most recent version will be there. Once your file is uploaded, and it doesn't take but a moment, it's a very small file, once it's uploaded, keys.openpgp.org gives you the option to get a confirmation email. This is the thing that was new to me. I've never seen this before in my life, didn't know it was a thing, didn't know it was possible. I don't know if it's something specific to openpgp.org, I don't know, but you can click on the confirmation email thing. It will send an email to the email address that you've got in that key, and then you can respond to that email, and then there's confirmation that yes, that key exists, and yes, it actually does have the authority to lay claim to that email address. So do that. That's the missing component for me; that was the missing component for about a day. I kept uploading my key just manually in a terminal with the gpg2 option to upload the key, or --send-key, and that just wasn't doing it. It wasn't sending the notation, it wasn't sending, I think, the primary user; there was a bunch of stuff that it just wasn't sending. So don't do that. Gotta do it through keys.openpgp.org, or else this whole thing will be for naught.

All right, so once you've got that, go grab a cup of coffee. If you've heard my podcast, gnuworldorder.info, you'll know that I always tell people to go get a cup of coffee about halfway through the show, but in this case I actually mean go get a cup of coffee, because you're going to have to wait for the confirmation email to come through, then you're going to have to wait for the key servers to synchronize around the globe, so this could take a wee while. It won't take all day, I don't think, but it'll take a cup of coffee. So go get a cup of coffee, and then come back and complete the mission.

What's the mission again? Oh yes, we're trying to tie this Keyoxide thing to our Mastodon profile. What have we done so far? Well, we've generated a key; you may or may not have already had a key, so maybe you skip that step, it's fine. We've added a notation to our existing key, and we've set a primary user for our existing key. We have uploaded the key to keys.openpgp.org. We have clicked a button to get a confirmation email. We have responded to the confirmation email by clicking the link, you know, in the email, the little confirmation link. That's where we are right now.

This is an exciting moment, because this is where it all comes together. Remember the key fingerprint that I had you remember earlier? Well, don't worry if you don't, that's fine. It's probably in your history, first of all, but you can also, at any time, do gpg2 --show..., no, --list-secret-keys, and list your secret keys. Look through there, find the one associated with the email address in question, and notice that there is a big long number just above the user ID section. That's your fingerprint, so copy that, and now go to keyoxide.org/hkp/ and then you paste in the fingerprint. You see a little profile page for yourself. Now notice, you haven't like opened an account with Keyoxide, you haven't registered for Keyoxide. All it's doing is verifying, it's looking at your key and it's verifying, or it's parsing, that information; that's all it's doing. So you're telling Keyoxide to go look up that key by that fingerprint. It is reading the key that it finds and it's parsing it. It's finding out the user ID, the primary user of that key, it's finding out the email address, it's finding the fingerprint, and then, I guess most importantly in this scenario, it is also finding the link, the proof@ariadne.id data that you've put into the notation field. And as I look at mine, it does appear here; in fact, it's a little bit weird looking right now. It just says "--- klaatu@mastodon.xyz". What's the dash dash dash? It looks like some weird signature file or something. No, this is essentially an unused proof. This is a notation that you've put into your key, but you haven't utilized anywhere yet.

How to utilize this? Well, go up to the URL bar of your browser and just copy it; it's keyoxide.org/hkp/ and then the fingerprint. Go to your Mastodon profile, where you got your little verification link in the other exercise. So I'm just going to go to Mastodon, click edit profile, and then scroll down to a section called profile metadata. There are four different fields: label, label, label, label; content, content, content, content. And so I'll just type in, I don't know, gpg, and then in the content I just paste the Keyoxide link, keyoxide.org/hkp/ big long fingerprint. Looks good, and then I'm going to click save changes, go back to Mastodon, click on my name, and sure enough, my profile now has a gpg property with a little green tick mark by my keyoxide.org/hkp/blah blah blah, and that's a clickable link too. So if someone was to click on that, because they don't know what Keyoxide is yet, they can click on it, and there's my profile, there's the data from my key. And certainly, if they're savvy enough to know what that means, to care about that, then they can take that fingerprint, they can look that up on the key server within gpg and add my public key to their keychain. They can look at who else has signed my key (nobody), and make a judgment call. They can decide whether this means that I am more or less trustworthy than had I just taken a verification link from my Mastodon profile and put it on a website that I control. Is one worth more than the other? Well, like I say, in my case, in its current state, I don't really feel like this is worth anything beyond what just having a link on a website would offer, because I don't have a ring of trust that I've built. I need to go to a key signing party, I need to meet people, I need to tell them my actual identity, I need to present them with a key bearing that name, and then have them sign it, and so on. That's what I need to do, and I haven't done that. So I don't have a web of trust built up around my cryptographic key. It's not worth a whole lot. Anyone could make a cryptographic key, put my email into it, and then they would have a profile on Keyoxide that claims to be me. Now, would I personally ever link to that key? No, I wouldn't, and so there would be the break in trust there: the fact that I never referenced that Keyoxide instance or that GPG key. And the same goes, frankly, for a website, right? I mean, anyone can get a website, put my information into it and say that it's my website, but then if my Mastodon account never links back to that website, and vice versa, then there's no reason to believe that my Mastodon instance, or my Mastodon account, recognizes that website. So this is, in both cases, at their most basic, just mutual confirmation that yes, I acknowledge the existence of this, and I can prove to a high level that I have control over both of these things. But if you go the Keyoxide PGP route, then you can go out and use the system built into PGP to get other humans to vouch for you cryptographically.

I hope this has been useful. I think that this is a really kind of important topic. Verification on the internet is a really tricky subject. I think a lot of people, I know a lot of people, don't really think about it that often. The fact that Twitter was able to be the deciding factor in who was real or suspect for years, I mean, we lived with Twitter for years, I guess we're still technically living with it, and they were the sole arbiter of whether you got a checkmark by your name. And who was it, who was Twitter, why, who, what was the process? There's no transparency there; there's no real trust built in around Twitter. So at least with GPG, PGP, you do have trust that you can build in. So this is an important topic; I think it's a big one. So definitely, if you're using GPG, or if you're interested in starting to use GPG, or Pretty Good Privacy, and you're using Mastodon, then by all means have a look at Keyoxide.
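The key-side steps from the episode (generate, select the UID and mark it primary, add the proof@ariadne.id notation, export pubkey.asc for keys.openpgp.org) as one added, stand-alone shell example; this is not code from the episode or from Keyoxide, it uses a throwaway passphrase-less key in a temporary GNUPGHOME for the demo only, and the Mastodon URL and email are constructed sample values. It goes one step beyond the episode by checking that the notation actually survived into the exported file, which is what the key server and Keyoxide will see.

```shell
#!/bin/sh
# Added example: run the Keyoxide key-side steps from the episode non-interactively.
# Assumes GnuPG 2.x is installed as "gpg" (the episode's gpg2). Nothing here touches
# your real keyring: everything happens in a throwaway GNUPGHOME created per run.

# keyoxide_prepare_key PROFILE_URL USER_ID
#   PROFILE_URL: the Mastodon profile the proof should point at (e.g. https://mastodon.xyz/@klaatu)
#   USER_ID:     the key's user ID, "Name <email>"
# Prints the Keyoxide profile URL (keyoxide.org/hkp/<fingerprint>) and the path of pubkey.asc,
# and returns 0 only if the exported file really carries the proof notation.
keyoxide_prepare_key() {
  profile="$1"; userid="$2"
  GNUPGHOME=$(mktemp -d) || return 1
  export GNUPGHOME

  # Step 1: generate a key. The episode uses --full-generate-key interactively;
  # --quick-generate-key with --batch is the scriptable equivalent. The demo key has no
  # passphrase (demo only), and "never" matches the episode's answer to "should this key expire?".
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$userid" rsa4096 default never 2>/dev/null || return 1

  # The "big long number": the primary key's fingerprint from the machine-readable listing.
  fpr=$(gpg --batch --with-colons --list-secret-keys | awk -F: '/^fpr:/ {print $10; exit}')
  [ -n "$fpr" ] || return 1

  # Step 2: edit the key. --command-fd 0 feeds the gpg> prompt from stdin:
  #   uid 1      select the user ID
  #   primary    mark it as the primary UID (Keyoxide reads the primary UID)
  #   notation   then, on the next line, the notation exactly as typed in the episode
  #   save       write the changed self-signatures back
  printf 'uid 1\nprimary\nnotation\nproof@ariadne.id=%s\nsave\n' "$profile" \
    | gpg --batch --quiet --command-fd 0 --pinentry-mode loopback --passphrase '' \
          --edit-key "$fpr" >/dev/null 2>&1 || return 1

  # Step 3: export the armored public key; this is the file you upload at keys.openpgp.org.
  gpg --batch --armor --export "$fpr" > "$GNUPGHOME/pubkey.asc" || return 1

  # Check: the notation must be inside the exported file, not just in the local keyring.
  # --list-packets dumps the self-signature subpackets, notation included.
  gpg --batch --list-packets "$GNUPGHOME/pubkey.asc" 2>/dev/null \
    | grep -q "proof@ariadne.id=$profile" || return 1

  echo "https://keyoxide.org/hkp/$fpr"
  echo "$GNUPGHOME/pubkey.asc"
}

# Stand-alone usage with constructed sample values:
# keyoxide_prepare_key "https://mastodon.xyz/@klaatu" "Klaatu <klaatu@example.com>"
```

The two printed lines are exactly what the rest of the episode needs: the first goes into the Mastodon profile metadata field, the second is the file for the upload form.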
The process is not well explained on the website; I have hopefully explained it to you a little bit better now. Use it, verify; I think you'll be glad that you did. Thanks for listening.

You have been listening to Hacker Public Radio at hackerpublicradio.org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive and rsync.net. Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International license.