This link explains it in quite a bit of detail: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
@sheogorath @switchingsoftware @rob @wiktor @hoptank Thanks, that's useful. It's a little annoying that the author used the term "certificates" (which is SSL jargon). We say "public key" & "private key" when discussing #PGP. Anyway, glad to know about key poisoning, and why I've been unable to get old keys removed from keyservers.
Certificate is a very regular term; it just happens to be mostly known from X.509, because that's the most common use case in, e.g., TLS. But we also have non-X.509 certificates for SSH or, as you noticed, OpenPGP. A certificate is basically a public key signed by another private key which attests to its validity. Therefore certificate is a universal term but NOT THE SAME THING as a public key.
Yep, as it has been said WKD is definitely the way to go. If one doesn’t control their domain https://keys.openpgp.org is an alternative but with some caveats.
As for “OpenPGP key based verification of accounts” that Sheogorath mentioned this is something that I took from Keybase, tweaked a little and made decentralized.
Check out this page: https://metacode.biz/openpgp/key#0x653909A2F0E37C106F5FAF546C8857E0D8E8F074 It’s completely generated from my OpenPGP key fetched from https://keys.openpgp.org
Currently there are no pretty wizards to add proofs to your keys so it’s manually adjusting your social profiles (GitHub, HackerNews, Mastodon, etc.) and manually adding proof links to your OpenPGP key. For details see: https://github.com/wiktor-k/openpgp-proofs#for-users
If you then push your updated key to https://keys.openpgp.org the key info page will generate something similar to my key.
Ooops, forgot to mention Rob on that one 👆
In short: I did a PoC on keybase-like social proofs.
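The proofs described above live in the key as OpenPGP notation data subpackets. The following is an added example, not code from the original thread or from the openpgp-proofs project: it builds and parses the RFC 4880 notation subpacket layout (four flag bytes, two-byte name and value lengths, then name and value), picks out `proof@metacode.biz` notations that point at https URLs, and checks each linked page for an `openpgp4fpr:<fingerprint>` marker. The notation name is the one the openpgp-proofs README uses; the exact marker text expected on the proof page, the example URLs and the page bodies are constructed assumptions for an offline run, and the fingerprint is the one from the key page linked above.

```python
"""Build, parse and check OpenPGP proof notations (added example, offline)."""
from __future__ import annotations

import struct
from typing import Callable, Iterable

# RFC 4880 section 5.2.3.16: a notation data subpacket is 4 flag bytes,
# a 2-byte name length, a 2-byte value length, then name and value.
# Bit 0x80000000 in the flags marks the value as human-readable text.
HUMAN_READABLE = 0x80000000
PROOF_NOTATION = "proof@metacode.biz"  # notation name used by openpgp-proofs


def encode_notation(name: str, value: str) -> bytes:
    """Serialise one human-readable notation into subpacket body bytes."""
    n, v = name.encode("utf-8"), value.encode("utf-8")
    return struct.pack(">IHH", HUMAN_READABLE, len(n), len(v)) + n + v


def decode_notation(data: bytes) -> tuple[str, str]:
    """Parse subpacket body bytes back into (name, value), length-checked."""
    if len(data) < 8:
        raise ValueError("truncated notation subpacket")
    flags, nlen, vlen = struct.unpack(">IHH", data[:8])
    if len(data) != 8 + nlen + vlen:
        raise ValueError("notation length fields do not match payload")
    if not flags & HUMAN_READABLE:
        raise ValueError("proof notations must be human-readable")
    name = data[8:8 + nlen].decode("utf-8")
    value = data[8 + nlen:].decode("utf-8")
    return name, value


def proof_urls(notations: Iterable[tuple[str, str]]) -> list[str]:
    """Keep only proof notations whose value is an https URL.

    Plain-http proof links are dropped: an attacker on the path could
    serve the marker for any fingerprint they like.
    """
    return [v for k, v in notations
            if k == PROOF_NOTATION and v.startswith("https://")]


def verify_proof(url: str, fingerprint: str,
                 fetch: Callable[[str], str]) -> bool:
    """True if the fetched page contains openpgp4fpr:<fingerprint>."""
    marker = f"openpgp4fpr:{fingerprint}".lower()  # assumed marker format
    try:
        body = fetch(url)
    except KeyError:  # offline fetcher: unknown URL behaves like a fetch error
        return False
    return marker in body.lower()


FINGERPRINT = "653909A2F0E37C106F5FAF546C8857E0D8E8F074"

# Constructed stand-in for the network: URL -> page body. Hypothetical URLs.
SAMPLE_PAGES = {
    "https://gist.github.com/example-user/abc123":
        "[Verifying my OpenPGP key: openpgp4fpr:"
        "653909a2f0e37c106f5faf546c8857e0d8e8f074]",
    "https://social.example/@example-user":
        "<p>Bio without any proof marker</p>",
}


def fetch_offline(url: str) -> str:
    return SAMPLE_PAGES[url]


# Constructed notations as they would be read out of a key's self-signature.
SAMPLE_NOTATIONS = [
    (PROOF_NOTATION, "https://gist.github.com/example-user/abc123"),
    (PROOF_NOTATION, "https://social.example/@example-user"),
    (PROOF_NOTATION, "http://insecure.example/proof"),
    ("preferred-email-encoding@pgp.com", "pgpmime"),
]


def check_key(notations: Iterable[tuple[str, str]], fingerprint: str,
              fetch: Callable[[str], str] = fetch_offline) -> dict[str, bool]:
    """Map every acceptable proof URL in the key to its verification result."""
    return {u: verify_proof(u, fingerprint, fetch) for u in proof_urls(notations)}


if __name__ == "__main__":
    packets = [encode_notation(n, v) for n, v in SAMPLE_NOTATIONS]
    decoded = [decode_notation(p) for p in packets]
    for url, ok in check_key(decoded, FINGERPRINT).items():
        print(f"{'OK ' if ok else 'BAD'} {url}")
```

To run this against a real key, replace `fetch_offline` with an HTTPS fetcher and feed `decode_notation` the notation subpackets from the key's self-signatures; the rest of the logic is unchanged. Note that a match only proves control of the linked page at fetch time, so the check should be repeated rather than cached indefinitely.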