Hi @rob,

I'm not aware of a single drop-in replacement for #keybase 🤔 Here are some ideas:

💬 End-to-end-encrypted chat
- #Matrix / #Riot
- #XMPP with OMEMO encryption

🔒 Encrypted Storage
- #Nextcloud
- maybe #Syncthing for some use cases

🔗 Linking keys to accounts
- Sorry, I'm inexperienced here 😅
- for PGP keys: Public PGP key servers
- for Mastodon: profile link to website with key infos + "rel=me" link

Gonna share your post for more feedback on this 🙂


@switchingsoftware @rob@fosstodon.org For OpenPGP keys, I recommend using WKD. When you own a domain, that's definitely the perfect way to go.

Otherwise you might want to reach out to @wiktor about his work on OpenPGP key based verification of accounts :)

@sheogorath @switchingsoftware @rob @wiktor definitely use WKD rather than the keyservers. The keyservers are a dumpster fire.

@sheogorath @switchingsoftware @rob @wiktor @hoptank Thanks, that's useful. It's a little annoying that the author used the term "certificates" (which is SSL jargon). We say "public key" & "private key" when discussing #PGP. Anyway, glad to know about key poisoning, and why I've been unable to get old keys removed from keyservers.


Certificate is a very regular term, it just happens to be mostly known from x509, because it's the most common use case in e.g. TLS. But we also have non-x509 certificates for SSH or, as you noticed, OpenPGP. A certificate is basically a public key signed by another private key which attests its validity. Therefore certificate is a universal term but NOT THE SAME THING as a public key.

@switchingsoftware @rob@fosstodon.org @wiktor @hoptank

Yep, as it has been said, WKD is definitely the way to go. If one doesn’t control their domain, https://keys.openpgp.org is an alternative but with some caveats.

As for “OpenPGP key based verification of accounts” that Sheogorath mentioned, this is something that I took from Keybase, tweaked a little and made decentralized.

Check out this page: https://metacode.biz/openpgp/key#0x653909A2F0E37C106F5FAF546C8857E0D8E8F074 It’s completely generated from my OpenPGP key fetched from https://keys.openpgp.org

Currently there are no pretty wizards to add proofs to your keys so it’s manually adjusting your social profiles (GitHub, HackerNews, Mastodon, etc.) and manually adding proof links to your OpenPGP key. For details see: https://github.com/wiktor-k/openpgp-proofs#for-users

If you then push your updated key to https://keys.openpgp.org the key info page will generate something similar to my key.
