Update blog post
Yarmo Mackenbach 2020-06-25 14:38:44 +02:00
parent 41a28de436
commit f7bb0514e5


@ -21,6 +21,8 @@ This project uses [openpgp.js](https://openpgpjs.org/) loaded in the browser, me
OPSV will always use the first input method it detects in the order described above.
It's also possible to not provide a public key. Read more about this in the `Using no public key at all` section below.
## Usage
Visit https://opsv.foss.guru/. On this website, you can enter a signed message (see example below) and any of the three supported public key inputs to verify that the owner of that public key was indeed the person to have signed that message.
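Review bot: The new sentence "It's also possible to not provide a public key" sits right after "OPSV will always use the first input method it detects in the order described above", but the hunk does not say where the no-key mode falls in that order. Since the two modes have very different assurance (a supplied key pins the signer; no key means the signer's own `userId`/`keyId` is trusted for the lookup), state here that the no-key path is used only when all three public-key fields are empty, and add a one-line warning that its result must be cross-checked, rather than deferring entirely to the section below.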
@ -34,26 +36,26 @@ The signed statement:
<pre class="select-all"><code>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
I like pineapples.
I like pineapple.
-----BEGIN PGP SIGNATURE-----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=AKRt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=rqTX
-----END PGP SIGNATURE-----</code></pre>
Use this as "Message" on [OPSV](https://opsv.foss.guru/).
Use this as "Signature" on [OPSV](https://opsv.foss.guru/).
### Using plaintext public key
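Review bot: The example text changes from "I like pineapples." to "I like pineapple." and the armored signature block changes with it (the trailing checksum goes from `=AKRt` to `=rqTX`), so the old and new signatures are not interchangeable. The surrounding text never says why both had to move together; add a sentence that the signature covers the exact message bytes, so any edit to the signed text (here, one dropped character) makes verification fail, which is the property readers are being shown how to test. Also worth re-checking that the "Signature" variant mentioned in the "Use this as ..." lines was regenerated from the same new text, since only one signed-message block is visible in this hunk.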
@ -69,6 +71,43 @@ Remove the contents from the "Public Key (1: plaintext)" field. Now, in the "Pub
Remove the contents from the "Public Key (2: web key directory)" field. I uploaded my keys to the https://keys.openpgp.org/ HKP server, which is the default server used by OPSV. All you need to do is once again go to [my personal website](https://yarmo.eu/pgp) and copy-paste the "Fingerprint" in the "Public Key (3: HKP)" field (the second field!). Still verified!
### Using no public key at all
Wait, what? Then what am I verifying the signature against?
PGP signatures can contain the `userId` of the signer. If OPSV finds a `userId`, it will use it to perform a HKP lookup.
Remove the contents from the "Public Key (3: HKP)" field. It again verifies BUT against the information contained within the signature itself. You should carefully check the information OPSV returns. In this case, the authenticity is confirmed because the `userId` (yarmo@yarmo.eu) matches the one I use.
The signature below does not contain a `userId`:
<pre class="select-all"><code>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
I like pineapple.
-----BEGIN PGP SIGNATURE-----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=QqCq
-----END PGP SIGNATURE-----</code></pre>
Once again, the signature verifies. And again, it only verifies against the information contained within itself so **that doesn't prove anything about its authenticity**. Anyone can write this and the signature will return verified.
Except now, there is no `userId` for easy manual verification. So, you need to either take the `keyId` or the `fingerprint` and find some other way of verifying it, for example by contacting the person who supposedly wrote the message.
In my case, you can simply visit [my personal website](https://yarmo.eu/pgp) and compare the `fingerprint`.
### What can a bad actor do?
One could not sign a statement with my private key: I, and only I, have access to it.
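Review bot: The paragraph "Remove the contents from the 'Public Key (3: HKP)' field ... the authenticity is confirmed because the `userId` (yarmo@yarmo.eu) matches the one I use" overstates what a matching `userId` proves, and it conflicts with the later statement that verifying against information contained within the signature "doesn't prove anything about its authenticity". The `userId` is chosen by whoever built the signature, and the HKP lookup is driven by it, so a matching address shows only that a key with that address was found on the keyserver, not that it is the author's key. Suggest rewording to "the `userId` matches, but you should still compare the `fingerprint` OPSV returns with the one on my website", mirroring the advice already given in the no-`userId` case. Minor: "perform a HKP lookup" should read "an HKP lookup", and "One could not sign a statement with my private key" reads more naturally as "Nobody else can sign a statement with my private key".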
@ -126,3 +165,9 @@ If open statistics or any statistics at all is not to your liking, please do let
## Final words
I hope you like this project, I know I do. OPSV allows me to use signed messages more and provide a simple and secure way to verify their authenticity without relying on big corporations. This is our web, so it's also our duty to keep it secure.
---
## Update 1
Added the `Using no public key at all` section.
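Review bot: The "Update 1" entry records what was added but not when; a date on the update line lets readers who saw the earlier version know whether the no-key guidance postdates it. The section name is given as inline code (`Using no public key at all`) both here and in the intro hunk; since it is a heading, a link to its anchor would be more useful than a code span, and would keep the two references consistent if the heading is renamed later.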