Publish blog post

content/blog/2021/01/2021-01-11--keyoxide-project-update-2.md

@@ -0,0 +1,119 @@
+---
+title: "Keyoxide Project Update #2"
+author: Yarmo Mackenbach
+slug: keyoxide-project-update-2
+date: "2021-01-11 16:30:00"
+published: true
+discussion:
+---
+
+A prosperous 2021 to all. Let's dive into some Keyoxide news.
+
+## Signature profiles
+
+The Keyoxide web client just got updated to [2.4.0](https://codeberg.org/keyoxide/web/releases/tag/2.4.0) which
+introduced a few minor bug fixes as well as a robots.txt and noindex meta tags.
+
+The most exciting new feature in this release is the support for "signature profiles", a new way of creating
+decentralized profiles that is both simpler to generate and solves a few drawbacks that come with the traditional
+method of storing identity claims as notations in cryptographic keys.
+
+From the newly added [signature profiles guide](https://keyoxide.org/guides/signature-profiles):
+
+> Storing claims inside the key as notations is a powerful method. Wherever the public key goes, so go the identity claims. This allows one to use the existing vast network of key sharing tools to also share these identity claims.
+> 
+> There are drawbacks to this: you lose granularity. You cannot pick and choose the claims you want to send to certain people or use for certain purposes. There is also the possibility that notations in keys could be scraped as the keys are publicly available.
+> 
+> Putting (certain) claims in a signature profile solves both drawbacks. You can choose which claims to be associated with each other and you can choose which persons can see this by only sending it to them. You can even encrypt the signature profile! Since the signature profile is not publicly available (unless you make it so), there is no possibility to scrape the contents of it.
+> 
+> Note that there is one catch: the person you send it to could publish it. Only send claims you wish to keep secret to people you trust!
+
+### What does a signature profile look like?
+
+Here's an example:
+
+```
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+Hey there! Here's a signature profile with proofs related to the DOIP project (https://doip.rocks).
+
+Verify this profile at https://keyoxide.org/sig
+
+proof=dns:doip.rocks
+proof=https://fosstodon.org/@keyoxide
+-----BEGIN PGP SIGNATURE-----
+
+iQHEBAEBCgAuFiEENjcgJSPnwTCat56Z7y3FgntEX0sFAl/7L0MQHHRlc3RAZG9p
+cC5yb2NrcwAKCRDvLcWCe0RfS3iYC/0QQqz2lzSNrkApdIN9OJFfd/sP2qeGr/uH
+98YHa+ucwBxer6yrAaTYYuBJg1uyzdxQhqF2jWno7FwN4crnj15AN5XGemjpmqat
+py9wG6vCVjC81q/BWMIMZ7RJ/m8F8Kz556xHiU8KbqLNDqFVcT35/PhJsw71XVCI
+N3HgrgD7CY/vIsZ3WIH7mne3q9O7X4TJQtFoZZ/l9lKj7qk3LrSFnL6q+JxUr2Im
+xfYZKaSz6lmLf+vfPc59JuQtV1z0HSNDQkpKEjmLeIlc+ZNAdSQRjkfi+UDK7eKV
+KGOlkcslroJO6rT3ruqx9L3hHtrM8dKQFgtRSaofB51HCyhNzmipbBHnLnKQrcf6
+o8nn9OkP7F9NfbBE6xYIUCkgnv1lQbzeXsLLVuEKMW8bvZOmI7jTcthqnwzEIHj/
+G4p+zPGgO+6Pzuhn47fxH+QZ0KPA8o2vx0DvOkZT6HEqG+EqpIoC/a7wD68n789c
+K2NLCVb9oIGarPfhIdPV3QbrA5eXRRQ=
+=QyNy
+-----END PGP SIGNATURE-----
+```
+
+I only wrote the four lines after `Hash: SHA512`! The rest is generated by an OpenPGP-compatible library.
+
+The first two lines are meant for humans. They state my intent with this signature profile as well as give an
+instruction to whomever receives it.
+
+The remaining two lines are my identity claims. They follow a specific syntax that Keyoxide and any other service using
+[doip.js](https://doip.rocks) can interpret.
+
+The text around it is the signature. They make the message both provably beyond doubt written by yours truly, and
+untemparable. Try it in the next step, change any character in the text, it will fail. This ensures that no bad actor
+could intercept my signature on its way to you and modify its content.
+
+### What to do with it?
+
+When put into [keyoxide.org/sig](https://keyoxide.org/sig), the website will perform two verifications.
+
+First, is the signature valid? Has the text been tampered with? If the signature is valid, a so-called 'fingerprint'
+is extracted from it and displayed. Preferably, I have already mentioned my fingerprint to you. This ensures that you
+didn't simply get a signature from someone else pretending to be me.
+
+The fingerprint of the key that I used for the signature above is `3637202523e7c1309ab79e99ef2dc5827b445f4b`.
+
+Second step is the verification of the identity claims. I could write a perfectly valid signature profile filled with
+absurd and incorrect identity claims! We don't want that.
+
+The fingerprint we just extracted from the signature is now used to verify these identity claims. For example, the first
+claim (doip.rocks) will have a DNS record with that value. And the second claim (fosstodon.org/@keyoxide) has the
+fingerprint in the bio section of the account.
+
+Both should verify. This allows you to say:
+
+> Whoever signed this profile, holds the doip.rocks domain name and the fosstodon.org/@keyoxide account.
+
+### Granular and non-scrapable identity claims
+
+There you have it. Identity claims that can be sent granularly (you pick and choose which to include) and are
+non-scrapable (signature profiles are not publicly available).
+
+And if you wish to go a step further, you can even encrypt the signature profile to make sure it can't be read while in
+transit to the intended recipient.
+
+Happy signing!
+
+## doip.js 0.9.0
+
+[Release 0.9.0](https://codeberg.org/keyoxide/doipjs/releases/tag/0.9.0) of [doip.js](https://js.doip.rocks) introduced
+support for the verification of signature profiles. In fact, Keyoxide simply relies on doip.js for all identity
+verifications. This makes it possible for new projects to get started quickly with fully decentralized identity
+verification and always have the same feature set that Keyoxide has.
+
+This is the way.
+
+## Signing off
+
+Hope you enjoy the signature profiles. Do not hesitate to get in touch for questions, comments or suggestions. There's
+a [Keyoxide matrix room](https://matrix.to/#/#keyoxide:matrix.org) as well as a
+[mailing list](https://lists.sr.ht/~yarmo/keyoxide-devel).
+
+Until next time.