i have no clue how salt works :|
@xuu@txt.sour.is @prologic@twtxt.net This? Fingerprint: 161c614f08e4ed4d1c8e5410f8c457e6878574dbab7c9ac25d474de67db1bdad
@prologic@twtxt.net I use https://key.sour.is/id/me@sour.is
I would need an out-of-band way to verify your public key’s fingerprint though 🤣
@prologic@twtxt.net Ok.. so using NaCL boxes. yeah its just a combo of using secretbox with a generated key/nonce. and then using the pubkey box to encrypt the key/nonce for each device.
Can we not have clients sign their own public keys before listing them on their Pod’s account?
Yeah.. we probably could. when they setup an account they create a master key that signs any subsequent keys. or chain of signatures like keybase does.
@prologic@twtxt.net def would be a wider discussion on preventing the pod from adding its own key to a users device list. Or using device keys to authenticate instead of user/pass.
@prologic@twtxt.net pod should probably track revocation of device keys and delete the encryptedkeys that are paired with revoked keys
@prologic@twtxt.net device gets the cypertext and uses it’s device key to decrypt one of the keys and then decrypts the cypertext.
@prologic@twtxt.net sender generates an AES key encrypts message. gets the device list for user and encrypts key for each device. sends the encryptedkeys+cypertext.
@prologic@twtxt.net for encryption. we can have browser/app generate ec25519 keypair. store the private on device and add pub to list of devices for the user on pod.
i am guessing you are using some form of webmention to notify the target of the DM? which loads it into a store for the user to read?
@prologic@twtxt.net 👋 I can take a stab at it when I am done with the changes I am working on.
master 😀
@prologic@twtxt.net my bad.. my next one is more fun.
@prologic@twtxt.net I see.. so using an ec25519 key as identity? and some kind of certificate to define the location of a feed? or maybe a DHT like Kademlia? TwTorrent ;)
@prologic@twtxt.net kinda like how MX records work.
@prologic@twtxt.net My thoughts on it being if they switched from a different way of hosting the file or multiple locations for redundancy..
I have an idea of using something like SRV records where they can define weighted url endpoints to reach.
@prologic@twtxt.net just an off the wall question about hashes. why not use the time+message as it was in the original twtxt.txt file? is it because it’s just not store anyplace?
also how set in stone is using user+url? vs user@domain? the latter would mean the url could change without invalidating the hash.
@prologic@twtxt.net when i get the code up to a shareable level ill ping with what i have.
@prologic@twtxt.netd so.. convert the 4 attributes in the struct to private, add getters plus some the other methods that make sense.
type Twt interface {
Twter() Twter
Text() string
MarkdownText() string
Created() time.Time
...
}
@prologic@twtxt.net yeah I do.
It seems a bit wonky that it imports from your packages in some places. I’m guessing that’s some legacy bits that need updates?
@prologic@twtxt.net I have some ideas to improve on twtxt. figure I can contribute some. 😁 bit more work and it will almost be a drop in replacement for ParseFile
Kinda wish types.Twt was an interface. it’s sooo close.
@lyxal@twtxt.net @prologic@twtxt.net yah. the service can have a flag for allowing non-TLS for development. but by default ignores.
are there some users that use alternative protos for twtxt? like ftp/gopher/dnsfs 🤔
My latest work over the last few days. a twtxt parser. so far looking promising. Faster and less memory than the regex version. 😁
@prologic@twtxt.net @lyxal@twtxt.net blocking http would be a good start
@admin @lyxal@twtxt.net hax?
@prologic@twtxt.net an added benefit of the avatar: would be the user could put their gravatar/libravatar image url like https://key.sour.is/avatar/01bc6186d015218c23dec55447e502e669ca4c61c7566dfcaa1cac256108dff0
@prologic@twtxt.net Could the config be embeded into the head comment of the twtxt.txt file and parsed out? If it also had an avatar: field that pointed to where the avatar image is located it can be almost all self contained.
New Blog Post Test Blog by @xuu@txt.sour.is 📝
@lyxal@twtxt.net @prologic@twtxt.net if we edit the txt file does it update on web?
@prologic@twtxt.net the HKP is http keyserver protocol. it’s what happens when you do gpg --send-keys
makes a POST to the keyserver with your pubkey.
@prologic@twtxt.net looking through the drafts it looks like it actually used SRV records as recently as 2018 😵
@prologic@twtxt.net Web Key Directory: a way to self host your public key. instead of using a central system like pgp.mit.net or OpenPGP.org you have your key on a server you own.
it takes an email@address.com hashes the part before the @ and turns it into [openpgpkey.]address.com/.well-known/openpgpkey[/address.com]/<hash>
@xuu@txt.sour.is With SRV you can set what hostname to be used (and port/priority/etc)
@xuu@txt.sour.is Not too happy with WKD’s use of CNAME over SRV for discovery of openpgpkey.. That breaks using SNI pretty quick. I suppose it was setup as a temporary workaround anyhow in the RFC..
Did some work on WKD handling. Can update keys with HKP posts :) Ugh need to work on docs and unit tests. Boooorrring.
Happy Friday.
@prologic@twtxt.net also :)
@adi @prologic@twtxt.net One reservation about using it with a small community would be the expectation that the discussions at some level stay within the circle as opposed to the internet at large.
@prologic@twtxt.net @twtxt@txt.sour.is I have noticed that I will get some duplicate web mention notifications. some kind of dedup would be helpful.
@prologic@twtxt.net (#gqg3gea) ha yeah. COVID makes for a timey-wimey mish-mash. Worked on some WKD and fought with my XMPP client a bit.
@prologic@twtxt.net Herro! 👋
@prologic@twtxt.net well nice chat. it’s off to bed for me.
@prologic@twtxt.net do you think twt will ever add ActivityPub integration?
@prologic@twtxt.net Yep! installed it yesterday. I like the simplicity of twt. I am quite happy with how little memory the pod seems to use. Mastodon and the “lightweight” Pleroma don’t work well in small VMs.
That way at least we can form some kind of cryptographic “identity” without having to involve the users that much, it just works™
i like some of the work that keys.pub is doing with ed25519 crypto keys with something like that.
@prologic@twtxt.net huh.. true.. the email is md5/sha256 before storing.. if twtxt acted as provider you would store that hash and point the SRV record to the pod. .. to act as a client it would need to store the hash and the server that hosts the image.
@xuu@txt.sour.is @prologic@twtxt.net something that would be interesting would be libravatar for the user image. i made one that does the same for a profile cover image.
@xuu@txt.sour.is @prologic@twtxt.net The gpg command line leaves much to be desired…
@prologic@twtxt.net it is some interesting work to decentralize all the things.. tricky part is finding tooling. i am using a self hacked version of the go openpgp library. A tool to add and remove notations would need to be local since it needs your private key.