GPG Identity Protocol
This page outlines the protocol for exporting your GPG identity to other sites which may or may not support GPG authentication directly. The basic idea is that you can post a GPG-signed message to some area of your user account on the site, connecting your site id with your key via the signature, and then others can verify your signature and be certain that you are the same person on multiple sites.
This is particularly useful if you have an established reputation in some other community, such as ebay feedback, coinpal order history, etc.
While this can all be done 'manually', it would be helpful to facilitate automatic identity verification. To that end, this standard is created.
The main goals of this standard are to allow for:
- automatically finding the gpg signature on any user page via a simple parser
- automatically connect the content of the signed message to a user identifier on a particular site url
GPG signature marker
To include a gpg signature into your user profile, post the following data on your page:
followed by either a url linking to the resource containing your full clearsigned message, or a base64-encoded string containing your clearsigned message.
This should allow to easily pick out the signature data via a simple regexp of the form
The base64 encoding is specified since many sites garble line endings and whitespace in posted content (such as ebay's profile page).
Content of GPG signed message
The signed message should include information about the site on which the signature will be posted, and the user's identifier on that site. The format of the message shall be as follows:
site: domain/url of site, or other descriptor of what you're identifying for user: user identifier on site
The date of signature and key id is contained in the signature itself, and is thus not necessary to explicitly include in the message.
Any extra non-whitespace before the site/user specification invalidates the message. Extra data may be included after the site/user specification.
The identity is only authoritative for the site from which it is linked. So for example, if the message is downloaded from a user's ebay page, this proves that the person has both access to the ebay account, and the GPG key, thus linking the two identities. If the link is listed on some other site, it is not to be trusted, since it does not prove access to the account being listed.
It is up to the verifying party to make sure that the message is placed in a location that would only be accessible to the owner of the claimed account on the site. For example in the case of ebay, message should be placed in the 'bio' section of the 'myworld' page. In case of Wikipedia, user account pages are editable by others, so one would have to make sure that the message is present due to an edit by the user himself, not someone else. These are only examples - since each site has different rules and structure, this protocol document does not make any site-specific recommendations.
Also note that by making the link between site's user account and the signing key, you are implicitly trusting the site's security against unauthorized access to user accounts.
Alice has the nick "alice-otc" on the OTC channel and "alice-ebay" on eBay. She's registered her PGP identity with OTC and now she wants to make an OTC trade with Bob. Bob wants some assurance that Alice is honest. To demonstrate her honesty, Alice wants to prove that "alice-ebay" is the same person as "alice-otc", even though the nicks are different. She crafts the following message (/tmp/message.txt):
site: ebay.com user: alice-ebay
and signs it with her PGP key, encoding the result into base64 and then manually prefixes "gpg_identity":
cat /tmp/message.txt | gpg --clearsign | base64 -e
to get the following document
She then copies this document to her eBay My World page in the Bio section. Bob decodes the content and verifies the signature to convince himself that Alice controls the "alice-ebay" account.