GPG Identity Protocol
This page outlines the protocol for exporting your GPG identity to other sites, which may or may not support GPG authentication directly. The basic idea is that you post a GPG-signed message to some area of your user account on the site, connecting your site ID with your key via the signature; others can then verify your signature and be certain that you are the same person on multiple sites.
This is particularly useful if you have an established reputation in some other community, such as eBay feedback, coinpal order history, etc.
While this can all be done 'manually', it would be helpful to facilitate automatic identity verification. To that end, this standard is created.
The main goals of this standard are to allow for:
- automatically finding the GPG signature on any user page via a simple parser
- automatically connecting the content of the signed message to a user identifier on a particular site URL
GPG signature marker
To include a gpg signature into your user profile, post the following data on your page:
followed by either a url linking to the resource containing your full clearsigned message, or a hex-encoded string containing your clearsigned message.
This should make it easy to pick out the signature data via a simple regexp of the form
The hex encoding is specified since many sites garble line endings and whitespace in posted content (such as eBay's profile page).
Content of GPG signed message
The signed message should include information about the site it pertains to, and the user identifier on that site. The format of the message shall be as follows:
site: domain of site, or other descriptor of what you're identifying for
user: user identifier on site
The date of signature and the key ID are contained in the signature itself, so they do not need to be explicitly included in the message.
This message uniquely connects a user identifier on a site to a GPG identity.
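The binding check a verifier performs on the hex-encoded form can be sketched as follows. This is an added example, not code from the protocol's authors: the function names, the sample site and user, and the case-insensitive comparison of the site value are assumptions. It covers only decoding and field matching; signature verification with gpg is a separate step.

```python
import re

# Constructed sample: the signature block is a placeholder, not a real signature.
SAMPLE_CLEARSIGNED = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    "site: forum.example.org\nuser: alice42\n"
    "-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n"
)
SAMPLE_HEX = SAMPLE_CLEARSIGNED.encode("utf-8").hex()


def decode_hex_message(hex_blob):
    """Undo the hex encoding, ignoring whitespace a site may have inserted."""
    return bytes.fromhex(re.sub(r"\s+", "", hex_blob)).decode("utf-8")


def signed_text(clearsigned):
    """Return the text between the armor headers and the signature block."""
    text = clearsigned.replace("\r\n", "\n")
    m = re.search(
        r"^-----BEGIN PGP SIGNED MESSAGE-----\n(?:[^\n]+\n)*\n(.*?)\n"
        r"-----BEGIN PGP SIGNATURE-----$", text, re.S | re.M)
    if m is None:
        raise ValueError("no clearsigned message found")
    return m.group(1)


def parse_identity(text):
    """Parse the 'site:' and 'user:' lines; each must appear exactly once."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key in ("site", "user"):
            if key in fields:
                raise ValueError("duplicate field: " + key)
            fields[key] = value.strip()
    if set(fields) != {"site", "user"} or not all(fields.values()):
        raise ValueError("message must contain one site and one user")
    return fields


def binding_matches(hex_blob, page_site, page_user):
    """True only if the message names the site and user it was posted under."""
    # Trust this result only after gpg has verified the signature itself.
    ident = parse_identity(signed_text(decode_hex_message(hex_blob)))
    return (ident["site"].lower() == page_site.lower()
            and ident["user"] == page_user)
```

Rejecting duplicate fields keeps one signed message from being read as a claim on two different accounts.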