GPG Identity Protocol

From bitcoin-otc wiki
Revision as of 19:31, 14 March 2011 by Nanotube (Talk | contribs) (create page)


Introduction

This page outlines the protocol for exporting your GPG identity to other sites, which may or may not support GPG authentication directly. The basic idea is that you post a GPG-signed message in some area of your user account on the site, connecting your site id with your key via the signature; others can then verify the signature and be certain that you are the same person on multiple sites.

This is particularly useful if you have an established reputation in some other community, such as ebay feedback or coinpal order history.

While all of this can be done manually, it would be helpful to support automatic identity verification. This standard is created to that end.

Structure

The main goals of this standard are to allow for:

  • automatically finding the gpg signature on any user page via a simple parser
  • automatically connecting the content of the signed message to a user identifier on a particular site url

GPG signature marker

To include a gpg signature in your user profile, post the following data on your page:

gpg_signature=url_or_data

where the value after the equals sign is either a url linking to the resource containing your full clearsigned message, or a hex-encoded string of your clearsigned message.

This allows the signature data to be picked out easily with a simple regexp of the form

gpg_signature=[^\s]+

The hex encoding is specified since many sites garble line endings and whitespace in posted content (such as ebay's profile page).

Content of GPG signed message

The signed message should identify the site it pertains to and your user identifier on that site. The format of the message shall be as follows:

site: domain of site, or other descriptor of what you're identifying for
user: user identifier on site

The signature date and key id are contained in the signature itself, so they need not be included explicitly in the message.

This message uniquely connects a user identifier on a site to a GPG identity.
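The following is an added example, not code from the wiki or the bitcoin-otc project, showing the verifier side of the marker and message formats above: it locates the gpg_signature= marker with the regexp from this page, decodes the hex form (or hands back a url for fetching), and pulls the site and user fields out of the signed text region. The profile text and the clearsigned message are constructed samples with a placeholder signature block, so the site/user values are only meaningful once gpg --verify has accepted the full message.

```python
import re

# Marker regexp from the protocol: the value is a url or a hex string.
MARKER_RE = re.compile(r"gpg_signature=([^\s]+)")

# Constructed sample clearsigned message; the signature block is a
# placeholder, not a real signature, so gpg --verify would reject it.
SAMPLE_CLEARSIGNED = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA256", "",
    "site: example.org", "user: alice",
    "-----BEGIN PGP SIGNATURE-----", "", "PLACEHOLDER_SIGNATURE_DATA",
    "-----END PGP SIGNATURE-----", ""])

# Constructed profile text as a site might render it, marker embedded.
SAMPLE_PROFILE = ("Trusted seller since 2009.\n gpg_signature="
                  + SAMPLE_CLEARSIGNED.encode().hex() + "\nContact me.")

def extract_marker(profile_text):
    """Return the raw value after gpg_signature=, or None if absent."""
    m = MARKER_RE.search(profile_text)
    return m.group(1) if m else None

def resolve_value(value):
    """A url points at the resource holding the message; otherwise hex."""
    if value.startswith(("http://", "https://")):
        return ("url", value)
    return ("data", bytes.fromhex(value).decode("utf-8"))

def parse_signed_fields(clearsigned):
    """Pull site/user from the signed text region only. Run gpg --verify
    on the full message first; the fields mean nothing until it passes."""
    head = "-----BEGIN PGP SIGNED MESSAGE-----"
    sig = "-----BEGIN PGP SIGNATURE-----"
    start = clearsigned.index(head)
    end = clearsigned.index(sig, start)
    body = clearsigned[start:end].split("\n\n", 1)[1]  # drop armor header
    fields = {}
    for line in body.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            fields[k.strip().lower()] = v.strip()
    return fields
```

Pass the decoded clearsigned text to gpg --verify before acting on the parsed fields; the parser only extracts what gpg will check, it does not check anything itself.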