Skip to content

Instantly share code, notes, and snippets.

@jamesmunns
Created September 24, 2019 15:43
Show Gist options
  • Save jamesmunns/a0bf462f9f3a86216e85ae3852c35fb3 to your computer and use it in GitHub Desktop.
Save jamesmunns/a0bf462f9f3a86216e85ae3852c35fb3 to your computer and use it in GitHub Desktop.
FRAUTH-CONTENTS
name = "James Munns"
note = "Hello, I'm James!"
pubkey = "๐Ÿ’ฅ๐Ÿ’ฟ๐Ÿž๐Ÿ”ซโ˜•๏ธ๐Ÿ‘ฝ๐Ÿ”๐Ÿ‘ถ๐Ÿฃ๐Ÿ‘‰๐Ÿƒ๐Ÿ’ซโš“๏ธ๐Ÿ‘‘๐Ÿธ๐Ÿ๐Ÿพ๐ŸŠ๐ŸŽ๐ŸŽบ๐Ÿ’ฏ๐Ÿ’ป๐Ÿ’ฆ๐Ÿธ๐Ÿ’๐Ÿ‘‘๐Ÿผโš“๏ธ๐Ÿ’”๐Ÿ†๐ŸŽฌโ›”๏ธ"
[identities]
email = "james.munns@ferrous-systems.com"
github = "https://github.com/jamesmunns"
twitter = "https://twitter.com/bitshiftmask"
[[friends]]
name = "Alice Shamir"
uri = "https://example.com/.well-known/alice-shamir.frauth"
pubkey = "โœˆ๏ธ๐Ÿ–๐Ÿ’ค๐Ÿ“ผ๐ŸŽ๐Ÿฌ๐Ÿ•๐Ÿš€๐Ÿ”•๐Ÿ’จ๐Ÿ”—๐ŸŽธ๐Ÿšฝ๐Ÿฌ๐Ÿ“š๐Ÿจ๐Ÿ”ฌ๐Ÿฉ๐Ÿ‘œ๐Ÿ”†๐ŸŽป๐ŸŽทโ›ณ๏ธ๐Ÿ’ฃ๐Ÿ‘ข๐Ÿซ๐Ÿ’ฐโ˜•๏ธ๐Ÿ›๐Ÿ‘ฃ๐ŸŠโ€ผ๏ธ"
[[friends]]
name = "Bob Diffie"
uri = "https://beispiel.com/.well-known/bob-diffie.frauth"
pubkey = "๐Ÿšจ๐ŸŽจ๐Ÿ’ƒ๐ŸŽจ๐Ÿ€๐Ÿ‘โžก๏ธ๐ŸŽค๐ŸŽ„๐ŸŒ€๐ŸŽƒ๐Ÿ„๐Ÿ‘†๐Ÿ‘ซ๐Ÿท๐Ÿธ๐Ÿ˜ ๐Ÿ˜ ๐ŸŒ™๐ŸŒณ๐Ÿ”ฎ๐Ÿ”๐Ÿƒ๐Ÿ’๐ŸŸ๐ŸŒฟโŒš๏ธ๐Ÿจ๐Ÿ’ช๐Ÿ๐ŸŽŠ๐Ÿ‘‰"
FRAUTH-SIGNATURE
๐ŸŒตโ›ณ๏ธ๐ŸŽ๐Ÿ‘ข๐Ÿ”†๐Ÿ”—๐Ÿ‘โฌ…๏ธ๐Ÿ–๐Ÿฌ๐Ÿ“๐Ÿ”‹โฌ…๏ธ๐Ÿ‘ƒ๐Ÿซ๐Ÿ’ป๐Ÿ’ง๐Ÿ„๐Ÿ‘Ž๐Ÿผโœ‚๏ธ๐Ÿƒ๐Ÿ’๐Ÿบ๐Ÿ’ชโš“๏ธ๐Ÿ”†๐Ÿ‘ข๐Ÿฐ๐Ÿ’ป๐Ÿ’Š๐Ÿšด๐Ÿ‡๐Ÿš€๐Ÿป๐Ÿบ๐ŸŒตโฌ‡๏ธ๐Ÿ๐Ÿ‘Šโฌ…๏ธ๐Ÿ‘๐Ÿจ๐ŸธโŒš๏ธ๐Ÿ˜Ž๐Ÿ”ฆ๐Ÿ‹๐Ÿ“ป๐Ÿ’๐Ÿ’”๐ŸŒผ๐ŸŽ๐ŸŽ๐Ÿ‘๐Ÿ‘…๐Ÿ“ป๐ŸŽณ๐Ÿ‘ƒ๐Ÿ€๐Ÿ™๐Ÿ”†๐Ÿ‘”๐Ÿ’ข
FRAUTH-ENDOFFILE
@jamesmunns
Copy link
Author

jamesmunns commented Sep 24, 2019

Format is roughly:

FRAUTH-CONTENTS
<TOML Content>
FRAUTH-SIGNATURE
<ed25519 signature of <TOML Content>>
FRAUTH-ENDOFFILE

<ed25519 signature of <TOML Content>> does NOT consider comments within the toml file, though they are allowed. The signature is essentially sign(serialize(deserialize(<TOML Content>))) sign(<TOML Content>). Contents are not reordered on serialization/deserialization.

EDIT: I will expect the tool to sign the raw TOML content, rather than putting it through a serialize(deserialize()) chain, based on suggestions from others.

TOML Contents is roughly:

  • name: Mandatory utf8 string
  • note: Optional utf8 string
  • pubkey: Mandatory utf8 string containing a base_emoji encoded ed25519 public key
  • identities: Optional key:value, where key and value are both utf8 strings
    • used for identifying accounts, emails, phone numbers, etc. that map to this entity
    • some keys might be expected to be parsed in certain ways, like email or twitter or github
  • verifications: Optional key:value, where key and value are both utf8 strings
    • TODO: do some kind of account verification? e.g. a tweet or gist with a signed message?
  • misc: Optional key:value, where key and value are both utf8 strings
    • Meant for human-readable items
    • Tools must not rely on contents of misc
  • friends: list, with each element containing:
    • name: Mandatory utf8 string
    • uri: Mandatory utf8 string, expected to be a URI that maps to a frauth file (like this one)
    • pubkey: Mandatory utf8 string containing a base_emoji encoded ed25519 public key, same as pubkey at the root of the file located at the uri for this element

@jamesmunns
Copy link
Author

jamesmunns commented Sep 24, 2019

The idea is to build a "web of trust" from verified friends, and their verified friends. The tool should not report a binary trust, but instead display a weighted value based on their distance (so a direct trusted friend is 1.00, a friend of a friend would be less, and a friend of a friend of a friend would be even less).

The hope is to have a distributed and peer-to-peer solution for problems currently solved by gpg (and associated registries) as well as services such as keybase.

This tool does not aim to have configuration around encryption options, to reduce complexity. Currently ed25519/edDSA is used for all functionality. Future versions of the tool may include semantic versioning of files, allowing for a limited amount of backwards compatibility.

Long term goals

  • A CLI tool will be able to spider the web of trust, to some configurable depth, caching the results locally.
  • A CLI tool will be able to periodically update the cached results, notifying the user on changes, and removing verified contacts if details have changed.
  • A CLI tool can notify when identity changes, or when new items can be imported to the web of trust
  • A CLI tool can display an "address book" based on this web of trust
  • A CLI tool will be able to encrypt a message to a given person using their verified (or web of trust known) public key by using their ed25519 public key for EdDSA asymmetric encryption. The recipient of this message can verify this message using the CLI tool.
    • TODO: Verify if this is sound?
    • TODO: Sign message with own private key inside or outside of encrypted message?
  • A CLI tool will be able to sign a given message, using own private key. Recipients will be able to verify this message using the CLI tool.
  • Very very long term: Ability to sign/verify git commits using frauth data?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment