consider local key exchange mechanisms (geysigning, safeslinger)

The geysigning project, which reuses (and improves on!) parts of the Monkeysign code, introduces a novel idea of not depending on the keyservers to fetch the public key material before signing. To quote their README file:

In contrast to caff or monkeysign, this tool enables you to sign a key without contacting a key server. It downloads an authenticated copy of the key from the other party. For now, the key is authenticated by its fingerprint which is securely transferred via a QR code. Alternatively, the user may type the fingerprint manually, assuming that it has been transferred securely via the audible channel.

I haven't figured out exactly how the key material is copied - it is presumably done through some Avahi protocol?

OpenKeychain has its own way of doing those transfers, which are implemented as a multi-party "keysigning party" protocol of some sort. It uses an app called SafeSlinger for which there is a Python library we could reuse as well.

List of possible implementations:

  • geysigning - homegrown avahi + httpserver
  • SafeSlinger - custom protocol?
  • FlyWeb - standardized web-based avahi + httpserver?