GitLab

The geysigning project, which reuses (and improves on!) parts of the Monkeysign code, introduces a novel idea of not depending on the keyservers to fetch the public key material before signing. To quote their README file:

In contrast to caff or monkeysign, this tool enables you to sign a key without contacting a key server. It downloads an authenticated copy of the key from the other party. For now, the key is authenticated by its fingerprint which is securely transferred via a QR code. Alternatively, the user may type the fingerprint manually, assuming that it has been transferred securely via the audible channel.

I haven't figured out exactly how the key material is copied - it is presumably done through some Avahi protocol?

OpenKeychain has its own way of doing those transfers, which are implemented as a multi-party "keysigning party" protocol of some sort. It uses an app called SafeSligner for which there is a Python library we could reuse as well.

List of possible implementations:

• [geysigning][geysigning project] - homegrown avahi + httpserver
• [SafeSlinger][] - custom protocol?
• FlyWeb - standardized web-based avahi + httpserver?