April 15, 2019

Today we're announcing that Keybase has a new, open proof protocol, and we've kicked it off with the Mastodon Fediverse. Already, 31 communities are live (mastodon.social, witches.live, aus.social, etc.), with many more in the coming days.

Previously, Keybase only supported the mega-behemoths: Twitter, Facebook, Reddit, GitHub, and Hacker News. This new protocol change isn't just for Mastodon; we're ripping Keybase wide open, so any community can cryptographically connect profiles to Keybase.

Everyone from a small phpBB forum to a big site such as Etsy, GitLab, or Stack Overflow is welcome to do this easy integration.

First, what is Mastodon?

Mastodon is a microblogging social network. It's like Twitter, except anyone can administer an "instance," on a domain of their choice, letting in whatever members they want.

If you're on an instance called cereal.eaters and I'm on an instance called milk-providers.org, we can follow each other and see each other's "toots" across the network. Censorship rules are up to the instances. This is federation at its finest.

It's pretty slick, and it honors the original spirit of the Internet.

Keybase Proofs

Keybase is a secure (as in cryptography) app for groups, communities, families, and friends. At its core is identity. Keybase is a catalog of connected identities and keys. For example, here's my friend tammy:

I know her as @tammycamp on Twitter, and Keybase teaches me she's also u/hodl_strong on Reddit. Further, Keybase lets me have an encrypted chat with her, or add her to a group I'm building. I can feel safe I'm talking to the right person.

My Keybase app actually checks that she posted a signed tweet on Twitter.

An example of our old way of doing things

Let's walk through one. In our scenario, Keybase user haraldbluetooth wants to prove he is @toothyharald on Twitter.

After typing his Twitter handle into the Keybase app, Harald goes through these screens:

Problems with the old way

Pretty quick and easy, right?

Still, we think this flow is choppy. Harald's Keybase app can tell him exactly what to tweet, but once he's in Twitter, Keybase is just sitting around, hoping he didn't change anything before posting.

Problems:

posting is brittle; Twitter may not link to a screen with the tweet pre-filled. Also Harald may edit the tweet and mess it up. Twitter will still let him post it, but it will be nonsense.

people can post false claims on Twitter; Keybase wouldn't understand or honor them, but a tweet that's a lie might confuse Twitter users.

every site is different; Keybase needs to understand how to look up tweets, parse them, confirm the author, distinguish usernames, etc. It would be easier if Twitter could tell Keybase apps how it works and how to look up a proof.

the tweets flow into history; how can someone start on Harald's Twitter profile and know his Keybase username?

Our new protocol

Mastodon has done all this right, starting in Mastodon version 2.8. And now anyone else can, too.

Here’s what the proof flow looks like for Mastodon. When haraldbluetooth claims in Keybase that he's allmyteeth on mastodon.social, he lands on a mastodon.social page:

Further, his mastodon.social page shows this special row:

This, unlike a Tweet or Toot that could say anything, only shows up on his Mastodon page if it's legit.

FINAL RESULT: if you know Harald on Mastodon, you can end up with his keys! Or if you know him on Keybase or elsewhere, Keybase teaches you about his Mastodon identity. All cryptographically verifiable.

For programmers...a neat bonus

You can send encrypted messages from the command line, using these proofs.

keybase chat send haraldbluetooth "Ensam är stark!"

keybase chat send allmyteeth@mastodon.social "Ensam är stark!"

Or, using the Keybase chat API:

echo '{"method": "send", "params": {"options": {"channel": {"name": "allmyteeth@mastodon.social"}, "message": {"body": "Ensam är stark!"}}}}' | keybase chat api
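The one-liner above works because the recipient and message are literals. When a script fills them in from variables, pasting them into the JSON text lets a stray quote break the request or change who it is addressed to. The following is an added example, not Keybase's code: it builds the same request as data, and the function names and sample strings are constructed for illustration.

```python
import json
import subprocess

def naive_payload(recipient, body):
    # Mirrors pasting variables into the one-liner's JSON text: no escaping.
    return ('{"method": "send", "params": {"options": {"channel": {"name": "%s"}, '
            '"message": {"body": "%s"}}}}' % (recipient, body))

def safe_payload(recipient, body):
    # Same request shape as the page's one-liner, built as data so the
    # JSON encoder escapes quotes, backslashes and control characters.
    request = {"method": "send", "params": {"options": {
        "channel": {"name": recipient}, "message": {"body": body}}}}
    return json.dumps(request, ensure_ascii=False)

def parsed_fields(payload):
    """Return (recipient, body) as a JSON parser reads them, or None if invalid."""
    try:
        options = json.loads(payload)["params"]["options"]
        return options["channel"]["name"], options["message"]["body"]
    except (ValueError, KeyError, TypeError):
        return None

def send(recipient, body):
    # Feeds the payload to `keybase chat api` on stdin, like the pipe above.
    # Needs an installed, logged-in keybase client; not called on import.
    return subprocess.run(["keybase", "chat", "api"],
                          input=safe_payload(recipient, body).encode("utf-8"),
                          check=True, capture_output=True).stdout

# Constructed sample inputs (hypothetical values, not from the original page).
RECIPIENT = "allmyteeth@mastodon.social"
PLAIN = "Ensam är stark!"
QUOTED = 'He said "hej" \\ bye'
# A body that closes the string early and repeats the "channel" key.
OVERRIDE = 'hi"}, "channel": {"name": "someone-else"}, "message": {"body": "hi'

if __name__ == "__main__":
    for text in (PLAIN, QUOTED, OVERRIDE):
        print("naive:", parsed_fields(naive_payload(RECIPIENT, text)))
        print("safe: ", parsed_fields(safe_payload(RECIPIENT, text)))
```

With the naive form, the quoted message is rejected as invalid JSON and the third sample is read as addressed to a different channel name; the encoded form keeps recipient and body intact in all three cases.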

Your Keybase app will verify all the crypto, and the chat will appear:

What the Mastodon project had to do

It wasn't a large project. They had to create or update a couple JSON endpoints, a config file, and an extra screen to handle this proof connection. Any site can do it.

Keybase profiles - in both the app and website - now link to Mastodon.

That's it. If your team builds a site or app with members, go for it. If you use an app or website you'd like to see connected to Keybase, you can send them this page.

Having fun!

💖 Keybase