[00:00.000 --> 00:16.440]  Okay, Jarma Makenbach, his next talk is K-OxEat, the refiner line, the identity of his cryptography.
[00:16.440 --> 00:18.440]  Welcome, Jim.
[00:18.440 --> 00:24.520]  All right.
[00:24.520 --> 00:25.520]  Is this working?
[00:25.520 --> 00:26.520]  Yeah.
[00:26.520 --> 00:28.020]  All right, awesome.
[00:28.020 --> 00:29.020]  Thank you all for coming.
[00:29.020 --> 00:34.040]  So, yeah, I'm Jarma Makenbach, and I would like to give you a little non-technical introduction
[00:34.040 --> 00:42.240]  to my project called K-OxEat, which is all about verifying online identity with cryptography.
[00:42.240 --> 00:47.160]  And to start us off, I would actually like to review very quickly how traditional passwords
[00:47.160 --> 00:48.160]  work.
[00:48.160 --> 00:53.560]  So, yeah, you walk around with your little passport, and you give it to the person who
[00:53.560 --> 00:55.520]  needs to verify it.
[00:55.520 --> 00:59.960]  They will do their little verification with a computer, and then, of course, after that,
[00:59.960 --> 01:03.800]  you can do whatever you came to do with your passport.
[01:03.800 --> 01:09.760]  So what I would like to briefly touch on is this third step, where a passport needs to
[01:09.760 --> 01:13.880]  be verified by contacting the government that issued it.
[01:13.880 --> 01:18.720]  In and of itself, the passport doesn't do that much, it's just a piece of paper with
[01:18.720 --> 01:23.400]  maybe a little picture to identify the person, but not that much more.
[01:23.400 --> 01:28.000]  And in fact, even if you do verify with the government, you know, it checks the validity
[01:28.000 --> 01:30.280]  of the document, is it still valid?
[01:30.280 --> 01:36.920]  But it doesn't actually link it to the person, again, except for maybe the picture, but still.
[01:36.920 --> 01:37.920]  So if we were...
[01:37.920 --> 01:43.680]  So the online world, of course, is becoming more part of our lives.
[01:43.680 --> 01:48.400]  So how would identity work on the internet online?
[01:48.400 --> 01:51.560]  So for me, of course, I would like to have it secure.
[01:51.560 --> 01:56.880]  And with that, I actually mean verifiable, so that, you know, I can present my online
[01:56.880 --> 02:02.400]  passport and prove to people that it's me and that not someone else is trying to claim
[02:02.400 --> 02:07.480]  that they're me or anything like that.
[02:07.480 --> 02:10.240]  I would like it to be anonymous.
[02:10.240 --> 02:17.840]  We don't actually need this online identity to be the same as our real, in real life identity.
[02:17.840 --> 02:19.960]  In fact, I would go even further than that.
[02:19.960 --> 02:21.720]  In fact, we can be multiple persons.
[02:21.720 --> 02:24.320]  We can, you know, be a certain person that works in a certain domain.
[02:24.320 --> 02:27.280]  We can be a person with a certain hobby.
[02:27.280 --> 02:32.360]  And all these personas, they don't need to match, you know, a real identity.
[02:32.360 --> 02:36.680]  And they should have their own identities that need to be maintained and be cared for
[02:36.680 --> 02:42.400]  and be presented separately as identities.
[02:42.400 --> 02:44.360]  I would like to be self-sovereign.
[02:44.360 --> 02:46.800]  So people should be able to make their own passport.
[02:46.800 --> 02:53.080]  They should be able to create it, update it, delete it, distribute it, or keep private
[02:53.080 --> 02:58.360]  as much as, you know, as they would like to, as they see fit.
[02:58.360 --> 03:01.200]  And of course, I would like to see it decentralized.
[03:01.200 --> 03:03.520]  There shouldn't be any gatekeepers.
[03:03.520 --> 03:06.680]  It shouldn't run through a single big instances.
[03:06.680 --> 03:11.080]  It should just be, if you verify someone's identity, you need to be able to do it yourself
[03:11.080 --> 03:18.720]  on the spot without having to trust another entity in the middle as much as possible,
[03:18.720 --> 03:21.200]  because, you know.
[03:21.200 --> 03:26.600]  And if you combine all this, I think it should represent what you do on the Internet, online,
[03:26.600 --> 03:31.840]  and not just like the traditional passport where you were born, mostly.
[03:31.840 --> 03:34.280]  So let's envision a little scenario.
[03:34.280 --> 03:38.600]  Again, I said that this would be non-technical, so, you know.
[03:38.600 --> 03:41.960]  So we start off with Alice, and, you know, if there's Alice, then, of course, there's
[03:41.960 --> 03:42.960]  Bob.
[03:42.960 --> 03:48.400]  And they've spoken to each other for years now with, let's say, Matrix, I don't know.
[03:48.400 --> 03:49.600]  So they know who they are.
[03:49.600 --> 03:54.240]  And again, they don't need to be this, these don't need to be like in real life identities.
[03:54.240 --> 03:58.360]  They could be pseudonyms, so, but they know who they are.
[03:58.360 --> 04:05.720]  And on a certain day, Alice gets a message from a certain Bob91 through a separate network.
[04:05.720 --> 04:09.160]  And of course, Alice wants to know, you know, is this Bob?
[04:09.160 --> 04:16.200]  Why are they using, and if it is, you know, why are they using a different username?
[04:16.200 --> 04:18.440]  That's could have many reasons.
[04:18.440 --> 04:21.000]  But again, is this the same actual person?
[04:21.000 --> 04:26.440]  So luckily for Alice, in this case, she could ask Keoghseid.
[04:26.440 --> 04:31.640]  And Keoghseid actually did a little check on both Bob on the Matrix networks and Bob
[04:31.640 --> 04:39.800]  on 91 on the XYZ network, and it could actually verify that they were the same person.
[04:39.800 --> 04:42.840]  So that's really a rough explanation.
[04:42.840 --> 04:46.700]  So let's actually look at what happens to get to this point.
[04:46.700 --> 04:50.960]  So what Bob did is he created a cryptographic key.
[04:50.960 --> 04:56.240]  So cryptographic keys are represented by a fingerprint, a large string.
[04:56.240 --> 05:00.360]  In this case, let's simplify it, we'll just call it key 42.
[05:00.360 --> 05:05.080]  And he treats the cryptographic key as a sort of vault.
[05:05.080 --> 05:07.080]  So he can put arbitrary data in there.
[05:07.080 --> 05:09.480]  So in this case, he puts two links.
[05:09.480 --> 05:10.920]  In this case, I use different accounts.
[05:10.920 --> 05:17.080]  So maybe he refers to a Fediverse account, and he refers to a Liberapay account.
[05:17.080 --> 05:23.440]  Again, these could be any number of services that he chooses to enter in the vault.
[05:23.440 --> 05:27.960]  And then he uploads a public key version of this to a so-called key server.
[05:27.960 --> 05:33.560]  So a public key in this context, we can view it as like a glass vault.
[05:33.560 --> 05:37.080]  Everybody can look inside, but no one can actually modify the contents.
[05:37.080 --> 05:41.360]  Only Bob can, and Bob secured it through cryptography.
[05:41.360 --> 05:46.080]  But everyone can actually look at this vault and look at the links that are inside.
[05:46.080 --> 05:54.920]  And on that fateful day that we just discussed, Alice, so she went to this key oxide page
[05:54.920 --> 06:02.280]  and she entered the number 42 because she knows that that's Bob's cryptographic key identifier.
[06:02.280 --> 06:07.560]  Again, they must have talked about this before or anything like that.
[06:07.560 --> 06:11.680]  But so beforehand, she knew that this was Bob's key.
[06:11.680 --> 06:18.080]  And so, well, a key oxide then goes and fetch this key from the key server, displays the
[06:18.080 --> 06:19.080]  data.
[06:19.080 --> 06:21.320]  But again, it's just displaying this as a list.
[06:21.320 --> 06:25.520]  It doesn't know yet if it's actually verified because just claiming that you are someone,
[06:25.520 --> 06:29.520]  a certain account on the internet, that's not sufficient.
[06:29.520 --> 06:34.800]  So what the key oxide then continues to do is that it will actually fetch some basic data,
[06:34.800 --> 06:38.480]  profiled data from this Fediverse account.
[06:38.480 --> 06:43.680]  And inside this Fediverse account, it will actually find a link back to the key, in this
[06:43.680 --> 06:46.280]  case the number 42.
[06:46.280 --> 06:51.600]  And with this confirmation, it actually knows that it verifies the identity.
[06:51.600 --> 06:59.160]  This really is the basis on how key oxide determines identity through bidirectional verification.
[06:59.160 --> 07:04.280]  So the key links to a certain account on the internet, and the account on the internet
[07:04.280 --> 07:07.360]  links back to the key.
[07:07.360 --> 07:10.560]  It does the same verification for the Liberapay account.
[07:10.560 --> 07:12.480]  It finds a link back to the key.
[07:12.480 --> 07:16.880]  So it has to be the same person that both actions put the link to the account in the
[07:16.880 --> 07:22.360]  key, and put the link to the key back in the account.
[07:22.360 --> 07:29.480]  So that's how it looks in the stick figure mode.
[07:29.480 --> 07:32.760]  This is an example of my account, for example.
[07:32.760 --> 07:40.040]  And so this big string, that's actually what the 42 were presented in the stick figures.
[07:40.040 --> 07:46.880]  And below are all my identities, all my accounts that I linked in my profile.
[07:46.880 --> 07:50.520]  And that actually have been verified by this website.
[07:50.520 --> 07:55.240]  So what this website does, kikosite.org, in the end is basically just like a little
[07:55.240 --> 07:56.480]  automation layer.
[07:56.480 --> 07:57.560]  You could verify it yourself.
[07:57.560 --> 07:59.760]  You could go to each of these profiles.
[07:59.760 --> 08:01.720]  You could go to each of these links.
[08:01.720 --> 08:05.960]  And just look for the reference back to my key, which is written up there.
[08:05.960 --> 08:09.000]  But yeah, that is kind of a tedious task.
[08:09.000 --> 08:12.920]  So that's what kikosite is designed to automate for you.
[08:12.920 --> 08:18.320]  But kikosite will always give you the option to verify for yourself.
[08:18.320 --> 08:21.600]  So currently, we do have a kikosite mobile app.
[08:21.600 --> 08:24.720]  It's available on fdroid for now only.
[08:24.720 --> 08:31.400]  And it only does this profile verification mode functionality.
[08:31.400 --> 08:35.960]  It doesn't do profile creation yet.
[08:35.960 --> 08:40.680]  For now, it requires you to use the command line, the GBG command line tool.
[08:40.680 --> 08:43.520]  So that's not for everyone.
[08:43.520 --> 08:48.880]  But yeah, we're working on making sure that the app can just make it just like Keybase
[08:48.880 --> 08:52.400]  used to do back in the day.
[08:52.400 --> 08:55.480]  And of course, we would like to release it on different play stores so that it's more
[08:55.480 --> 08:57.280]  widely available.
[08:57.280 --> 09:01.640]  But you can already play around with it right now.
[09:01.640 --> 09:06.400]  I would like to briefly touch on what is next for kikosite.
[09:06.400 --> 09:12.800]  So we're trying to create this more easy kind of way to create profiles, not only using
[09:12.800 --> 09:13.800]  OpenPGP.
[09:13.800 --> 09:17.240]  Right now, everything's OpenPGP within kikosite.
[09:17.240 --> 09:22.360]  But soon, you'll be able to use, like it says, a minisign keys or SSH keys or whatever
[09:22.360 --> 09:25.840]  keys we can find.
[09:25.840 --> 09:30.480]  As I said before, I would also like to have more apps that can actually help you and guide
[09:30.480 --> 09:34.360]  you in creating profiles so that it's not just for the very technical people among us,
[09:34.360 --> 09:42.360]  but also just more general that people can enjoy online identity verification.
[09:42.360 --> 09:47.680]  Another thing is for each website that we support, it needs to be programmed manually.
[09:47.680 --> 09:50.800]  We need to know the right APIs for every service.
[09:50.800 --> 09:55.720]  So there's a lot of work that goes into finding out how to do that.
[09:55.720 --> 10:01.480]  And of course, if a certain bird site decides to close their API, well, yeah, that is over
[10:01.480 --> 10:07.360]  then for those certifications, but that is their problem.
[10:07.360 --> 10:12.120]  So we need to, yeah, add support for more services and websites.
[10:12.120 --> 10:18.320]  And yeah, we should also play around with creating new websites, creating more clients.
[10:18.320 --> 10:22.760]  Clients can do a lot more things than just display a list of profiles.
[10:22.760 --> 10:28.960]  And these are things that should be explored, like different ways of using identity online.
[10:28.960 --> 10:32.200]  Actually, I did so myself.
[10:32.200 --> 10:37.040]  I created my own competitor, in this case named Kiyoksal Blue.
[10:37.040 --> 10:42.200]  And I just, yeah, like it says, I built this in an afternoon, and it's just that easy to
[10:42.200 --> 10:47.680]  get started with this ID because in the end, it's just an automation layer.
[10:47.680 --> 10:53.400]  And yeah, it was just a little quick test for myself to see how easy is it to create
[10:53.400 --> 10:55.360]  a new client.
[10:55.360 --> 10:59.120]  So if anyone feels like playing around with this, go ahead.
[10:59.120 --> 11:03.520]  It's a little fun, I guess.
[11:03.520 --> 11:09.280]  And the other thing that I quickly wanted to mention is to go further than just display
[11:09.280 --> 11:17.200]  a nice list of profiles and of online identities would be, what else can we do with online identity?
[11:17.200 --> 11:22.560]  And actually, a few hours ago, there was this presentation by Pablo, where he discussed
[11:22.560 --> 11:29.080]  creating CVs for developers in the end for more people, which is, for now, like developers,
[11:29.080 --> 11:31.080]  how can they share what they do online?
[11:31.080 --> 11:36.480]  How can they share their free open and open source contributions on different platforms,
[11:36.480 --> 11:38.920]  on different websites?
[11:38.920 --> 11:44.920]  So that is something that maybe we could explore using Kiyoksal as a back end to know who has
[11:44.920 --> 11:53.880]  done what and make a nice little CV of anyone's contributions to the open source world.
[11:53.880 --> 11:58.120]  And with that, I would like to thank Victor and Berker and all the other people who have
[11:58.120 --> 12:02.880]  contributed to the project so far, an illness for their funding.
[12:02.880 --> 12:06.920]  And yeah, if you like the idea behind this, do reach out.
[12:06.920 --> 12:07.920]  It's fun.
[12:07.920 --> 12:14.640]  And yeah, we're always looking for more people to get this field further.
[12:14.640 --> 12:15.640]  Thank you.
[12:15.640 --> 12:26.080]  Yeah, thank you a lot for that presentation.
[12:26.080 --> 12:30.920]  So we have now almost three minutes for questions.
[12:30.920 --> 12:33.520]  And after that, you will ask them outside.
[12:33.520 --> 12:34.520]  Anyone?
[12:34.520 --> 12:35.520]  Questions?
[12:35.520 --> 12:48.320]  So is this system dependent on a key server?
[12:48.320 --> 12:49.320]  And no.
[12:49.320 --> 12:52.120]  So the question was, is it dependent on key servers?
[12:52.120 --> 12:52.960]  In the end, no.
[12:52.960 --> 12:59.600]  So key servers are just one way of promoting, distributing keys.
[12:59.600 --> 13:05.600]  But there's also like WKD, web key directory where you can put keys on your own server.
[13:05.600 --> 13:08.280]  You could also share keys directly, of course, between people.
[13:08.280 --> 13:09.280]  Brilliant.
[13:09.280 --> 13:10.280]  OK.
[13:10.280 --> 13:16.120]  So have you also included key signing so that you can create a web of trust?
[13:16.120 --> 13:17.120]  No.
[13:17.120 --> 13:19.720]  There have been talks about that, you know, because...
[13:19.720 --> 13:20.720]  It will be good.
[13:20.720 --> 13:21.720]  Yeah.
[13:21.720 --> 13:28.760]  Yeah, of course, like the web of trust discussion, you know, that's, yeah, people like it.
[13:28.760 --> 13:32.640]  People don't like it.
[13:32.640 --> 13:36.880]  If you can make that socially easy for people, it's a big deal.
[13:36.880 --> 13:38.040]  Yeah.
[13:38.040 --> 13:43.400]  That is also something to explore, the social aspect between having identities and, yeah,
[13:43.400 --> 13:46.400]  because in the end, that's just another verification.
[13:46.400 --> 13:47.400]  Do people know each other?
[13:47.400 --> 13:51.240]  And then that, yeah, generates trust.
[13:51.240 --> 13:52.240]  Thanks.
[13:52.240 --> 13:56.840]  There was a few questions there.
[13:56.840 --> 14:00.240]  Yeah, there's a last question.
[14:00.240 --> 14:06.880]  Because also in that direction, do you have support for blockchain names or something
[14:06.880 --> 14:12.080]  like that, where the public key is on a chain?
[14:12.080 --> 14:14.240]  It should probably be feasible.
[14:14.240 --> 14:16.840]  We haven't looked that much into it yet.
[14:16.840 --> 14:21.720]  For now, we're just focusing on the basic platforms where people are and where you can
[14:21.720 --> 14:25.680]  just create an account and then, yeah, get some data back from an API.
[14:25.680 --> 14:31.400]  It should probably be feasible as long as you can, and as long as you have an online entity
[14:31.400 --> 14:39.640]  where you can put arbitrary data and you have a way of querying the data, everything's possible.
[14:39.640 --> 14:46.600]  It's just a matter of, yeah, send us a PR or send us an issue and let's discuss and
[14:46.600 --> 14:48.200]  we'll get it sorted.
[14:48.200 --> 14:49.200]  Okay.
[14:49.200 --> 14:50.720]  Thank you, Yarma.
[14:50.720 --> 14:51.720]  Thank you for listening.
[14:51.720 --> 14:58.720]  Thank you.