Connecting your social profile with your OpenPGP key

[Image: Keypan screenshot]

What's the best way to let someone discover your PGP key if they only know you via a Twitter, G+ or GitHub profile? Add your profile URL as a user ID on your key, and publish the key's fingerprint on your profile site.

For example, here are some fingerprints published on Google+, on GitHub and on Twitter.

Clients can now search the distributed keyservers for keys by, say, a GitHub profile URL, and only accept keys whose linked profile sites carry a matching fingerprint.

Is this a fully reliable proof of identity? Not really: someone could have hacked into one of these social media accounts and altered the published fingerprint to a different one. But it offers a similar degree of assurance to what a service like Keybase offers, namely that whoever controls the key was also in control of the profile site.

This simple technique, however, doesn't need the complication of an additional service like Keybase: clients can use the existing (and distributed) keyservers directly to find keys, and check for confirming fingerprints directly on the profile sites added to the key.

I've implemented a sample client which does just this. It has a CLI as well as a nicer-looking web interface from a locally runnable web server.

[Image: keypan web interface]

Given a profile URL, it searches the keyservers and then automatically looks for matching fingerprints on the profiles linked from the key. The GitHub page has more details as well as instructions for publishing your key with gpg using this technique.