keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

Feature request: add Threema ID proof #810

Open sndrsmnk opened 10 years ago

sndrsmnk commented 10 years ago

I would like to be able to add proof (claim) for Threema IDs. Kinda like bitcoin, but more useful imho.

Publishing a signed statement of your Threema ID, fingerprint and QR-code, something like this, should allow your friends to scan the ID in their Threema after verifying the proof!

sndrsmnk commented 10 years ago

---Actually all you really need is the Threema ID itself and the fingerprint + a GPG signature. The CLI-tool could provide the QR for the fingerprint using libqrencode and show it on a terminal.---

No. You need to scan your own Threema QR to obtain the correct content to reproduce the QR. The content is in the format '3mid:yourid,sha256sum' and I'm not sure how that sha256sum is calculated.

I screenshotted my Threema ID and scanned it with Barcode Scanner by zxing to obtain the correct content.

zQueal commented 10 years ago

There's a nifty little library to create QR codes via the command line, so this should actually be pretty easy to implement on keybase's side.

It would look like this.

[image: qr]

sndrsmnk commented 10 years ago

Yes. Except for the QR to scan correctly in Threema, the content needs to be '3mid:IDHERE,SUMHERE'.

"3mid:D4FJHK8P,f23231b0158ec5d8135d07b926320c964fd2af5b100533537012ca124e92d648" for my ID, for example.

I'm not sure how that hash is calculated. It's not the literal fingerprint. I got this by scanning my own Threema QR. :)

zQueal commented 10 years ago

I just tried this application for the hell of it, and it's pretty great! I won't be using it, though. It generates a key--but why do that when I have my own? There would be no need to do a verification process if keybase could see that the key being used on Threema matches your key's fingerprint in a simple and automatic verification process--or you can simply sign a statement (like with current verifications) and verify that way. The only difference is there would be no public record (aside from keybase saying "Yup, this is him") that the identity is valid.

Also, the qr library can do any number of things, so for example here would be a formatted QR code that should work with the Threema application.

[image]

Also that, and with the help of phone based GPG encryption applications I was easily able to sign my Threema ID with my public key:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

HMCUVPXJ 
-----BEGIN PGP SIGNATURE-----
Version: OpenPGP Keychain v2.7
-----END PGP SIGNATURE-----

Again, my only issue is that I can't use my own private key to generate my Threema ID.
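
An added example, not part of the thread and not Keybase or Threema code: one way a client could strictly parse the scanned `3mid:ID,HEX` string, build a statement to clearsign, and check that a signature-verified statement is internally consistent before rendering a QR from it. The field shapes (8-character ID, 64 hex digits) are inferred from the sample posted above, and the statement layout, the username pattern and all function names are assumptions.

```python
import re

# Assumptions: field shapes are inferred from the sample payload in this
# thread (8-character ID, 64 lowercase hex digits); the second field is
# treated as an opaque value. The statement layout is hypothetical.
PAYLOAD_RE = re.compile(r"3mid:([0-9A-Z]{8}),([0-9a-f]{64})")
USER_RE = re.compile(r"[a-z0-9_]{1,16}")  # assumed Keybase username shape
# Sample payload as posted in the thread above.
SAMPLE = ("3mid:D4FJHK8P,"
          "f23231b0158ec5d8135d07b926320c964fd2af5b100533537012ca124e92d648")


class ProofError(ValueError):
    """Payload or statement does not have the expected shape."""


def parse_3mid(payload: str) -> tuple[str, str]:
    """Strictly parse a scanned '3mid:ID,HEX' string into (id, hex)."""
    m = PAYLOAD_RE.fullmatch(payload)
    if m is None:
        raise ProofError("malformed 3mid payload")
    return m.group(1), m.group(2)


def build_statement(user: str, payload: str) -> str:
    """Build the text to clearsign; rejects input that could inject lines."""
    if USER_RE.fullmatch(user) is None:
        raise ProofError("malformed username")
    tid, _ = parse_3mid(payload)
    return f"keybase: {user}\nthreema-id: {tid}\nthreema-qr: {payload}\n"


def check_statement(statement: str, expected_id: str) -> str:
    """Return the QR payload to render, or raise if the text is inconsistent.

    Call this only on cleartext whose signature has already been verified.
    """
    fields = {}
    for line in statement.splitlines():
        key, sep, value = line.partition(": ")
        if not sep or key in fields:  # unknown shape or duplicated field
            raise ProofError("unexpected statement line")
        fields[key] = value
    if set(fields) != {"keybase", "threema-id", "threema-qr"}:
        raise ProofError("missing or extra fields")
    tid, _ = parse_3mid(fields["threema-qr"])
    if not (tid == fields["threema-id"] == expected_id):
        raise ProofError("Threema ID mismatch")
    return fields["threema-qr"]
```

The check refuses a statement whose displayed ID and QR payload disagree, so a verifier never renders a QR for a different ID than the one shown in the proof.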