My contact card contains information needed to send encrypted messages to me and verify signed messages from me, including my blockchain ID, my OTR fingerprint, and my Signal fingerprint. This information is signed with the most up-to-date PGP key that I have linked to my blockchain ID. This short guide will tell you how to verify that the information contained in my contact card is really from me and not a man-in-the-middle attacker.
Step 1. Verify my blockchain ID.
First Person Verification
The most secure way of verifying my blockchain ID is to ask me what it is in person or on a call, and verify that the spelling of the full blockchain ID is correct. This is “first person” verification. In this case, I should tell you that my blockchain ID is lightcoin.id on the Bitcoin blockchain. As long as you trust me to tell you the correct blockchain ID, and as long as you trust that the private keys that control ownership of my blockchain ID are under my exclusive control, you can trust that any information linked to my blockchain ID was put there by me.
There is a less secure way of verifying my blockchain ID that could work in a pinch if you’re willing to extend a small amount of trust to independent third parties. If you know and trust my social media accounts, you can use the accounts that I have linked to and verified with my blockchain ID to come to a probabilistic conclusion that lightcoin.id is really my blockchain ID. In this case, I have verified both my Twitter and GitHub accounts. The only way that these verification messages could have been faked is if both my Twitter and GitHub accounts were compromised, and either I didn’t notice or no one else noticed and bothered to tell me. It’s up to you to decide what the probability of such a series of events occurring is before you can decide whether to trust this “social” verification method.
Step 2. Look up my blockchain ID to find my public key.
This step has a number of sub-steps.
- Download and install Blockstack Core. This will work best if you install it on your own server, either a personal server you run at home or a server that you rent in the cloud. Instructions for installing and running Blockstack Core can be found on the GitHub page.
- In your terminal window, run Blockstack Core and enter the lookup command for my blockchain ID:
blockstack lookup lightcoin.id
- Compare the public key fingerprint that Blockstack Core shows as linked to my blockchain ID with the fingerprint of my public key linked here. Compare the full fingerprint, not just the last few characters. If the fingerprints match, then you have the right public key.
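Added example (not code from the original guide or from Blockstack): a standard-library Python script that computes the OpenPGP v4 fingerprint of an ASCII-armored public key and compares it with the fingerprint string copied from the lookup output, so the comparison in the last sub-step is done by a program rather than by eye. It assumes the lookup shows the standard 40-hex-digit v4 fingerprint; the sample key block is constructed inline and is not a real key.

```python
import base64, hashlib, re, struct

def dearmor(armored: str) -> bytes:
    """Strip OpenPGP ASCII armor (RFC 4880 s6.2): armor headers, blank line, base64 data, CRC24 line, footer."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    body = lines[lines.index("") + 1:]  # everything after the blank line that ends the armor headers
    return base64.b64decode("".join(l for l in body if not (l.startswith("=") or l.startswith("-----"))))

def first_packet(data: bytes):
    """Parse one OpenPGP packet header (old or new format); return (tag, body)."""
    ptag = data[0]
    if not ptag & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ptag & 0x40:  # new-format header (RFC 4880 s4.2.2); one- and two-octet lengths only
        tag, first = ptag & 0x3F, data[1]
        if first >= 224:
            raise ValueError("five-octet or partial body lengths not supported")
        length, off = (first, 2) if first < 192 else (((first - 192) << 8) + data[2] + 192, 3)
    else:  # old-format header (RFC 4880 s4.2.1); 0x99 is tag 6 with a two-octet length
        tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        off = (2, 3, 5)[ltype]
        length = int.from_bytes(data[1:off], "big")
    return tag, data[off:off + length]

def v4_fingerprint(armored_key: str) -> str:
    """SHA-1 over 0x99 || two-octet body length || public-key packet body (RFC 4880 s12.2)."""
    tag, body = first_packet(dearmor(armored_key))
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a v4 public-key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def fingerprints_match(shown: str, computed: str) -> bool:
    """Ignore spacing and case, but require all 40 hex digits: an 8- or 16-digit key ID is not a fingerprint."""
    norm = lambda s: re.sub(r"[^0-9A-Fa-f]", "", s).upper()
    a, b = norm(shown), norm(computed)
    return len(a) == 40 and a == b

# Constructed sample: a structurally valid v4 RSA public-key packet with a toy modulus (not a real key).
def mpi(x: int) -> bytes:
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")

SAMPLE_BODY = (b"\x04" + struct.pack(">I", 1500000000) + b"\x01"               # v4, creation time, RSA
               + mpi(int.from_bytes(bytes(range(1, 65)), "big")) + mpi(65537))  # n, e
SAMPLE_KEY = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed sample\n\n"
              + base64.b64encode(b"\x99" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY).decode()
              + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Feed `v4_fingerprint` the armored key you downloaded and `fingerprints_match` the string the lookup printed; a false result means you do not have the right key, even if the short key ID happens to agree.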
Step 3. Use the public key linked to my blockchain ID.
You can now use the public key that you confirmed is linked to my blockchain ID to verify signed messages from me and trust that the messages were actually written by me. It does not matter where the signed messages are hosted – as long as you can verify the signature with the public key that you found linked to my blockchain ID, you can be sure that I made the signature (assuming, of course, that you trust me and trust that my private key has not been compromised).