A little housekeeping. Due to hardware limitations of the server and concerns about the SKS software/protocol, the Philly Mesh keyserver will be offline until further notice.
Now that we have erected an SKS keyserver, I invite everyone to sign the Philly Mesh GPG key to help verify our identity. There are many GPG/PGP applications out there, but below I will provide steps for the gpg utility available on many POSIX systems (Linux, Darwin, etc.). Ideally, with enough signatures, the Philly Mesh key has a higher probability of entering the Web of Trust strong set, the largest collection of strongly-connected gpg keys.
Receive the Philly Mesh Key
Before you can sign the Philly Mesh key, you will need to download it to your system via a keyserver. Here is an example using the SKS server pool:
$ gpg --keyserver pool.sks-keyservers.net --recv-keys 0x8f5b291d3a3ca65a
gpg: requesting key 3A3CA65A from hkp server pool.sks-keyservers.net
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
Now, you should be able to list the Philly Mesh key in your public keyring. Make sure that the key has not been revoked and is not expired:
$ gpg --list-keys 0x8f5b291d3a3ca65a
pub   4096R/3A3CA65A 2017-11-25 [expires: 2027-11-23]
uid                  Philly Mesh <firstname.lastname@example.org>
uid                  Philly Mesh <email@example.com>
uid                  Mike Dank <firstname.lastname@example.org>
sub   4096R/1744B74A 2017-11-25 [expires: 2027-11-23]
Before you sign the Philly Mesh key, you want to make sure that it is actually owned by Philly Mesh. For some people, this is as easy as asking me online somewhere or in person. For others, you might want to check the verifications for Philly Mesh on Keybase, which show that this key has been verified by the phillymesh.net domain. For those who want some instant verification that this key is associated with the domain phillymesh.net, you can query a DNS record on the domain which holds the key’s fingerprint.
First, let’s see the fingerprint for the key you have just received:
$ gpg --fingerprint 0x8f5b291d3a3ca65a
pub   4096R/3A3CA65A 2017-11-25 [expires: 2027-11-23]
      Key fingerprint = C58B 0431 C815 F315 7310 0959 8F5B 291D 3A3C A65A
uid                  Philly Mesh <email@example.com>
uid                  Philly Mesh <firstname.lastname@example.org>
uid                  Mike Dank <email@example.com>
sub   4096R/1744B74A 2017-11-25 [expires: 2027-11-23]
Now, let’s query fingerprint.phillymesh.net, which pulls a live TXT record set up on the domain housing the trusted fingerprint:
$ dig +short -t txt fingerprint.phillymesh.net
"C58B 0431 C815 F315 7310 0959 8F5B 291D 3A3C A65A"
The fingerprint from the gpg --fingerprint command should match the result from the dig command. If it doesn’t match, don’t trust the key. Someone may be in control of the phillymesh.net domain and try to get you to trust their false key. Keep in mind that this check is only as strong as the DNS answer you receive: it catches a bogus key sitting on a keyserver, but it cannot tell you anything if the TXT record itself has been tampered with, so compare it against at least one of the other verification routes above as well.
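The comparison above can be scripted so that a typo or a partial match is not waved through by eye. The following POSIX shell script is an added example and is not part of the original post; it reads the fingerprint from gpg's machine-readable --with-colons output, normalizes both values, and only reports a match when exactly one 40-hex-digit fingerprint is found on each side. It assumes gpg and dig are installed for the live run (pass --live); without that flag it checks a constructed sample built from the fingerprint shown in the post.

```sh
#!/bin/sh
# Added example (not from the original post): compare the fingerprint gpg
# reports for the received key with the one in the DNS TXT record before
# running --sign-key. Assumes gpg and dig are installed for the live check.
KEYID="0x8f5b291d3a3ca65a"; RECORD="fingerprint.phillymesh.net"

# Constructed sample of `gpg --with-colons --fingerprint` output and of the
# `dig +short` answer. The primary fingerprint is the one the post shows;
# the timestamps and the subkey fingerprint are placeholders.
SAMPLE_COLONS='pub:-:4096:1:8F5B291D3A3CA65A:1511568000:1827014400::-:::scESC:
fpr:::::::::C58B0431C815F315731009598F5B291D3A3CA65A:
sub:-:4096:1:000000001744B74A:1511568000:1827014400:::::e:
fpr:::::::::0000000000000000000000000000000000000000:'
SAMPLE_TXT='"C58B 0431 C815 F315 7310 0959 8F5B 291D 3A3C A65A"'

# Strip quotes and whitespace and upper-case, so the spaced dig answer and
# the compact --with-colons form compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '" \t\n' | tr 'a-f' 'A-F'
}

# The first "fpr" record (field 10) is the primary key's fingerprint; later
# fpr records belong to subkeys such as 1744B74A.
primary_fpr_from_colons() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeeds only when gpg yields one 40-hex-digit fingerprint and the DNS
# answer is exactly that value. An empty answer, two TXT records or a
# single differing digit all fail, so the caller refuses to sign.
fingerprints_match() {
    gpg_fpr=$(normalize_fpr "$(primary_fpr_from_colons "$1")")
    dns_fpr=$(normalize_fpr "$2")
    case "$gpg_fpr" in *[!0-9A-F]* | '') return 1 ;; esac
    [ "${#gpg_fpr}" -eq 40 ] || return 1
    [ "$gpg_fpr" = "$dns_fpr" ]
}

# With --live the real key and record are queried; otherwise the sample is.
if [ "${1:-}" = "--live" ]; then
    colons=$(gpg --with-colons --fingerprint "$KEYID")
    txt=$(dig +short -t txt "$RECORD")
else
    colons=$SAMPLE_COLONS; txt=$SAMPLE_TXT
fi
if fingerprints_match "$colons" "$txt"; then
    echo "OK: fingerprint matches $RECORD; safe to run gpg --sign-key $KEYID"
else
    echo "MISMATCH: do not sign $KEYID" >&2
fi
```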
Sign the Key
Now, you are ready to sign the Philly Mesh key. At this point, we assume that you have already created a key of your own. While receiving the key in the initial section above, we also assume you have made sure the key has not expired or been revoked.
Sign the Philly Mesh key with your own key, following the prompts as they come up. At the time of this writing there are 3 uids (email addresses) associated with this key (listed below in the command output). They can each safely be signed:
$ gpg --sign-key 0x8f5b291d3a3ca65a
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2027-11-23
pub  4096R/3A3CA65A  created: 2017-11-25  expires: 2027-11-23  usage: SC
                     trust: ultimate      validity: ultimate
sub  4096R/1744B74A  created: 2017-11-25  expires: 2027-11-23  usage: E
[ultimate] (1). Philly Mesh <firstname.lastname@example.org>
[ultimate] (2)  Philly Mesh <email@example.com>
[ultimate] (3)  Mike Dank <firstname.lastname@example.org>

Really sign all user IDs? (y/N) y
After signing, send the key back to the keyserver so the signature is recorded:
$ gpg --keyserver pool.sks-keyservers.net --send-key 0x8f5b291d3a3ca65a
gpg: sending key 3A3CA65A to hkp server pool.sks-keyservers.net
That’s all it takes! Your signature will now be recorded and the record will update across all keyservers in the SKS pool. You can check that your signature has been recorded here (it might take a few minutes to populate).
After a trial run of setting up a keyserver over the summer, I am now making the Philly Mesh OpenPGP Keyserver public for all to use.
The keyserver currently runs SKS, and is ideal for uploading or downloading gpg/pgp keys. A great feature of SKS is that it has what are known as “gossip peers.” Gossip peers help with the transmission of keys uploaded on each node by sending them to all other nodes they gossip with. This creates a web that allows all nodes to communicate and transfer keys through one another. Ultimately, if a key is uploaded to one node, it will end up on all of the others in the network.
The Philly Mesh keyserver, available at gpg.phillymesh.net, is now part of several official server pools run by sks-keyservers.net. If you currently use the gpg utility, you may already be accessing it!
Of course, you can always use gpg.phillymesh.net specifically instead of via a server pool. The server has unencrypted HKP available on ports 80 and 11371, and encrypted HKPS available on ports 443 and 11372.
Additionally, this keyserver is available with HKP access over Hyperboria at the address h.gpg.phillymesh.net, and over the Tor network at the address phillygoh7mkcb44.onion. HKPS is not necessary over these networks as they are already end-to-end encrypted.
Here are some examples of how to access the keyserver:
# Clearnet access over HKP (IPv4/IPv6)
$ gpg --keyserver gpg.phillymesh.net --recv-keys 3A3CA65A

# Clearnet access over encrypted HKPS (IPv4/IPv6)
# Note, you may need gnupg-curl, not just gnupg
# Do: sudo apt-get install gnupg-curl
$ gpg --keyserver 'hkps://gpg.phillymesh.net' --recv-keys 3A3CA65A

# Hyperboria access over HKP
$ gpg --keyserver h.gpg.phillymesh.net --recv-keys 3A3CA65A

# Tor access over HKP
$ gpg --keyserver phillygoh7mkcb44.onion --recv-keys 3A3CA65A
Philly Mesh now has a public GPG key that you can use for any email correspondence you would like (it is completely optional to use). Using GPG ensures that Philly Mesh will be the only entity that can read any email you send. The 4096-bit GPG key has been uploaded to the MIT Public Key Server, and can be checked here, where you will also be able to see that it was signed by me personally. Additionally, you can also see the key over on Keybase.
Philly Mesh now also has a ProtonMail email address for any sensitive matters that you do not believe can be discussed through any other email provider. The address for this account is email@example.com.
In our ever-changing world, you never know who or what may be reading.
For easy access, the GPG key is pasted below!
The Philly Mesh website is now available from Hyperboria. The new subdomain h.phillymesh.net will resolve to [fc4a:cb93:88dc:32e1:43ec:e1b8:2b45:dd46] and is available via both HTTP and HTTPS:
As cjdns encrypts traffic end-to-end, standard HTTP should be acceptable in most configurations. You will want to use the HTTPS link if you connect to Hyperboria via a cjdns gateway on a different machine or if you share the machine running cjdroute.
If you do use HTTPS, you will likely get a warning from the browser that the certificate is invalid, as it is issued for an IP in a private address space (as all Hyperboria addresses are). Be aware, there should be no issue with this certificate. In the future, I may go through the process of configuring a CA for phillymesh.net (self-signing a cert for h.phillymesh.net and distributing the root cert, signed with my GPG key), but I don’t find it necessary right now. The current certificate is issued by Let’s Encrypt.