one-of-us.net — manual
The one-of-us.net phone app is meant to be simple. It creates and stores your cryptographic public/private key pair and lets you sign statements with it. The private key never leaves your phone (only delegate keys do).
- Sign and publish trust statements referencing other folks' public keys, thus forming our cryptographically secure web-of-trust.
- Create disposable, delegate key pairs and allow other services (the Nerd'ster) to state stuff on your behalf.
The statements are replicated to the cloud and are meant to be portable and available to be read and trusted by anyone or any service.
For example, my one-of-us statements are here:
https://export.one-of-us.net/?token=2c3142d16cac3c5aeb6d7d40a4ca6beb7bd92431
Beginner: Trust folks (join the network), Sign in to the Nerd'ster!
Until you trust someone else on the network, your network will be empty (and useless).
Until someone else on the network trusts you, you'll be invisible to the network (and useless).
Trust someone
Options:
Meet them in person:
- Click on the "person add" icon on the main screen of the ONE-OF-US phone app, and use your phone's camera to scan the QR code on the main screen of their ONE-OF-US phone app.
Use email, text, or something else to share public keys:
Folks can share their public key through the menu "/etc/Share my public key/QR code":
Ask your comrades and associates to share their public key with you. View the QR code they sent you on your big computer and scan it with your one-of-us phone app.
Once the app has initiated the process of signing a trust statement, fill in the field "moniker" (typically first name) and optionally "comment", click trust, approve, congratulations!
-- let your associates trust you
Do the reverse of the above.
Until someone on the network trusts you, you'll be invisible to the entire network, and so this is important.
Delegate sign in to the Nerdster
Access the Nerdster on a computer web browser:
Find it at https://nerdster.web.app/ or wherever else it may be embedded, such as https://aviv.net, https://nerdster.org, etc...
Find the top left menu (it should say something like "Viewing as Tom") and choose "QR sign-in".
The Nerdster should now display a QR code to be scanned by your ONE-OF-US phone app.
Use your ONE-OF-US phone app:
Click the sign-in icon on the bottom right of your ONE-OF-US phone's main screen.
Your phone may ask you for camera permission, allow it.
Use your phone's camera to scan the code on your computer with your phone.
If this is your first time signing in, the app may ask you if you want to create a "delegate key" for the Nerdster. Do that, and confirm the process.
You should now be signed in and centered as yourself on the Nerdster.
TODO(aviv): Write a Nerdster man page and link here.
In case you don't see any content, you probably don't one-of-us trust anyone, and so your network is empty.
Statement types
Statements are signed by your active ONE-OF-US public/private key pair.
The subject of these statements is always another public key.
The verb tells us what you are stating about that other key: trust, block, delegate, or replace.
Form the network: {trust, block}
The trust network is defined by the trust relationships.
In case of fraud or mistakes, a block may be required.
--moniker
A moniker, typically a first name, is required in trust statements.
Authorize other services: {delegate}
Your ONE-OF-US key pair is your identity, but you can also create disposable "delegate" keys to hand over to other services to state stuff on your behalf.
--revokeAt
In case of lost or compromised keys, or in case a delegate service misbehaves, you can revoke the key you gave it.
That is done by issuing an overriding delegate statement, this time with revokeAt set to the last valid statement, so that whatever statements that key signs after it's been revoked are not considered valid.
Maintain your identity: {replace}
In case you lose your phone, reinstall the app, or have your key compromised, you can replace your key.
The goal is to maintain your identity even though you'll be using a new key. The statement you'll state with your new key is something like, "This new key of mine replaces my old key as of this particular time".
All of those you've trusted or blocked with your old key will be understood to be trusted or blocked by your new key, and the same goes for delegate keys, folks who've trusted you, and even older keys which you've replaced before.
--revokeAt
A revokeAt (revoked at last statement) token is always required for replace statements.
Mechanics of using the app
The app lists all statements made by your active and replaced keys in 3 groups:
{trust, block}: the subject of these is someone else's key
{delegate}: the subject of these is a key you've handed over to another service.
{replace}: the subject of these is an old key of yours which you've lost or retired.
Overwrite (re-state) or clear (erase) statements
One key's disposition towards another is singular, and so if you trust a key and then block it, only the most recent statement is your key's disposition towards the other. The "clear" verb acts as "erase", and so if you trust a key and then clear the key, it's like you never said nothin' at all.
And so whatever you do can always be undone.
(If you lose your private key, then it's more complicated, but there's a path for that, too.)
You can re-state any statement by finding it under the "state" menu, clicking its box, and updating its fields ("moniker", "revokedAt", or "comment").
This will override whatever you previously stated.
You can also clear any statement (similarly, find the statement and then choose "clear").
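The overwrite, clear, and revokeAt rules described above, worked through as an added example (not the app's own code). The `Statement` layout, the token values, the `say` verb, and the fail-closed handling of an unknown revokeAt token are assumptions made for illustration; signatures are assumed to have been verified already.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Statement:            # assumed layout, not the app's wire format
    token: str              # constructed id of this statement
    signer: str             # key that signed it
    verb: str               # trust | block | delegate | replace | clear
    subject: str            # key (or, for a delegate, item) it is about
    revoke_at: Optional[str] = None   # token of subject's last valid statement

def dispositions(log, signer):
    """Latest statement per subject wins; 'clear' erases it entirely."""
    current = {}
    for s in log:           # log is ordered oldest-first
        if s.signer != signer:
            continue
        if s.verb == "clear":
            current.pop(s.subject, None)
        else:
            current[s.subject] = s
    return current

def valid_statements(log, key, revoke_at=None):
    """Statements signed by `key`, cut off after the revoke_at token."""
    own = [s for s in log if s.signer == key]
    if revoke_at is None:
        return own
    tokens = [s.token for s in own]
    if revoke_at not in tokens:
        return []           # assumption: unknown token fails closed
    return own[: tokens.index(revoke_at) + 1]

def delegate_output(log, identity, delegate):
    """What a reader accepts from `delegate` on behalf of `identity`."""
    d = dispositions(log, identity).get(delegate)
    if d is None or d.verb != "delegate":
        return []           # never delegated, or the delegation was cleared
    return valid_statements(log, delegate, d.revoke_at)

# Constructed sample log; "say" stands in for whatever a delegate states.
LOG = [
    Statement("t1", "me", "trust", "bob"),
    Statement("t2", "me", "block", "bob"),        # overrides t1
    Statement("t3", "me", "trust", "carol"),
    Statement("t4", "me", "clear", "carol"),      # as if t3 never happened
    Statement("t5", "me", "delegate", "d1"),
    Statement("d1-a", "d1", "say", "item-1"),
    Statement("d1-b", "d1", "say", "item-2"),     # signed after compromise
    Statement("t6", "me", "delegate", "d1", revoke_at="d1-a"),
]
```

Before `t6` is published, both delegate statements are accepted; after it, only `d1-a` is, because the overriding delegate statement names it as the last valid one.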
Novice: Maintain your own keys
Phones and keys can get lost or hacked.
When you create replacement keys, you need to take a few steps so that your network understands that your new key still represents you.
your one-of-us identity keys
Don't lose your one-of-us key and don't get hacked.
In case you lose your one-of-us key or get hacked, you can replace your one-of-us key.
You do this by
creating a new one-of-us key and
using your new key to sign and publish a statement that it is a replacement of your lost key
But immediately after you do this, no-one will know that you've replaced your key. You'll need to reach out to the folks who trusted your old key and ask them to trust your new key.
Once some of them have done that, the others should see a notification on their Nerdster that an attempt has been made to replace a key that they trust directly, and so they may possibly reach out to you to confirm that before you reach out to them.
To actually get started on this, use the state / replace menu on your one-of-us phone app.
your delegate keys
In case you had to replace your one-of-us key, then you should use your new key to state that your old delegate keys are associated with your new one-of-us identity key.
Delegate keys for which you still have the private keys can be used by importing them.
Delegate keys which you don't have the private keys for can and should still be claimed by your active one-of-us identity key.
In case you suspect that a delegate key has been compromised, then you can re-delegate it and revoke it as you do.
Advanced: Maintain your network
Identify and block bots, bad actors, or careless humans
This is your network.
Blocking a one-of-us key is harsh!
You should only block a key in case you have strong reason to believe that the key
does not represent a real person
or maybe it does represent a person, but that person is not acting in good faith (e.g. blocks indiscriminately, trusts fake "Elon", etc.)
or maybe that person trusts too carelessly or just doesn't get it (e.g. scans QR keys from Instagram)
Help folks you trust maintain their keys
If and when one of your trusted associates loses their key, they'll need to:
create a new key
use their new key to state that their new key replaces their old key
You'll need to:
trust their new key
clear your trust in their old key
and possibly to advise them on how to do all this. Please do.
/etc
Copy/paste instead of QR
I use copy/paste instead of QR mostly during development, but there may be times when the text version of the key is more useful (maybe hard to point the phone camera at the same phone's display, for example).
Most UI gestures that scan for a QR code also have a paste icon to accomplish the same.
Pitfalls
--DO NOT: Block people you dislike
or those whose views you don't appreciate.
Those are real people, and they belong in the ONE-OF-US network. Instead, block them for Nerdster-follow, censor their content, etc...
--DO NOT: Trust folks by scanning their QR codes from the Nerdster
If I get a text from an unknown number saying, "Hey, Tom. This is John. I had to get a new phone plan, please update my number in your contacts.", I'll want to speak to him first, right?
If you need this explained further, then sorry, buddy, you ain't nerd!