Hiya — So, I've just redeemed an alpha invite to a new service called Keybase (https://keybase.io) that I haven't seen mentioned yet in gnupg-users. GnuPG is pretty central to it, or at least it can be, and I'm writing mostly to get it on everyone's radar and register a couple of first impressions.
I'm also curious what you might have to say about the soundness of the "proofs" used by this scheme, whether the holes I've imagined are real, and whether I've missed anything larger. What it claims to be -------------------- From the front: "Get a public key, safely, starting just with someone's social media username(s). From there, unbounded potential!" "And have you ever been invited to a key party? Yeah, we neither :-(" The front page appears to describe, in some vagueness, a system of exchanging usernames that is somehow a suitable substitute for actual offline key exchange. (I find such a claim questionable; however, I haven't taken the time to completely map it out. But let's say some person other than me signs an assertion saying "My name is Eve, public key signature is ABCDEFGH, and @psmay is my Twitter account". Let's say, for the sake of argument, that I don't treat my Twitter password with the same respect with which I treat my passphrase, and the attacker tweets the assertion. Then, let's say someone else tries to look up a public key for @psmay and finds that assertion. Private messages intended for me are now going to my doppelganger. I think this serves to suggest that the assertion itself may tend to be only as strong as a weaker link than the signature itself.) (I'm also a little more offended than I should be by the key party comment. I ran one once.) What it actually seems to be ---------------------------- Keybase, from what I've determined so far, is each of * a set of client idioms for * direct exchange and verification of "proofs", i.e. signed assertions * authoring a canonicalized JSON assertion that an online asset, either cryptographic in nature (like a bitcoin address) or not so cryptographic (such as a social networking username), belongs to a keyholder * signing said assertion * posting a signed assertion (or some sort of surrogate signature sufficient to determine that such an assertion has been signed) to demonstrate control of the asset * Examples: * Control of a Github account is demonstrated by posting a Markdown document containing the assertion and signature as a Gist * Control of a Twitter account is demonstrated by posting, as a tweet, a truncated signature and a link to a signed assertion to which that truncated signature is associated. * verifying found assertions made by another user against that user's public key * discovery and exchange of proofs by way of the central directory implemented by the website * generic sign, encrypt, decrypt, verify operations, with asserted usernames as an available substitute for key ids * a command-line program, `keybase`, that implements the client idioms in terms of GnuPG * a web application, `http://keybase.io`, the also implements the client idioms * an online directory (also part of `http://keybase.io`) for discovery and exchange of proofs (which is intended, by design, not to be strictly necessary for authoring, signing, exchanging, or verifying proofs, but merely a convenient place for these things to happen) Of particular note is that the website itself implements the client protocol, though it is not the only option (there is the command-line client, and crypto operations for the website can also be accomplished through supplied, auditable shell commands involving gpg, perl, and curl). A user may post a client-encrypted copy of a private key to be stored on the server, after which crypto operations can be executed directly in the browser in JavaScript. (They acknowledge that "Some people have strong feelings about this, for good reason." I'm among them.) The players ----------- The co-founders of Keybase are also co-founders of OkCupid. As sketchy as that might sound now, the history of OkCupid reaches farther back to a pre-social-networking social networking site called SparkMatch, a subsite of TheSpark, with roots in the fabled academic communities of Harvard and MIT. Do with that what you will. Cheers ___ Peter S. May http://psmay.com/ A0E6 3851 9ABB 112E 7303 DD91 7A2E 91FB 7885 DAFC _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users