> On Nov 18, 2014, at 3:01 PM, Tao Effect <[email protected]> wrote:
>
>> And I will, as seems to be *my* role here, recommend checking out
>> keybase.io, which you can use without trusting, and provides what smells to
>> me like extremely practical probabilistic key<=>person mapping confidence.
>
> Keybase is about as good as you can get with a centralized system.

Storage and availability is centralized, but not trust. Clients don’t trust the server. And we write server state to the Bitcoin blockchain every 6 hours so the server can’t maliciously roll back (https://keybase.io/docs/server_security/merkle_root_in_bitcoin_blockchain).

> However, it creates a system that ends up being not very user friendly
> (especially when it comes to replacing lost or stolen keys). It's also a
> central point of failure.

Usability in the case of lost keys is ugly in almost any system I can think of. Our current plan is that if you lose your key, just delete your proofs and start all over. We do need better UX for that and everything else, of course. And we’re working on per-device keys for our next release.

Keybase need not be a central point of read failures, since our API and public data are wide-open to mirrors. The biggest lock-in of Keybase is a centrally-managed namespace, but we’re hoping this is a worthwhile trade-off to achieve greater adoption.

> And, for whatever reason, they replace personal everyone's email with their
> own @keybase.io email address, so your emails all go through their servers.
> As a centralized platform, I won't be surprised to see more of these
> walled-garden lock-in type things.

There are three cases. If you show up with your own PGP key, you can either push it to the server unmodified; or if you trust our client, you can add a [email protected] email address to your PGP key. If you don’t have your own key, we generate one with [email protected]. Our goal here is to prevent spammers from harvesting email addresses. We’re not 100% sure this is the right decision, but it seems like the polite one, and one that we can revisit in the future.

Let me add my congrats to the TextSecure team, awesome news.

BTW, if anyone wants to hack on Keybase, we have plans for a new application and a new release of all client software. We’re still a very small operation (2 of us) and self-funded, but we’re looking to expand aggressively in the coming months. E-mail me for more info and we can discuss off-list.
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
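
The rollback protection mentioned in the message above, sketched as an added example that is not part of the original post and is not Keybase's code. It assumes a simplified record format (`seqno`, `tree_root`, `prev`) and uses a single `(seqno, hash)` pair to stand in for a checkpoint read from an external append-only log such as a blockchain.

```python
import hashlib
import json

def root_hash(rec):
    """SHA-256 over one published root record (assumed fields: seqno, tree_root, prev)."""
    return hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()

def build_chain(tree_roots):
    """Constructed server history: each record commits to its predecessor via `prev`."""
    chain, prev = [], None
    for seqno, tree_root in enumerate(tree_roots, start=1):
        rec = {"seqno": seqno, "tree_root": tree_root, "prev": prev}
        chain.append(rec)
        prev = root_hash(rec)
    return chain

def check_against_anchor(served, anchor_seqno, anchor_hash):
    """Compare the history a server serves with one externally anchored checkpoint."""
    if not served or served[-1]["seqno"] < anchor_seqno:
        return "rollback: server head is older than the anchored checkpoint"
    prev = None
    for i, rec in enumerate(served, start=1):
        if rec["seqno"] != i or rec["prev"] != prev:
            return "broken chain at seqno %d" % i
        prev = root_hash(rec)
        if i == anchor_seqno and prev != anchor_hash:
            return "fork: served history does not match the anchor"
    return "ok"

def demo():
    honest = build_chain(["t1", "t2", "t3", "t4"])      # constructed sample data
    anchor = (3, root_hash(honest[2]))                  # checkpoint from the external log
    rewritten = build_chain(["t1", "tX", "t3", "t4"])   # altered past, links recomputed
    patched = [dict(r) for r in honest]
    patched[1]["tree_root"] = "tX"                      # altered in place, links stale
    return {
        "honest": check_against_anchor(honest, *anchor),
        "rolled_back": check_against_anchor(honest[:2], *anchor),
        "rewritten": check_against_anchor(rewritten, *anchor),
        "patched": check_against_anchor(patched, *anchor),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```

A server that recomputes every link after altering the past still fails, because the hash at the anchored sequence number no longer matches the value it cannot change.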
