[LCA2015-Chat] Keybase.io invites

Delan Azabani delan at azabani.com
Wed Jan 14 21:39:16 EST 2015


I agree with Fraser's summary of the service.

To clarify, for every operation that requires your private key (i.e.
signing a key, signing a message, or encrypting a message) you are
presented with three options:

a) Use Keybase's (presumably JavaScript) implementation of PGP to
do the action in your browser.

This uses the private key which you have stored with Keybase.
Uploading your private key is totally optional, but it's required to
use this option. While your private key is ostensibly encrypted using
your Keybase password, for this you must trust Keybase and their
server code.

b) Use Keybase's CLI client to do the action locally.

This does not require you to upload your private key. The client's
interface is trivial to use (e.g. $ keybase track delan) and the
client is open source (among other repositories on GitHub/keybase).

c) Use a completely transparent shell one-liner.

For the truly paranoid (wise?) Keybase can generate a pipeline for you
to inspect and then dump into your shell. The command takes the form:

$ echo ... | gpg -u ... -a --sign | perl -e ... | curl -d ...

Unless I'm missing something, this final option requires no trust of
Keybase or their code.

P.S. — I have three invitations available. Hit me up!


On Wed, Jan 14, 2015 at 11:23 PM, Steve Walsh <steve at nerdvana.org.au> wrote:
> On 01/14/2015 11:09 PM, Fraser Tweedale wrote:
>> I view it as, and use it as:
>>
>> a) a directory of cryptographically strong assertions binding social
>>    network accounts to OpenPGP keys, and
>>
>> b) a convenient tool for generating such assertions
>>
>> The assertions themselves are not stored in keybase.io and are
>> verifiable and meaningful on their own.
> AIUI (and very happy to be corrected on this) the cli client will look
> for the identifying posts on each proven identity (ie - it checks for a
> particular twitter post, a particular post on your github profiles,
> etc), and will notify the people following your verification status if
> it changes, thus giving a solid time stamp at which this identity
> should stop being trusted, and at what point it can start being trusted
> again (should you choose to do so).
>
> The github identity, for example, provides a useful way for those who
> sign code to confirm that the code submitted up to a certain point is
> (for given values) certifiably from the person committing it, etc.
>
>
>> Some people I spoke to expressed concern about keybase possessing or
>> asking for one's private key.  I either did not encounter or
>> summarily ignored and subsequently forgot about any such aspect.
>> Perhaps others could comment further.
>
> I'm boarding the Nope train on that aspect of it.
>
>
> _______________________________________________
> Chat mailing list
> Chat at lists.lca2015.linux.org.au
> http://lists.lca2015.linux.org.au/mailman/listinfo/chat
