On 06/24/2014 08:28 AM, Cathal Garvey wrote:
> Wait, do you *have* to keep your private keys in keybase? I thought it was mostly pubkey operations?
>
> I'm much more skeptical if they keep private keys, that's dark stuff. Imagine how many private keys are protected with terrible passwords, and what damage you could do to the WOT if you could just quietly crack enough keys in the WOT and use them to sign a fraudulent cert?

You don't HAVE to, but they give this possibility. You can (if you want) store your private key in Keybase. They ask you to cipher your private key locally and send it to Keybase's servers. If you don't store your private key in its databases, you are unable to use some online services they offer, like signing documents. You will only be able to do that using their NodeJS tool.

But your point is my point. I believe serious security professionals, or people that understand the importance of cryptography, first, won't send their private keys to Keybase and, second, if they do, will use a strong password. We must never forget http://xkcd.com/936/

But we know average people use very weak passwords, and only one password for everything. So, as I said, a little bit of paranoia is good, and this "feature" makes me believe a little less in Keybase, unfortunately.

The main idea is pretty good, and I have been trying to implement this culture in Brazil for a long time, but I usually say that ordinary people don't like computers: they like Skype, Facebook, Instagram... So, people don't care about privacy. If the same people see that movie about Assange, or read his book, or see the latest news about privacy and Google and start to learn about cryptography, they will store private keys with lame passwords, and we'll have this fraudulent cert risk.

In my opinion, nothing will replace a good key signature party, anyway.