Pond and Keybase [was peerio.com]

[Cathal Garvey]

 > How about Pond as email replacement?

I've looked at Pond long enough to see that it calls upon Tor for most 
of the anonymity heavy-lifting, and that it is clearly targeted at 
technical users. Most of the people in my life who I speak privately to 
are not technical. I don't think trivial UX is near in Pond's 
development roadmap.

 > I'm curious what you (and others here) think about Keybase, which also
 > seems heavily targeted at normal users. There was some discussion here
 > in mid 2014, but Keybase has been tweaked a lot since then. I'm quite
 > impressed with its usability, but I don't have the expertise to properly
 > evaluate its security. I am uncomfortable with the option of uploading
 > private GnuPG keys, and counting on symmetric encryption for securing
 > them. Better I think would be helping users understand how to properly
 > migrate keys between devices, or perhaps to use smartcards.

Keybase could have been a great way to encourage PGP uptake among normal 
people years ago when things were accepted to be difficult universally, 
but PGP's days are behind us. PGP makes a good way to sign code but 
remains a terrible way to communicate securely, because although it's 
"uncrackable" when used correctly, it's very easy to accidentally screw 
up using PGP on either end of the conversation. Also, the lack of PFS 
ignores parts of the modern threat model that were speculative when PGP 
was created.

Suffice to say that, even ignoring the issues with Keybase encouraging 
key escrow by "allowing" or encouraging key upload (!!!), I don't think 
it helps. Perhaps as a basis on which to build a web-of-trust that can 
be transposed into newer cryptosystems, but the key escrow part makes 
falsification of trust a real possibility.

Anyway, maybe that's just me.

-- 
Twitter:  @onetruecathal
Phone: +353876363185
miniLock: JjmYYngs7akLZUjkvFkuYdsZ3PyPHSZRBKNm6qTYKZfAM
peerio.com: Use email or phone. Uses above miniLock key.