Keybase

[rysiek]

Dnia sobota, 17 stycznia 2015 11:22:02 Mirimir pisze:
> On 01/17/2015 03:52 AM, rysiek wrote:
> > So,
> > 
> > Mirmir wrote:
> >> | 13. Targeted attacks against PGP key ids are possible
> >> 
> >> This is an advantage of Keybase. Then we're not depending on the KeyID,
> >> or even on the fingerprint, but rather on an identity that's multiply
> >> and independently authenticated.
> > 
> > I keep hearing more and more about keybase, and I have a problem with it.
> > It's a centralised service, owned and controlled by a single entity;
> > moreover, the keys are tied to online identities controlled by corporate
> > third parties (Twitter, Facebook, et al). I don't see a Diaspora/The
> > Federation support, for instance.
> 
> As I understand it, Keybase is an API. The website/service is merely a
> demonstration. The developers are aiming for mass adoption, and so
> they've targeted the most popular sites. With some coding, arbitrary
> sites could be used, with two requirements. First, it must be possible
> for users to post persistent signed proofs. Second, it must be possible
> for the API to access those signed proofs, in order to verify them.
> 
> > My problem with this is two-fold:
> > 
> > 1. It might allow abuse, esp. MITM attacks. If Keybase becomes a /de
> > facto/
> > standard of acquiring keys, it seems trivial to me for them to replace a
> > valued target's key with something a LEA would provide.
> 
> That's the value of trackers. Those tracking such a comprised target
> would see that various public signed proofs are no longer valid for the
> target's key on Keybase. The adversary could alter all of the target's
> public signed proofs. But even that wouldn't suffice, because trackers
> have independent snapshot histories of public proofs. And furthermore,
> snapshot histories are embedded in the Bitcoin blockchain.

Wait, how/where does Bitcoin come into this? Did I miss it somehow? I admit I 
didn't dive into keybase increadibly deep, but still...

> > 2. It still promotes the closed, walled-gardens. Diaspora or GNU Social
> > support would not be that hard to implement.
> 
> Signed proofs could be placed anywhere that's accessible to the API. But
> that takes coding, and developers have priorities. One can request.

Right.

> Anyway, I've created a test identity: https://keybase.io/Proba. Once
> I've added enough proofs, and have enough trackers, I plan to mess with
> it by replacing the public key held by Keybase, altering some of the
> proofs, and so on. Then we can see how that shows up for its trackers,
> and for other users. I'll also explore impacts of malicious trackers.

Oh, great, I really appreciate that effort. Please keep me posted!

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 931 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20150117/8c534b98/attachment-0002.sig>