If you want to send me encrypted hate mail (please, please, please do not send me hate mail) you don’t need a GPG client installed. It actually makes sending encrypted messages dumb easy. An account without working proofs – or worse, with proofs that are marked as invalid will then set off red flags for anyone searching the database.īut it does more than that. This means that if you ever lose control or ownership of one of the sites and services, you can remove it from Keybase, and if you get locked out of Keybase account you can just delete all your proofs. That message is to remain on our account and/or server and be publicly accessible. Which is why they require you to prove the ownership of the accounts and websites you register with it by posting or uploading a signed payload message. Keybase doesn’t want to be a key authority – they want to be a public directory. After all, it is just a random project threw together by some nerds, and they have nice modern layout and hand drawn artwork on their site meaning they are probably some silly hipster designers and not Real Developers™. You might ask, why should you choose to trust Keybase to be the authoritative public key directory. What do you do? You go to Keybase and type in “terminally” in the search box: Let’s say you want to confidentially tell that dude who writes Terminally Incoherent that he is so wrong he should immediately kill himself (or as we know it in our industry “the standard tech community greeting” – this is usually how developers say hello to each other), but you do not have his public key… Nor do you know his stupid name, or his stupid email – you only know his stupid URL where he posts all the wrong things, actively giving you cancer, and ruining your community. So a lot of people hate on Keybase just for attempting to make it a bit less painful and, dare I say it, fun. For decades the mantra of security community has been: good Crypto is hard to develop and therefore it should be hard to use. I know, I know – it sounds like sacrilege. Keybase aims to bring modern UX to the land of cryptography. That direction being: making public crypto more accessible, and less of a pain in the ass to use. It’s not perfect, but I really think it is a step in the right direction. It was mostly praise, because I really like the service. If you follow me on Twitter you have probably seen me tweetign up a storm about it in the past few weeks. Wouldn’t it be awesome, if there was a modern web service or database, where you could sign up, register your public key, and have it tied to your online identities that are actually relevant: like your twitter, github and your personal blog for example? Well, someone just made exactly that and named it keybase.io. And if you have to ask someone about the key, they might as well just send it to you right there and then, making key servers completely superfluous and unnecessary. There is really no easy way to verify validity of a public key found on a key-server, other than asking the alleged owner directly. Emails is slowly fading away as a unique identifier anyway. The only identifying information that is attached to a public key is a name and an email – the two things everyone knows about you already, and only one of these is semi-unique. Secondly, anyone can publish a public key. Firstly, they are polluted with thousands of defunct keys that may never be revoked, because they were generated by teenagers going though their 1337 h4x0r stage, and then promptly forgotten few years later. Key servers, as useful as they might be, are not an authoritative. I know that there are probably five or six different public keys floating out there with my name attached to them – and I have managed to lose or get locked out of each and every one of them. In practice however, private keys get lost, or worse – you forget their pass phrases, leaving you no means to generate the revocation certs. In theory, if you generate a new key pair, you can revoke the old key and push that information to the key servers. Were any of these keys still valid? Were the emails they were keyed to still in service? There was no way for me to know any of it. I recently looked at my key-chain and realized that it contained about a dozen public keys that I have not used or even thought about in years. It’s just annoying because the tools we have aren’t all that great, the integration with mail clients has been shitty for years and actually keeping track of your keys is a pain in the ass. There is also nothing inherently difficult about managing them. There is nothing inherently hard about generating private and public key pairs. Or rather, whenever it is used, it is abstracted away, and hidden behind layers of misdirection. The problem is, no one is actually using it. It is a mature technology an an industry standard.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |