On Saturday, 17 January 2015 11:22:02, Mirimir wrote:
> On 01/17/2015 03:52 AM, rysiek wrote:
> > So,
> >
> > Mirimir wrote:
> >> | 13. Targeted attacks against PGP key ids are possible
> >>
> >> This is an advantage of Keybase. Then we're not depending on the KeyID,
> >> or even on the fingerprint, but rather on an identity that's multiply
> >> and independently authenticated.
> >
> > I keep hearing more and more about Keybase, and I have a problem with it.
> > It's a centralised service, owned and controlled by a single entity;
> > moreover, the keys are tied to online identities controlled by corporate
> > third parties (Twitter, Facebook, et al). I don't see Diaspora/The
> > Federation support, for instance.
>
> As I understand it, Keybase is an API. The website/service is merely a
> demonstration. The developers are aiming for mass adoption, and so
> they've targeted the most popular sites. With some coding, arbitrary
> sites could be used, with two requirements. First, it must be possible
> for users to post persistent signed proofs. Second, it must be possible
> for the API to access those signed proofs, in order to verify them.
>
> > My problem with this is two-fold:
> >
> > 1. It might allow abuse, esp. MITM attacks. If Keybase becomes a /de
> > facto/ standard of acquiring keys, it seems trivial to me for them to
> > replace a valued target's key with something a LEA would provide.
>
> That's the value of trackers. Those tracking such a compromised target
> would see that various public signed proofs are no longer valid for the
> target's key on Keybase. The adversary could alter all of the target's
> public signed proofs. But even that wouldn't suffice, because trackers
> have independent snapshot histories of public proofs. And furthermore,
> snapshot histories are embedded in the Bitcoin blockchain.

Wait, how/where does Bitcoin come into this? Did I miss it somehow? I admit
I didn't dive into Keybase incredibly deep, but still...

> > 2. It still promotes the closed, walled gardens. Diaspora or GNU Social
> > support would not be that hard to implement.
>
> Signed proofs could be placed anywhere that's accessible to the API. But
> that takes coding, and developers have priorities. One can request.

Right.

> Anyway, I've created a test identity: https://keybase.io/Proba. Once
> I've added enough proofs, and have enough trackers, I plan to mess with
> it by replacing the public key held by Keybase, altering some of the
> proofs, and so on. Then we can see how that shows up for its trackers,
> and for other users. I'll also explore impacts of malicious trackers.

Oh, great, I really appreciate that effort. Please keep me posted!

-- 
Regards,
Michał "rysiek" Woźniak
I'm changing my GPG key :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147
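The tracker argument quoted above (a directory swapping a tracked identity's key is visible to trackers that hold their own earlier snapshot, even if every proof is re-signed) as an added toy model in Go; this is example code written for this thread, not Keybase's own implementation. It assumes Ed25519 as a stand-in for PGP, proofs that are plain signed statements naming the key fingerprint, and a tracker that keeps only a local snapshot (the blockchain anchoring mentioned in the quote is not modelled).

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Proof is a statement posted on a third-party account, signed by the identity key.
type Proof struct{ Account string; Statement, Sig []byte }
// Record is what the directory serves; Snapshot is what a tracker keeps independently.
type Record struct{ PubKey ed25519.PublicKey; Proofs []Proof }
type Snapshot struct{ Fingerprint string; Statements map[string]string }

func hexHash(b []byte) string { h := sha256.Sum256(b); return hex.EncodeToString(h[:]) }

// MakeProof binds an account to the key fingerprint and signs that binding.
func MakeProof(priv ed25519.PrivateKey, account string) Proof {
	fp := hexHash(priv.Public().(ed25519.PublicKey))
	stmt := []byte(fmt.Sprintf("%s owns key %s", account, fp))
	return Proof{account, stmt, ed25519.Sign(priv, stmt)}
}

// Track records the key fingerprint and the hash of every proof statement seen.
func Track(rec Record) Snapshot {
	s := Snapshot{hexHash(rec.PubKey), map[string]string{}}
	for _, p := range rec.Proofs {
		s.Statements[p.Account] = hexHash(p.Statement)
	}
	return s
}

// Audit compares a freshly fetched record with the snapshot: a swapped key fails the
// fingerprint check, stale proofs fail verification, and proofs re-signed by the new
// key still differ from the statement text the tracker recorded.
func Audit(rec Record, snap Snapshot) []string {
	var issues []string
	if hexHash(rec.PubKey) != snap.Fingerprint {
		issues = append(issues, "served key differs from tracked key")
	}
	for _, p := range rec.Proofs {
		switch {
		case !ed25519.Verify(rec.PubKey, p.Statement, p.Sig):
			issues = append(issues, p.Account+": proof signature invalid for served key")
		case snap.Statements[p.Account] != hexHash(p.Statement):
			issues = append(issues, p.Account+": proof text differs from snapshot")
		}
	}
	return issues
}
```

A tracker that only checks signatures would be fooled once the proofs are re-signed; the stored statement hashes are what keep the swap visible.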