On Friday, 04.04.2014, at 14:50 +0100, Jonathan Dowland wrote:
> keybase.io is a thing. This thing lets you, amongst other things, upload a copy
> of your PGP private key to their servers. This is client-side encrypted.
> 
> Discuss.

Well, this "thing" raises several red flags just by reading "upload ...
private key". This alone smells very wrong, because I'm of the opinion a
private key must never leave my (trusted) system.

Reading a little about it, e.g. the issue tracker, they *require* the
passphrase when you upload the key [1]. With that it is completely out of
your control, and if it is client-side encrypted, what do they need the
passphrase for in the first place? This only makes sense if they need to
access the private key sometime, and then the client-side encryption is
snake oil (and you never know if yours should better be revoked).
 
Also, a reading suggestion:
https://github.com/keybase/keybase-issues/issues/489

Disclaimer: Just reading information, did not try out something to confirm
the info.

[1] https://github.com/keybase/keybase-issues/issues/489

