On Fri, Apr 04, 2014 at 08:15:10PM -0400, Paul Tagliamonte wrote:
> On Sat, Apr 05, 2014 at 12:57:50AM +0100, Jonathan McDowell wrote:
> > 2 separate points to make here (as well as the general point Russ and
> > Paul have followed up with about what do we trust in general running on
> > the same machine as your GPG key).
>
> Sorry, I wrote that from my phone. My point was this attack vector
> (nonfree code running on the same machine as your OpenPGP key) taken to
> its absolute extreme (wine, dropboxd) is still *not* grounds for
> automated removal from the keyring.

I'm not disagreeing with that; I was agreeing that if you're going to
argue about one piece of non-free code then where do you draw the line.
What about my network interface firmware? My hard drive firmware? My
BIOS?

With my keyring-maint hat on I back Gunnar and Luca's statements that
people should not be uploading the private part of their keys used for
Debian work to the keybase website, and if I am made aware of any
private keys in the Debian keyring that are on the site I will treat
them as potentially compromised.

I am not saying you shouldn't try the keybase website on the same
machine as the key lives on, or examine the keybase CLI client, or run
the GPG commands manually. At present I have no firm opinion about these
actions.

> Furthermore, the way *I* set up Keybase was to run the GnuPG commands
> they requested (clearsigning and decrypting), since they looked safe and
> sane (and paste the results back in a form).

I had not noticed that was an option. I've also examined these commands,
decided they looked sane and pasted the output back into the form.

> > Firstly, there are 2 parts to the client side code from keybase.io, as
> > far as I'm aware[0]. The first is they have an in browser implementation
> > which requires your GPG private key to be stored on their server, but
> > has it passphrase encrypted and all of the actual use of the key is
> > through client side browser Javascript. The second is they have a
> > node.js based CLI tool which runs on your personal machine and uses a
> > key stored locally. This actually calls out to GPG to do the crypto.
>
> Thirdly, you can run raw (sane and short) GnuPG commands by hand in the
> terminal, pasting results back.

I hadn't noticed this was an option; thank you for making me aware of it.

> > The former I think is a bad idea (because it definitely involves
> > giving keybase the private part of the key). The latter on the face
> > of it sounds acceptable (as long as there's no part of the code that
> > is directly manipulating the key or potentially sending it off
> > machine) and doesn't seem to have any greater issue than anything
> > else that might use a GPG installation.
> >
> > With regards to my particular situation I have not used the
> > keybase website from any machine that also has my private GPG
> > available to it.
>
> I have, and I seriously doubt my key has been taken.

I agree, I don't think the code is going to maliciously try and steal my
key, it just happens that the machines I run browsers on don't have
access to my key by default.

J.

-- 
Web                                 [ And you can't help my life.  ]
site: http://www.earth.li/~noodles/ [ But you can hide the knives. ]
                                    [ HuggieTag 0.0.24             ]
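The "run the GnuPG commands by hand and paste the results back" option discussed in the thread, as an added example that is not part of the thread and not keybase's own code: it clearsigns a constructed challenge with a throwaway key in a temporary GNUPGHOME, verifies the result with the public key alone, and checks that the blob to be pasted carries no private-key armor. The key name, challenge string and function names are assumptions, and gpg 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not from the thread or from keybase: the manual
# "clearsign a challenge, paste the result back" flow, done against a
# throwaway key so the real Debian key is never loaded. Assumes gpg 2.1+.
set -eu

# Defender's check on the blob about to be pasted: it must be a signed
# message and must not carry any private-key armor.
no_private_key_material() {
    case "$1" in
        *"PRIVATE KEY BLOCK"*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -q -- '-----BEGIN PGP SIGNED MESSAGE-----'
}

make_clearsigned_proof() {
    # Isolated keyring; nothing here touches ~/.gnupg.
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"

    # Throwaway, unprotected test key (a real key is passphrase protected).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Proof Example <proof@example.invalid>' \
        default default never 2>/dev/null

    # Constructed stand-in for the challenge text the site asks you to sign.
    challenge='constructed-challenge-token-0001'

    # The only step that needs the secret key; its output is a signature
    # over the challenge, not key material.
    proof=$(printf '%s\n' "$challenge" | gpg --batch --quiet \
        --pinentry-mode loopback --passphrase '' --clearsign)

    # Anyone holding only the public key can verify what gets pasted.
    printf '%s\n' "$proof" | gpg --batch --quiet --verify >/dev/null 2>&1

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    printf '%s\n' "$proof"
}
```

Run `proof=$(make_clearsigned_proof) && no_private_key_material "$proof"` to produce a proof and vet it before pasting.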