
keybase.io (was: Key Discovery Made Simple)
On Wed, 31 Aug 2016 04:27, mirimir@riseup.net said:

> What are the defects in <https://keybase.io/>?

They do not even try to minimize the use of metadata but use privacy-
invading services (Facebook, Twitter, etc.) to connect the key into a way
larger network than what we have with the Web of Trust. A kind of key
signing party for the Twitter generation.

I am not sure, but I heard that keybase.io is moving towards a
centralized system for encrypted message exchange.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
/* Join us at OpenPGP.conf <https://openpgp-conf.org> */


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: keybase.io (was: Key Discovery Made Simple)
Werner,

On Wed, Aug 31, 2016 at 5:45 PM, Werner Koch <wk@gnupg.org> wrote:
> I am not sure, but I heard that keybase.io is moving towards a
> centralized system for encrypted message exchange.

keybase.io's ulterior motive is for the end user to use their PGP/GPG
JavaScript implementation, but it is not mandatory (to upload your
existing private key) when the end user enrolls.

On Wed, Aug 31, 2016 at 5:45 PM, Werner Koch <wk@gnupg.org> wrote:
> They do not even try to minimize the use of metadata but use privacy-
> invading services (Facebook, Twitter, etc.) to connect the key into a way
> larger network than what we have with the Web of Trust. A kind of key
> signing party for the Twitter generation.

I'm enrolled at https://keybase.io/cmlh and it is worth noting that
there is no URL listed on keybase.io for SKS or
https://pgp.mit.edu/pks/lookup?search=0xA46325100EAEE92B&op=index&fingerprint=on&exact=on
for example.

That stated, for anything I don't want disclosed I would generate
separate subkeypairs.

Also, while keybase.io supports GitHub, their independent integration is
https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/
as opposed to https://gist.github.com/cmlh/b3f0bcd38533a2dc05b8, for
example.


--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

Re: keybase.io
On 08/31/2016 01:45 AM, Werner Koch wrote:
> On Wed, 31 Aug 2016 04:27, mirimir@riseup.net said:
>
>> What are the defects in <https://keybase.io/>?
>
> They do not even try to minimize the use of metadata but use privacy-
> invading services (Facebook, Twitter, etc.) to connect the key into a way
> larger network than what we have with the Web of Trust. A kind of key
> signing party for the Twitter generation.

But that's what I like about it :) Mirimir can't have an old-school Web
of Trust. Nobody that I know in meatspace knows that I use that
pseudonym. With KeyBase, Mirimir has signed proofs on Hacker News,
reddit, and GitHub. Even if someone compromised my KeyBase account, and
added a fake key, they couldn't change those published proofs, which are
signed by my true key.

I don't use Facebook or Twitter, because they're not friendly to
pseudonyms. But for those not using pseudonyms, privacy invasion through
verification of meatspace identity is a benefit, no? There's no privacy
in attending a key signing party, is there?

> I am not sure, but I heard that keybase.io is moving towards a
> centralized system for encrypted message exchange.
>
>
> Shalom-Salam,
>
> Werner
>

Re: keybase.io
On Thu, 1 Sep 2016 02:55, mirimir@riseup.net said:

> verification of meatspace identity is a benefit, no? There's no privacy
> in attending a key signing party, is there?

I have long since stopped considering key signing parties a useful thing. The
WoT is helpful but is independent of such events. The better way of
providing assurance that you always talk to the same key is TOFU.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
/* Join us at OpenPGP.conf <https://openpgp-conf.org> */
Re: keybase.io
On 09/01/2016 12:02 AM, Werner Koch wrote:
> On Thu, 1 Sep 2016 02:55, mirimir@riseup.net said:
>
>> verification of meatspace identity is a benefit, no? There's no
>> privacy in attending a key signing party, is there?
>
> I have long since stopped considering key signing parties a useful thing.
> The WoT is helpful but is independent of such events. The better
> way of providing assurance that you always talk to the same key is TOFU.

Ensuring that you keep talking to the same key is pretty easy. The
hard thing is knowing what key is correct for someone who's defined
only by an online presence. Where you have no WoT overlap. Comparing
public keys from multiple sources is workable, but tedious. Very cool
would be a tool to automate that, protect the keyring from corruption,
and remove any cruft. Maybe TOFU could do that?

> Shalom-Salam,
>
> Werner
>

Re: keybase.io
On Thu, 1 Sep 2016 08:34, mirimir@riseup.net said:

> Ensuring that you keep talking to the same key is pretty easy. The
> hard thing is knowing what key is correct for someone who's defined
> only by an online presence. Where you have no WoT overlap. Comparing

You see signed messages from someone and over time you build up trust.
Eventually you want to send a mail, and the TOFU system will consider
that email/key valid due to the signatures gathered over time.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
/* Join us at OpenPGP.conf <https://openpgp-conf.org> */
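The TOFU behaviour Werner describes (bind an address to the key that signs its mail, accumulate observations over time, and treat a second key appearing for the same address as a conflict) can be shown with a small key-binding store. This is an added illustration, not GnuPG's own TOFU implementation or its database format; the policy names, the thresholds (10 signatures over at least 30 days) and the fingerprints and dates are constructed assumptions for the example.

```python
"""Illustrative trust-on-first-use (TOFU) store for email/key bindings.

Added example; it is not GnuPG's code. Thresholds and sample data are
assumptions chosen for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Binding:
    """One observed (email, key fingerprint) pair and its history."""
    email: str
    fingerprint: str
    first_seen: date
    last_seen: date
    signatures: int = 1


class TofuStore:
    # Assumed thresholds: a binding becomes "good" only after this many
    # verified signatures spread over at least this many days.
    MIN_SIGNATURES = 10
    MIN_DAYS = 30

    def __init__(self):
        self.bindings = {}  # (email, fingerprint) -> Binding

    def observe_signature(self, email, fingerprint, seen_on):
        """Record one verified signature from `fingerprint` on mail from `email`.

        Returns the policy that applies to the binding after this observation.
        """
        key = (email, fingerprint)
        binding = self.bindings.get(key)
        if binding is None:
            # First use: bind the address to this key, but do not trust it yet.
            self.bindings[key] = Binding(email, fingerprint, seen_on, seen_on)
        else:
            binding.signatures += 1
            binding.last_seen = max(binding.last_seen, seen_on)
        return self.policy(email, fingerprint)

    def keys_for(self, email):
        return [b for (addr, _), b in self.bindings.items() if addr == email]

    def policy(self, email, fingerprint):
        """Decide how a key for an address should be treated right now.

        "unknown"  - never seen this pair; consult another source or ask.
        "conflict" - another key has also signed mail from this address.
        "ask"      - seen, but not yet enough history to rely on it.
        "good"     - consistent history over time; usable for encryption.
        """
        binding = self.bindings.get((email, fingerprint))
        if binding is None:
            return "unknown"
        if any(b.fingerprint != fingerprint for b in self.keys_for(email)):
            return "conflict"
        span_days = (binding.last_seen - binding.first_seen).days
        if binding.signatures >= self.MIN_SIGNATURES and span_days >= self.MIN_DAYS:
            return "good"
        return "ask"


def simulate():
    """Constructed scenario: one key signs twelve mails over two months,
    then a second key appears for the same address."""
    store = TofuStore()
    start = date(2016, 8, 1)            # constructed date
    addr = "alice@example.org"          # constructed address
    fpr_a = "A" * 40                    # constructed fingerprints
    fpr_b = "B" * 40
    results = [store.observe_signature(addr, fpr_a, start + timedelta(days=d))
               for d in range(0, 60, 5)]
    before_conflict = store.policy(addr, fpr_a)
    # A different key now signs mail claiming the same address.
    store.observe_signature(addr, fpr_b, start + timedelta(days=60))
    return results, before_conflict, store.policy(addr, fpr_a), store.policy(addr, fpr_b)


if __name__ == "__main__":
    print(simulate())
```

The point the simulation makes is that TOFU never asserts who a key belongs to; it only reports that the same key has kept signing mail from the address, and it turns a silent key substitution into a visible conflict that the user must resolve out of band.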
Re: keybase.io
On 09/01/2016 02:15 AM, Werner Koch wrote:
> On Thu, 1 Sep 2016 08:34, mirimir@riseup.net said:
>
>> Ensuring that you keep talking to the same key is pretty easy.
>> The hard thing is knowing what key is correct for someone who's
>> defined only by an online presence. Where you have no WoT
>> overlap. Comparing
>
> You see signed messages from someone and over time you build up
> trust. Eventually you want to send a mail, and the TOFU system will
> consider that email/key valid due to the signatures gathered over
> time.

I'm guessing that's from a mail list. And I'll try it. Thanks :)

> Salam-Shalom,
>
> Werner
>
