[Cryptography] Any opinions on keybase.io?

Tony Arcieri bascule at gmail.com
Tue Dec 16 20:15:16 EST 2014

On Tue, Dec 16, 2014 at 8:19 AM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
> On Dec 15, 2014, at 5:37 PM, Tony Arcieri <bascule at gmail.com> wrote:
> > However, they're trying to raise the usability bar, but the first thing
> > you have to do is install Node.js and run a bunch of crap from the command
> > line.
> Not at all. You can use their web UI without doing anything from the
> command line. This brings in some completely terrible features involving
> your private key, but no one has proposed any other way of doing what they
> do in a browser context with less terrible things.

Please see the work Google E2E is doing:


Google is collaborating with Yahoo to ensure their implementations are


> Do note that that article does not give any actual solutions for people who
> do not completely trust their enterprise or service provider. A better
> description of the article is "we can and should make life much easier for
> those who trust others with their keys and identity".

Google proposed a CT-like transparency protocol which would help users
identify if their directory misadvertized their keys:


> However, many of us tell our friends not to do that, particularly with
> high-value keys or identities.

Making users responsible for their own key management is a great security
practice, and key management forms a huge part of my day job, but asking
Johnny to manage his own keys doesn't help Johnny encrypt.

Tony Arcieri