[Cryptography] Any opinions on keybase.io?

[Tony Arcieri]

On Tue, Dec 16, 2014 at 8:19 AM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
>
> On Dec 15, 2014, at 5:37 PM, Tony Arcieri <bascule at gmail.com> wrote:
> > However, they're trying to raise the usability bar, but the first thing
> you have to do is install Node.js and run a bunch of crap from the command
> line.
>
> Not at all. You can use their web UI without doing anything from the
> command line. This brings in some completely terrible features involving
> your private key, but no one has proposed any other way of doing what they
> do in a browser context with less terrible things.


Please see the work Google E2E is doing:

https://github.com/google/end-to-end

Google is collaborating with Yahoo to ensure their implementations are
compatible:

http://www.infoworld.com/article/2860435/security/googles-work-on-full-encryption-chugs-along-with-yahoos-help.html

Do note that that article does not give any actual solutions for people who
> do not completely trust their enterprise or service provider. A better
> description of the article is "we can and should make life much easier for
> those who trust others with their keys and identity".


Google proposed a CT-like transparency protocol which would help users
identify if their directory misadvertized their keys:

https://web.archive.org/web/20141117091459/https://code.google.com/p/end-to-end/wiki/KeyDistribution



> However, many of us tell our friends not to do that, particularly with
> high-value keys or identities.


Making users responsible for their own key management is a great security
practice, and key management forms a huge part of my day job, but asking
Johnny to manage his own keys doesn't help Johnny encrypt.

-- 
Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141216/f403d09a/attachment.html>