[Cryptography] Any opinions on keybase.io?

Paul Hoffman paul.hoffman at vpnc.org
Wed Dec 17 10:53:49 EST 2014

> On Dec 16, 2014, at 5:15 PM, Tony Arcieri <bascule at gmail.com> wrote:
> On Tue, Dec 16, 2014 at 8:19 AM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
> On Dec 15, 2014, at 5:37 PM, Tony Arcieri <bascule at gmail.com> wrote:
> > However, they're trying to raise the usability bar, but the first thing you have to do is install Node.js and run a bunch of crap from the command line.
> Not at all. You can use their web UI without doing anything from the command line. This brings in some completely terrible features involving your private key, but no one has proposed any other way of doing what they do in a browser context with less terrible things.
> Please see the work Google E2E is doing:
> https://github.com/google/end-to-end
> Google is collaborating with Yahoo to ensure their implementations are compatible:
> http://www.infoworld.com/article/2860435/security/googles-work-on-full-encryption-chugs-along-with-yahoos-help.html

Yep, and AFAICT, it is equally terrible to keybase.io. (More or less depending on whether you trust Google and Yahoo...)

> Google proposed a CT-like transparency protocol which would help users identify if their directory misadvertized their keys:

That doesn't help Johnny encrypt his personal communications. It's good stuff, but orthogonal to this thread.

> Making users responsible for their own key management is a great security practice, and key management forms a huge part of my day job, but asking Johnny to manage his own keys doesn't help Johnny encrypt.


--Paul Hoffman
