[Cryptography] Any opinions on keybase.io?

Guido Witmond guido at witmond.nl
Wed Dec 17 18:24:49 EST 2014 

On 12/17/14 19:15, Judson Lester wrote:
> 
> On Wed Dec 17 2014 at 7:50:29 AM Paul Hoffman <paul.hoffman at vpnc.org
> <mailto:paul.hoffman at vpnc.org>> wrote:
> 
>     You say that as if you have proposed a design that allows people
>     with only web browsers, not control of their command line, to
>     securely share their identities. I don't see that in your linked
>     article. Or are you saying that participation in this type of
>     identity federation should only be allowed to those of us with those
>     capabilities, or people who are willing to run some "trusted" binary
>     executable for our platform?
> 
> 
>  Everyone deserves trustworthy communications online.
> 
> I don't have a design that makes that possible for everyone. I don't
> know a design that does. Keybase isn't it. My deepest objection to
> Keybase is that it promises that and manifestly fails to deliver.
> 
> (I was working with the keybase group on a decentralized standard - the
> popularity of Keybase with technical folks discouraged me. But, yeah,
> it'd be command line stuff, most likely.)
> 
> One significant wrinkle is right there in your challenge: "willing to
> run a trusted binary" and "only web browsers." 


"Only web browsers" is impossible, as these lack a good way to manage
identities. But with a trusted (binary) user agent that follows a well
known protocol, it can offer private key management for the user.

> But more significantly, I don't know *how* to design a system that can
> protect participants without putting a significant responsibility on
> them - to understand the protocols, to review the programs they're
> using, to do *something* more than tick the 'secure' box. 

The key is to never ask the user to override a security decision. The
agent can either confirm that the cryptography is correct and let the
connection go through or it block with an error.

I've designed a protocol that lets people manage their identities
easily. I call it Eccentric Authentication [1].


> And that's by no means a condemnation of computer users everywhere. It's
> the voice of despair, because I think we deserve security, and to be
> able to do something other than maintain our security all the time.

Indeed, security should be at the bottom layers, being there for the
user at all times. The site admins have to set up some stuff in advance
but that's it.

Regards, Guido Witmond.

[1]: http://eccentric-authentication.org/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141218/38505d55/attachment.sig>

More information about the cryptography mailing list