[Cryptography] keybase.io

ianG iang at iang.org
Sat Jan 3 11:33:12 EST 2015

On 2/01/2015 17:30 pm, Randy Bush wrote:
> i am trying to understand keybase.io (yes, clearly i have too much free
> time on my hands)
> my tentative conclusion, it leverages my pgp credential to attest to
> other identities, e.g. domain control, bitcoin, ...


> but do you care if i control a domain or a bitcoin account?  i could pgp
> sign a message attesting "my bitcoin id is ..."
> what is more amusing is that the three things for which i publish
> pgp signed attestation (see https://psg.com) are not covered
>    o my OTR keys for xmpp
>    o my root x.509 CA cert
>    o the ssh fingerprints of critical hosts
> a friend said
>> having a way to authenticate together the online identities of folks
>> could be useful.
> to the nsa, yes.

Yes.  SO one essential feature should be the ability to form these 
relationships without broadcasting the info.  But, due to success of 
open ledger in blockchain, etc, and past successes from social networks, 
the idea of publishing everything is very much in vogue right now.

> but how is it useful to the users?  e.g. i do not see
> a way to leverage it to solve the "first date problem," key exchange
> with a new remote friend.

The presumption is that knowing someone's identity allows you to trust 
them.  This is famously leveraged to promote a little thing called SSL 
and certificates, which "knowing" leads to trust in online commerce 
leads to wealth & riches for some.

The world at Bitcoin large is also trying to figure out this little 
thing called online commerce.  In general, the presumption "knowing is 
trust" is also being bandied about there.

There are two flaws here.  One is "knowing what?"  As you discover 
above, for the "what" to be intelligent there needs to be a unified 
system.  This is a challenge for mainstream Bitcoin as it isn't actually 
set up for the unification;  hence all sorts of add-on startyps that 
allow one piece of the puzzle to be collected in the hope that others 
will accept that one piece belongs there.

There are more and better ideas at the Bitcoin 2.0 players:  Ethereum et 
al have included these ideas inside their scope, so the hope there is 
that the tool can be seamlessly used for (eg) online commerce and other 
apps yet to be conceived.

The second great flaw is "what happens when something goes wrong?" Which 
never got answered in the past.  If you're interested, I can wax on for 
days on how to that, show you the blueprints, sell you my t-shirt, etc. 
  But, for most people at most times and for most Bitcoin startups and 
most online commerce people and most participants in the old "trust 
business", it suffices to say "it'll never happen to me, you're a loony, 
pass on please."

> clue bat, please.

I'm sorry.  Would a nerf ball suffice?


More information about the cryptography mailing list