
Re: keybase.io



On Friday, 04.04.2014, at 14:50 +0100, Jonathan Dowland wrote:
> keybase.io is a thing. This thing lets you, amongst other things, upload a copy
> of your PGP private key to their servers. This is client-side encrypted.
> 
> Discuss.

Well, this "thing" raises several red flags just by reading "upload ...
private key". This alone smells very wrong, because I'm of the opinion
that a private key must never leave my (trusted) system.

Reading a little about it, e.g. the issue tracker, they *require* the
passphrase when you upload the key [1]. With that it is completely out of
your control, and if it is client-side encrypted, what do they need the
passphrase for in the first place? This only makes sense if they need to
access the private key sometime, and then the client-side encryption is
snake oil (and you never know if yours had better be revoked).
 
Also, a reading suggestion:
https://github.com/keybase/keybase-issues/issues/489

Disclaimer: Just reading information, did not try anything out to
confirm the info.

[1] https://github.com/keybase/keybase-issues/issues/489

