Re: keybase.io

Luca Filipozzi wrote [Fri, Apr 04, 2014 at 02:02:09PM +0000]:
> FWIU, the client-side encryption is javascript provided by the service so
> modifiable by the service at will and able to capture/transmit passphrase.
> DDs interested in experimenting with this service are encouraged to NOT
> upload the PGP private key that is registered in the Debian Keyring.
> If you sign up for the beta and receive an invitation, please consider
> generating a new, independent PGP keypair for use with this service.

Right, I strongly agree with Luca here. To be clear, if I spot any key
that's both in any of the Debian keyrings and in keybase.io, I will
proceed as if the key had been lost or compromised and immediately
remove it from our keyring.

Not that I will be checking for it (for now, at least). Not that I
have even talked about it within the team. But I strongly think it's
one of the duties of us as keyring maintainers. (Cc:ing for a reality
check ;-) )

