Jonathan Dowland said [Fri, Apr 04, 2014 at 02:50:01PM +0100]:
> keybase.io is a thing. This thing lets you, amongst other things, upload a copy
> of your PGP private key to their servers. This is client-side encrypted.
>
> Discuss.

As this thread was started at debian-private, I sent some of my replies there. But given Jonathan has moved this (thanks!) to a public list, I'll just copy my mail answering him (along with his quoted text):

Jonathan Dowland said [Thu, Apr 03, 2014 at 05:23:31PM +0100]:
> Sure! I'll try.

Thanks a lot for your lengthy and interesting explanation!

> I think, what they are trying to do, is widen the base of people using PGP by
> providing tools to do so in browsers. I.e. lowering the barrier of
> entry.

Right. This very first point is what makes me curious. I have been interested in finding user-friendly tools to manage encryption (and its different properties). Sadly, as the tools get better, I get further away from understanding what a "regular" user wants as a user experience. So my input on the field is less and less relevant ;-)

> (...)
> You can also associate yourself with twitter, github and
> your own personal website. For each method, you use the keybase client to
> generate some kind of challenge that proves you hold the PGP key that is
> associated with your keybase.io account, and post that challenge on the site:
> (...)
> Within keybase, you can 'track' people, which is a bit like following in a
> social network, but establishes a cryptographic relationship. I've followed a
> few folks so far.

Right. So I'll now exhibit my ignorance on current-day social habits. I understand people following each other on message-posting services, such as Twitter — if you are interested in what I say, you follow me. Or some models (FB) require relations to be bidirectional. But what is "following" in the context of jmtd.net? (I even struggle to understand social media on Github... I am interested in projects, not in people!)
Me being a non-social-networkee, how would I interact with keybase without caring for the people I supposedly "follow"? Or, OTOH, I understand this identified your Twitter persona. Now, do you encrypt your tweets? Sign them? How much longer are your Twitter messages when you append a GPG-like signature to them?

> There's a keybase command-line client with which you can perform all of the
> above operations. There is also a bunch of stuff in their website, which I
> can't really use because I haven't uploaded my private key. (When I have time I
> will generate a new test key and upload that, replacing my real one - and
> breaking the auth of the twitter, github etc.)

Right. What I like so far about this client is that it is *way* more natural (again, for users) than gnupg. And, of course, I expect different GUIs to follow. That can be interesting.

Now, maybe this tool could be augmented with intelligence on how to relay a message by the best route possible. I mean, I see you can "keybase encrypt jmtd -m 'a secret msg'". What does this give you? A message ready to cut+paste into your favorite form? Or does it get sent via the best possible route to jmtd? Say, maybe I can only establish a trusted path to your account via Twitter; then 'a secret msg' gets posted as three public gibberishy messages on Twitter (and only jmtd can decrypt them). Or does this tool just give you a gpg-signed text to cut+paste into your mail?

> The keybase web client supports signing, verifying, encrypting and decrypting
> messages to each other, via your PGP key. The process is done client side, and
> the key is crypted client side (at least they say so. I haven't investigated
> properly), but the encrypted privkey is stored server side.

Right. It is all done client side, but... Why does it have to store your private key server-side?
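The proof mechanism Jonathan describes (a signed statement that binds a PGP key to a Twitter or GitHub account) and Gunnar's question about how much a signature adds to a tweet can both be tried offline with plain gpg. The script below is an added example written for this page, not code from the thread or from keybase: it creates a throw-away, passphrase-less key in a temporary GNUPGHOME, signs a statement naming the service, the account and the key fingerprint, measures the armoured detached signature, and verifies it the way a tracker would, checking not only that the signature is good but that it was made by the very key the statement claims. The handle "jmtd", the e-mail address and the statement wording are illustrative assumptions; keybase's real proof format is different.

```shell
#!/bin/sh
# Added example, not from the thread or from keybase: a keybase-style
# identity proof done with plain gpg. Everything lives in a throw-away
# GNUPGHOME so the script is self-contained and leaves nothing behind.
# "jmtd", the address and the statement wording are illustrative assumptions.
set -e

GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT
WORK="$GNUPGHOME/work"
mkdir "$WORK"

# Throw-away key without a passphrase. Demo only: never do this for a real key.
gpg --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: jmtd demo
Name-Email: jmtd@example.invalid
Expire-Date: 0
%commit
EOF

# Fingerprint of the (only) key in this keyring: the key being bound to the account.
key_fingerprint() {
  gpg --batch --list-keys --with-colons --fingerprint 2>/dev/null \
    | awk -F: '/^fpr/ { print $10; exit }'
}

# The public statement. It must name the service, the account AND the key,
# otherwise a signature proves nothing about which account belongs to whom.
proof_statement() {  # $1 = service, $2 = account, $3 = fingerprint
  printf 'I am %s on %s and my PGP key fingerprint is %s\n' "$2" "$1" "$3"
}

# Detached, ASCII-armoured signature: this is the blob that would be posted.
sign_proof() {  # $1 = statement file, $2 = signature file
  gpg --batch --quiet --armor --detach-sign --output "$2" "$1" 2>/dev/null
}

# Verifier (tracker) side. Two checks: the signature is valid, and the signing
# key is the one the statement claims. A valid signature from some other key is
# not a proof. Prints "ok" or "FAIL".
verify_proof() {  # $1 = signature file, $2 = statement file, $3 = claimed fingerprint
  signer="$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
            | awk '/^\[GNUPG:\] VALIDSIG/ { print $3; exit }')"
  if [ -n "$signer" ] && [ "$signer" = "$3" ]; then
    echo ok
  else
    echo FAIL
  fi
}

FPR="$(key_fingerprint)"
STMT="$WORK/statement.txt"
SIG="$WORK/statement.asc"
proof_statement twitter jmtd "$FPR" > "$STMT"
sign_proof "$STMT" "$SIG"

# Gunnar's question: how much does the signature add to a 140-character tweet?
SIG_BYTES="$(wc -c < "$SIG" | tr -d ' ')"

# Constructed tampered statement: same signature, different account. Must fail.
TAMPERED="$WORK/tampered.txt"
proof_statement twitter someone_else "$FPR" > "$TAMPERED"

printf 'statement:       %s\n' "$(cat "$STMT")"
printf 'signature size:  %s bytes (armoured, detached)\n' "$SIG_BYTES"
printf 'genuine:         %s\n' "$(verify_proof "$SIG" "$STMT" "$FPR")"
printf 'tampered:        %s\n' "$(verify_proof "$SIG" "$TAMPERED" "$FPR")"
printf 'wrong key claim: %s\n' "$(verify_proof "$SIG" "$STMT" 0000000000000000000000000000000000000000)"
```

The armoured RSA-2048 signature alone runs to several hundred bytes, several times a 140-character tweet, which is why keybase posts a short statement on the service and keeps the full signed proof elsewhere. The check that matters for "tracking" is the last one in verify_proof: the fingerprint the verifier already trusts must equal the fingerprint gpg reports in its VALIDSIG status line, not merely appear in the text.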