
Re: keybase.io



[I trimmed the To down to -project because I think everyone on the CC is
 reading that; I certainly am so no need to explicitly CC me.]

On Fri, Apr 04, 2014 at 05:18:13PM -0600, Gunnar Wolf wrote:
> Jonathan McDowell said [Fri, Apr 04, 2014 at 10:35:41PM +0100]:
> > > > To be clear, if I spot any key
> > > > that's both in any of the Debian keyrings and in keybase.io, I will
> > > > proceed as if the key had been lost or compromised and immediately
> > > > remove it from our keyring.
> > > 
> > > No, sorry. Don't do that. My key is on keybase, but *not the private
> > > half*
> > 
> > Likewise. I have signed up to keybase.io largely to kick the tires and
> > see what I make of it. I will absolutely not be trusting any third party
> > with the private half of my key on their servers, even if it's
> > passphrase protected and the crypto carried out at the client side.
> 
> Urgh...
> 
> Well, please enlighten me here: Without fully auditing the Javascript
> code you are using to do the crypto client-side, can you *really* be
> certain your private half has not travelled to Keybase?

2 separate points to make here (as well as the general point Russ and
Paul have followed up with about what do we trust in general running on
the same machine as your GPG key).

Firstly, there are 2 parts to the client side code from keybase.io, as
far as I'm aware[0]. The first is they have an in browser implementation
which requires your GPG private key to be stored on their server, but
has it passphrase encrypted and all of the actual use of the key is
through client side browser Javascript. The second is they have a
node.js based CLI tool which runs on your personal machine and uses a
key stored locally. This actually calls out to GPG to do the crypto. The
former I think is a bad idea (because it definitely involves giving
keybase the private part of the key). The latter on the face of it
sounds acceptable (as long as there's no part of the code that is
directly manipulating the key or potentially sending it off machine) and
doesn't seem to have any greater issue than anything else that might use
a GPG installation.

With regards to my particular situation I have not used the keybase
website from any machine that also has my private GPG available to it.
This is largely a factor of the way I treat my key rather than any
special precaution I have taken around keybase. Once I get my head
around the horror of the keybase CLI client being npm tentacles and
pulling in a bunch of random stuff that I'm not sure I fully trust I
will examine that set of code to convince myself that it's not going to
leak my key anywhere and potentially try it out.

J.

[0] I may be wrong about these and welcome corrections; I have not yet
    delved into the details of the service and its implementation.

-- 
   Evil will always triumph over   |  .''`.  Debian GNU/Linux Developer
    Good, because Good is dumb.    | : :' :  Happy to accept PGP signed
                                   | `. `'   or encrypted mail - RSA
                                   |   `-    key on the keyservers.
