
Re: keybase.io



On Sat, Apr 05, 2014 at 12:57:50AM +0100, Jonathan McDowell wrote:
> 2 separate points to make here (as well as the general point Russ and
> Paul have followed up with about what do we trust in general running on
> the same machine as your GPG key).

Sorry, I wrote that from my phone. My point was this attack vector
(nonfree code running on the same machine as your OpenPGP key) taken to
its absolute extreme (wine, dropboxd) is still *not* grounds for
automated removal from the keyring.

Furthermore, the way *I* set up Keybase was to run the GnuPG commands
they requested (clearsigning and decrypting), since they looked safe and
sane, and paste the results back in a form.

> Firstly, there are 2 parts to the client side code from keybase.io, as
> far as I'm aware[0]. The first is they have an in browser implementation
> which requires your GPG private key to be stored on their server, but
> has it passphrase encrypted and all of the actual use of the key is
> through client side browser Javascript. The second is they have a
> node.js based CLI tool which runs on your personal machine and uses a
> key stored locally. This actually calls out to GPG to do the crypto.

Thirdly, you can run raw (sane and short) GnuPG commands by hand in the
terminal, pasting results back.

> The
> former I think is a bad idea (because it definitely involves giving
> keybase the private part of the key). The latter on the face of it
> sounds acceptable (as long as there's no part of the code that is
> directly manipulating the key or potentially sending it off machine) and
> doesn't seem to have any greater issue than anything else that might use
> a GPG installation.
> 
> With regards to my particular situation I have not used the keybase
> website from any machine that also has my private GPG available to it.

I have, and I seriously doubt my key has been taken.

> This is largely a factor of the way I treat my key rather than any
> special precaution I have taken around keybase. Once I get my head
> around the horror of the keybase CLI client being npm tentacles and
> pulling in a bunch of random stuff that I'm not sure I fully trust I
> will examine that set of code to convince myself that it's not going to
> leak my key anywhere and potentially try it out.

Aye. That half is Freely licensed, I believe.

https://github.com/keybase/node-client


Audits welcome, I'd very much like to be able to trust it.


Cheers,
  Paul


-- 
 .''`.  Paul Tagliamonte <paultag@debian.org>  |   Proud Debian Developer
: :'  : 4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
`. `'`  http://people.debian.org/~paultag
 `-     http://people.debian.org/~paultag/conduct-statement.txt

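The hand-run approach Paul describes above (run a short clearsign and a short decrypt yourself, paste the output into the site's form, never let third-party client code near the key), as an added example that is not part of the original message and not Keybase's own client code. It assumes GnuPG 2.1 or later, builds a throwaway key in a temporary GNUPGHOME so it can be run on any machine, and constructs its own proof text and challenge; the real site supplies both. The `is_sane_gpg_command` allowlist is a hypothetical helper for the "looked safe and sane" check, not anything Keybase ships.

```shell
#!/bin/sh
# Manual Keybase-style proof without third-party code touching the key:
# run two short, inspectable GnuPG commands yourself (clearsign the proof
# statement, decrypt the challenge) and paste the output into the web form.
#
# Added example, not Keybase's own code nor the original post's. Assumes
# GnuPG 2.1 or later (for %no-protection). The proof text, the challenge
# and the demo identity are constructed here; the real site supplies them.
set -eu

# Throwaway keyring so this can be run anywhere without touching your own
# key. For a real proof, drop these three lines and use your own key id.
GNUPGHOME=$(mktemp -d); export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'rm -rf "$GNUPGHOME"' EXIT

KEY_UID='Example User <example@example.org>'   # constructed demo identity

# Step 0 (demo only): an unprotected key so nothing prompts for a passphrase.
make_demo_key() {
    gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Example User
Name-Email: example@example.org
Expire-Date: 0
%commit
EOF
}

# Step 1: clearsign the statement the site shows you. Output is what you paste.
sign_proof() {    # $1 = file holding the statement
    gpg --batch --quiet --armor --clearsign --local-user "$KEY_UID" \
        --output - "$1"
}

# Step 2: before pasting, verify the signed text is what you meant to sign.
verify_proof() {  # $1 = clearsigned file; exit 0 on a good signature
    gpg --batch --quiet --verify "$1" 2>/dev/null
}

# Step 3: decrypt the challenge the site encrypted to your public key.
decrypt_challenge() {  # $1 = armored challenge file; prints the plaintext
    gpg --batch --quiet --decrypt "$1" 2>/dev/null
}

# Hypothetical sanity check for a command line a site asks you to run: accept
# only a bare gpg invocation with signing/decrypting flags, no shell
# metacharacters and nothing touching secret material. Deliberately narrow.
is_sane_gpg_command() {   # $1 = the whole command line; returns 0 if OK
    case "$1" in
        *'|'*|*';'*|*'&'*|*'`'*|*'$('*|*'>'*|*'<'*) return 1 ;;
    esac
    set -f; set -- $1; set +f        # word-split without glob expansion
    [ "${1:-}" = gpg ] || return 1
    shift
    [ $# -gt 0 ] || return 1         # a bare "gpg" is not a proof step
    for w in "$@"; do
        case "$w" in
            --export-secret*|--delete-secret*) return 1 ;;   # explicit deny
            --clearsign|--detach-sign|--sign|-s|--verify|--decrypt|-d) ;;
            --armor|-a|--batch|--quiet|-q|--output|-o|--local-user|-u) ;;
            --recipient|-r) ;;
            -) ;;                    # stdin/stdout marker
            -*) return 1 ;;          # any other option: look it up first
            *) ;;                    # filenames and key ids
        esac
    done
    return 0
}

# Demo driver: ties the steps together and prints the decrypted challenge.
run_demo() {
    make_demo_key
    printf 'I am example on keybase.io (constructed proof text)\n' \
        >"$GNUPGHOME/proof.txt"
    sign_proof "$GNUPGHOME/proof.txt" >"$GNUPGHOME/proof.asc"
    verify_proof "$GNUPGHOME/proof.asc"
    # The site would encrypt a challenge to your public key; constructed here.
    printf 'challenge-token-12345\n' | gpg --batch --quiet --armor --encrypt \
        --recipient "$KEY_UID" --output "$GNUPGHOME/challenge.asc"
    decrypt_challenge "$GNUPGHOME/challenge.asc"
}

# Run the demo only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--demo" ]; then
    run_demo
fi
```

Run it as `sh proof.sh --demo`; the last line printed is the decrypted challenge token, which is exactly what you would paste back. The allowlist rejects a user id containing `<` or `>`, so pass `-u` a key id or fingerprint rather than a full name when checking a command this way; that is a deliberate trade-off for keeping the metacharacter check simple.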