[kwlug-disc] Key signing, anyone?

Hubert Chathi hubert at uhoreg.ca
Fri Nov 28 12:50:55 EST 2014


On Thu, 27 Nov 2014 16:27:06 -0500, Jeff Smith <crankyoldbugger at gmail.com> said:

> There's a new vid on Hak5 about keybase.io, which some people here are
> using.  It may be an alternative to key signing parties?  See:
> http://youtu.be/RRZiERo172k

Security-wise, I don't see much of an advantage of keybase.io over the
PGP Global Directory [1], which is one step up from the normal
keyservers in that it tries to do some sort of verification by sending
an encrypted email to you.  But of course, you could do that
verification by yourself.  And of course using either keybase.io or
keyserver.pgp.com requires that you trust those companies (and given
that pgp.com is already known to have made concessions to the NSA, its
trust is questionable).

[1] https://keyserver.pgp.com/vkd/GetWelcomeScreen.event

I'm not sure if linking/claiming social media accounts does anything for
security.  I suppose it would require that an attacker hack multiple
sources, but I think that would be approximately equivalent to putting
your key id in your email sig, and having your key id archived in
multiple email list archives.  Although not many people use email lists
any more...

So basically, IMHO, keybase.io might be sufficient for "talking to
family members"-level security, or "low-risk business" (it's certainly
better than having no encryption at all), but I wouldn't put too much
trust in it.
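The "verification by sending an encrypted email" that the post describes, and says you could do yourself, is a challenge-response: the verifier looks up a key for an address, encrypts a random nonce to it, and only accepts the key if whoever reads that mailbox can send the nonce back. The following is an added example written for this page, not code from keybase.io, the PGP Global Directory or the poster. It assumes RSA-OAEP as a stand-in for PGP encryption and models mail delivery as a direct function call to whoever actually holds the mailbox; all names are illustrative.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// oaepLabel binds the ciphertext to this purpose, so a challenge is not
// interchangeable with some other OAEP message encrypted to the same key.
var oaepLabel = []byte("keyholder-verification-v1")

// NewKey generates a 2048-bit RSA key pair standing in for a PGP key.
func NewKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Challenge is the "encrypted email": a random nonce encrypted to the
// public key the directory returned for an address. The verifier keeps
// the plaintext nonce private and only ever sends the ciphertext.
type Challenge struct {
	Ciphertext []byte
	nonce      []byte
}

// NewChallenge encrypts a fresh 32-byte nonce to the looked-up key.
func NewChallenge(lookedUp *rsa.PublicKey) (*Challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, lookedUp, nonce, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Challenge{Ciphertext: ct, nonce: nonce}, nil
}

// Respond is the mailbox owner's side: decrypt with whatever private key
// they actually hold and mail the result back.
func Respond(mailboxKey *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, mailboxKey, ciphertext, oaepLabel)
}

// Check compares the reply with the stored nonce in constant time.
func (c *Challenge) Check(reply []byte) bool {
	return subtle.ConstantTimeCompare(c.nonce, reply) == 1
}

// VerifyKeyHolder runs the whole exchange. lookedUp is the key a directory
// returned for an address; mailboxKey is the key held by the person who
// really receives mail there. It is true only when the two correspond.
func VerifyKeyHolder(lookedUp *rsa.PublicKey, mailboxKey *rsa.PrivateKey) (bool, error) {
	ch, err := NewChallenge(lookedUp)
	if err != nil {
		return false, err
	}
	reply, err := Respond(mailboxKey, ch.Ciphertext)
	if err != nil {
		// A non-matching key cannot open the challenge at all; that is a
		// failed verification, not a transport error.
		if errors.Is(err, rsa.ErrDecryption) {
			return false, nil
		}
		return false, err
	}
	return ch.Check(reply), nil
}

func main() {
	owner, err := NewKey()
	if err != nil {
		panic(err)
	}
	impostor, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Directory entry really belongs to the mailbox owner: accepted.
	ok, err := VerifyKeyHolder(&owner.PublicKey, owner)
	fmt.Println("genuine key:", ok, err)
	// Someone uploaded their own key under the owner's address. The
	// challenge lands in the owner's mailbox, which cannot open it: rejected.
	ok, err = VerifyKeyHolder(&impostor.PublicKey, owner)
	fmt.Println("impostor key:", ok, err)
}
```

What this check proves is only that one party controls both the mailbox and the private key; it says nothing about whether the directory you looked the key up in, or the mail path the challenge travelled, can be trusted, which is the poster's point about having to trust the company running the service.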
