[kwlug-disc] Key signing, anyone?

Joe Wennechuk youcanreachmehere at hotmail.com
Fri Nov 28 15:45:41 EST 2014


I watched the video; they seemed to say that if you use them (keybase.io) to generate your key, they have access to the private key? Did I miss something?
Sent from my ALCATEL ONE TOUCH 5020T

Hubert Chathi <hubert at uhoreg.ca> wrote:

On Thu, 27 Nov 2014 16:27:06 -0500, Jeff Smith <crankyoldbugger at gmail.com> said:

> There's a new vid on Hak5 about keybase.io, which some people here are
> using.  It may be an alternative to key signing parties?  See:
> http://youtu.be/RRZiERo172k

Security-wise, I don't see much of an advantage of keybase.io over the
PGP Global Directory [1], which is one step up from the normal
keyservers in that it tries to do some sort of verification by sending
an encrypted email to you.  But of course, you could do that
verification by yourself.  And of course using either keybase.io or
keyserver.pgp.com requires that you trust those companies (and given
that pgp.com is already known to have made concessions to the NSA, its
trust is questionable).

[1] https://keyserver.pgp.com/vkd/GetWelcomeScreen.event

I'm not sure if linking/claiming social media accounts does anything for
security.  I suppose it would require that an attacker hack multiple
sources, but I think that would be approximately equivalent to putting
your key id in your email sig, and having your key id archived in
multiple email list archives.  Although not many people use email lists
any more...

So basically, IMHO, keybase.io might be sufficient for "talking to
family members"-level security, or "low-risk business" (it's certainly
better than having no encryption at all), but I wouldn't put too much
trust in it.


_______________________________________________
kwlug-disc mailing list
kwlug-disc at kwlug.org
http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org




