GitHub took a good, hard tool, git, and created a new way for its users to communicate: Pull Requests, GitHub.com repos.
Keybase is taking a good, hard tool, pgp, and creating a new way for its users to communicate: usernames, social account proofs and Keybase.io hosted pubkeys instead of keyparties and keyservers.
Keybase seems to rely on existing systems for trust anchoring (Twitter, Github...) as well as using existing cryptosystems for doing the heavy lifting (OpenPGP). If Github didn't reinvent the wheel because it's all Git, how did keybase.io reinvent the wheel by being all OpenPGP?
Except that a lot of people's first experience with Git was through Github. I would say that Git might not have been as popular without Github rather than the other way around.
Do for crypto what GitHub did for git? You mean take something that's already well-distributed and introduce a central SPOF for many people's workflows? Sure, they can do that.
And by making it more accessible bring it to a number of users that before simply went (without VCS or sharing|unencrypted)? Sure, I hope they do that.
I'm not sure I follow where THEY introduced the SPOF. Having a central repo is convenient for many people's workflow, so there would probably be a SPOF (in that sense) for the people using github anyway. The difference becomes: would you have a team dedicated to maintaining your git repos if you didn't use github?
Is your qualm with the fact that many people share the same SPOF?
Sure Github has their outages from time to time, but it doesn't prevent me from sharing code. Git is still distributed. It might be inconvenient when it is down, but it's not a full-out failure of the system.
Escalator temporarily stairs. Sorry for the convenience.
(from their front page) and Keybase.io (or my connection) happens to be compromised, won't it be possible for compromised-Keybase to send me the wrong public key for username "maria", thus allowing others to read my message?
I guess the same could be said about someone posting their GPG key on an unencrypted mail or usenet post, though, so maybe the problem is mostly hypothetical.
As you say in your post, PKSs already associate your public key with your email address as a unique identifier. But there are two points here:
1. Limiting identifiers to email addresses isn't that great a solution. Email is less popular amongst my generation (~20 y/o). It's the service backing almost every identity now, but I already have way too many email addresses which I have to check. What if I want to set up an anon identity?
2. Why, as a person on the street, would I trust pgp.mit.edu more than I trust Keybase THEN (Twitter AND a personal webpage AND whatever other services end up being supported) - it does ultimately depend on how much you trust Keybase, but not obviously so.
Looking back on it in a year or two, Keybase may end up a classic example of "worse is better", because it's easier to grasp, as you said in your post.
I'm mostly interested in the implications of not using PGP's annotations and rolling their own instead. Still looking for a technical explanation from them about it though, as this will likely be the key point for many tech-savvy people when deciding whether to use it or not (I assume).
Storing private keys in a place that you do not control is ridiculous. You are putting your trust in a service, thus making your own keys untrustworthy to yourself.
Put your public keys wherever you want. They are public. The SKS keyservers work well for this already, however.
The idea of getting crypto to the masses is laudable, but this is reinventing existing infrastructure and introducing new dangers to the system at the same time.
Please DO NOT USE keybase.io ... at least until the source is opened and we can see what they are doing.
How would opening the source help? If you're worried about their server you can't be sure of what they're running. The private key you send them, in their defense, is encrypted, and the CLI is open source.
I don't get this just like I don't get the bitcoin "hubs" or "wallets" or whatever they are.
Your crypto keys, like your bitcoins, are just small text files. They are nothing special at all and can be completely managed, and secured, on your own local systems.
There is nothing but fragility and loss down this road and people that really need security in their comms will not expose themselves to that fragility (just like smart folks probably weren't putting their bitcoins in third party "wallets").
Maybe. But just consider that GitHub popularized git among professional developers. I don't think it's the audience this initiative has to reach. Though it will certainly make crypto more accessible, I doubt that doing the analogous thing to github will give keybase the userbase that would most benefit from their services (less tech savvy people).
Why not? I haven't checked the license that Keybase publishes things under but even if it wasn't an approved open source license, how would that impact the security so long as everything was published?
The problem is that my mom does not need to use git or github or even know what they are. I would not mind it if my mom encrypted her emails though, or at least knew how. Offhand, keybase.io looks nice but is still a long way from a "mom friendly" system.
I'm a coder yet I don't understand much about encryption and certificates and signing. Keybase makes it more accessible to me. If you assume that there are many people like me (I bet there are: non-security obsessed coders, geeks, whatnot), then the existence of Keybase makes these concepts accessible to a larger crowd than before. That's a win.
I am working for Virtru, a startup building the "mom friendly" way to send encrypted email directly from your existing Gmail account (and others!). My Mom does not understand encryption at all, but has no problem using Virtru to communicate securely with some of her business co-workers.
Basically, it works like this (for example, with browser extension client):
1) the client generates a symmetric AES-256 key and uses that to encrypt the email locally
2) Gmail traffics the email to recipients normally, except the body of the email is now encrypted before it even leaves the client (the body also includes the unique id of the key, unencrypted)
3) the key is sent to a third party key store (Virtru) which controls access to the key based on identity (OAuth/OpenID)
It could be interesting to do some type of mash-up with Virtru and Keybase.io so that Virtru could automatically pull recipients' public keys and use a PGP type flow as opposed to the default of a symmetric key.
Happy to answer questions if anyone gives Virtru a try.
What we really need is an intermediary. The people who develop crypto primitives are currently too far removed from the people who develop consumer apps (obviously excepting guys like 'moxie), and (rightly or wrongly) the majority of consumer app developers don't know how or don't care about bridging the gap. A central key repository with de-centralized identity proofing like keybase would be an interesting idea if it had a good developer API (which I assume is in the works) and if good cross-platform PGP libraries existed (a bit trickier... GPG is not iOS-friendly and any lib which ignores that market is not serious about being accessible to consumers).
So, in other words, keybase could be a valuable and important step toward a "mom friendly" system, but it's a bit early to say.
I think the target userbase for Keybase is nerds who found GPG too horribly unintuitive to figure out how to use it for themselves. I know I was like that for a while.
The other target userbase is people who want to verify GPG keys that don't have a web of trust. This is useful for, say, me - I'm not part of the Debian dev team or anything, so I don't have many people around who can sign my GPG key. It's nice to be able to publish a link to Keybase on my website and have people be able to be pretty sure it's me.
Isn't that the point though? Trust is decentralized over multiple accounts that you already control. Keybase just provides an easy way to access that decentralized trust.
Github is widely used and adopted by programmers. Did it help more devs start to use git? Probably. I honestly don't know. Will keybase.io help more devs start using crypto? Maybe. We won't know for a while.
After reading the site my impression is this is just a (somewhat) fancier PGP key server. They're tackling the issue of making PGP easier for people, which I commend. Time will tell if it gets traction.
RyanZAG | 12 years ago
Keybase.io is very much rolling their own system. I think that answers the question.
masklinn | 12 years ago
It's a store (much like github) for standard PGP/GPG keys. And it provides a convenient CLI for basic tasks.
As far as I can see, it does no more rolling of its own system than Github.
suhair | 12 years ago
FiloSottile | 12 years ago
lvh | 12 years ago
rickr | 12 years ago
To me that makes it seem even more so like keybase. The core of the product is there, but the environment it's in is what makes it special.
giulianob | 12 years ago
orblivion | 12 years ago
kbar13 | 12 years ago
bashcoder | 12 years ago
notacoward | 12 years ago
FiloSottile | 12 years ago
dasil003 | 12 years ago
edit: and you think your previous account got hellbanned because of "disagreement with the herd". Open your eyes and take a look at yourself.
Tobani | 12 years ago
skrebbel | 12 years ago
irickt | 12 years ago
https://github.com/substack/cipherhub
matthewsinclair | 12 years ago
jeffbr13 | 12 years ago
caio1982 | 12 years ago
huslage | 12 years ago
corford | 12 years ago
orblivion | 12 years ago
kitd | 12 years ago
First line of the home page:
Keybase will be a public directory of publicly auditable public keys.
rsync | 12 years ago
dewey | 12 years ago
Edit1: All gone
Edit2: Coinbase just sent me some more, I sent invites to everyone who mailed me. I got 1 left now.
Edit3: They are all gone now. Thanks for playing!
bitcrusher | 12 years ago
dewey | 12 years ago
aaren | 12 years ago
stonogo | 12 years ago
rk17 | 12 years ago
davexunit | 12 years ago
orblivion | 12 years ago
oijaf888 | 12 years ago
davidw | 12 years ago
skrebbel | 12 years ago
conorgil145 | 12 years ago
https://www.virtru.com/what-is-virtru
napoleond | 12 years ago
ndeine | 12 years ago
oznathan | 12 years ago
Also, I don't like the choice of a centralized solution for a privacy problem. It could have been decentralized.
edraferi | 12 years ago
joshdance | 12 years ago
brianbarker | 12 years ago
vgrichina | 12 years ago
JulianMorrison | 12 years ago
atonse | 12 years ago
It's just like saying, I don't want to list my phone number in this phone book. Doesn't make your phone number any less valid.
oijaf888 | 12 years ago