[clug] Invites to keybase

Scott Ferguson scott.ferguson.clug at gmail.com
Mon Aug 8 07:50:44 UTC 2016



On 05/08/16 23:18, Ambrose Andrews wrote:
> On 05/08/16 21:51, Scott Ferguson wrote:
>> I also have some unused invites if anyone wants. You will need to be
>> able to (loosely) verify your identity - with a website you own/control,
>> or a social account e.g. twitter.
>>
>> If you need more information about keybase.io, there's plenty of
>> documentation on the site. It is not recommended to use for high
>> security encryption (your private key is under their control), but it's
>> useful for a large number of other uses.
>>
> 
> You can set it up so your private key isn't under their control.

Thanks for the tip!
Though I'd investigated triplesec (I trust it to the same degree I trust
the general use GPG key I use for keybase) I hadn't noticed that I could
avoid pushing my private key to keybase.


> 
> I have my public key up on the page and use local software to do any
> decryption / signing.
> 
> Others can still use the javascript interface to encrypt to or verify
> from me without any compromise required on my part.


I don't "believe" the risk is too great, though I *disagree* with
https://blog.filippo.io/on-keybase-dot-io-and-encrypted-private-key-sharing/
that it's the same (reversing triplesec) as reverse engineering my
private key (not even close, by many factors).

Ideally people should assign a low security rating to their keybase
registered key pair - whether they've pushed their private key up to
keybase or not. IMO good security requires compartmentalisation (there
is no one-size-secures-all-solution) - if high security (long term) is
required then a special keypair should be generated for that use. i.e.
if someone uses my public key to contact me and wants to secure
communication that I rate as "highly secret for the long term" I'll
negotiate the use of a new set of keys - preferably on a non-general use
computer.

My only requirements for encryption are:- to ensure integrity;
short-term secrecy of proprietary business information. Others may have
different use cases.


I still have plenty of keybase invites left if anyone else wants one.

> 
>   -AA.
> 
> 
> 

Kind regards

-- 
    A: Because we read from top to bottom, left to right.
    Q: Why should I start my reply below the quoted text?

    A: Because it messes up the order in which people normally read text.
    Q: Why is top-posting such a bad thing?

    A: The lost context.
    Q: What makes top-posted replies harder to read than bottom-posted?

    A: Yes.
    Q: Should I trim down the quoted part of an email to which I'm reply

http://www.idallen.com/topposting.html


