[clug] Invites to keybase

Mike Carden mike.carden at gmail.com
Mon Aug 8 08:16:30 UTC 2016


A tad off-topic I know, but this discussion of public and private keys has
called to mind a thing that I have recently discovered about public keys.

If you have a github account and have uploaded any public keys there,
github makes them available to anyone via:

https://github.com/username.keys

You can get mine from https://github.com/mcarden.keys

Why is this useful? It's useful because if I am collaborating with someone
and want that person to be able to access a machine under my control, I can
just:

curl https://github.com/username.keys >> ~/.ssh/authorized_keys

... and that person can ssh into my machine seamlessly.

Or I can ask someone to do the same for me. The Internet, it works!

-- 
crash




On Mon, Aug 8, 2016 at 5:50 PM, Scott Ferguson <
scott.ferguson.clug at gmail.com> wrote:

>
>
> On 05/08/16 23:18, Ambrose Andrews wrote:
> > On 05/08/16 21:51, Scott Ferguson wrote:
> >> I also have some unused invites if anyone wants. You will need to be
> >> able to (loosely) verify your identity - with a website you own/control,
> >> or a social account e.g. twitter.
> >>
> >> If you need more information about keybase.io, there's plenty of
> >> documentation on the site. It is not recommended to use for high
> >> security encryption (your private key is under their control), but it's
> >> useful for a large number of other uses.
> >>
> >
> > You can set it up so your private key isn't under their control.
>
> Thanks for the tip!
> Though I'd investigated triplesec (I trust it to the same degree I trust
> the general use GPG key I use for keybase) I hadn't noticed that I could
> avoid pushing my private key to keybase.
>
>
> >
> > I have my public key up on the page and use local software to do any
> > decryption / signing.
> >
> > Others can still use the javascript interface to encrypt to or verify
> > from me without any compromise required on my part.
>
>
> I don't "believe" the risk is too great, though I *disagree* with
> https://blog.filippo.io/on-keybase-dot-io-and-encrypted-private-key-sharing/
> that it's the same (reversing triplesec) as reverse engineering my
> private key (not even close, by many factors).
>
> Ideally people should assign a low security rating to their keybase
> registered key pair - whether they've pushed their private key up to
> keybase or not. IMO good security requires compartmentalisation (there
> is no one-size-secures-all-solution) - if high security (long term) is
> required then a special keypair should be generated for that use. i.e.
> if someone uses my public key to contact me and wants to secure
> communication that I rate as "highly secret for the long term" I'll
> negotiate the use of a new set of keys - preferably on a non-general use
> computer.
>
> My only requirements for encryption are:- to ensure integrity;
> short-term secrecy of proprietary business information. Others may have
> different use cases.
>
>
> I still have plenty of keybase invites left if anyone else wants one.
>
> >
> >   -AA.
> >
> >
> >
>
> Kind regards
>
> --
>     A: Because we read from top to bottom, left to right.
>     Q: Why should I start my reply below the quoted text?
>
>     A: Because it messes up the order in which people normally read text.
>     Q: Why is top-posting such a bad thing?
>
>     A: The lost context.
>     Q: What makes top-posted replies harder to read than bottom-posted?
>
>     A: Yes.
>     Q: Should I trim down the quoted part of an email to which I'm reply
>
> http://www.idallen.com/topposting.html
>
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
>
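
Added example, not part of the original message: a check to run on the text fetched from the `.keys` URL before appending it to `authorized_keys`, since a plain `curl ... >>` appends whatever body comes back. It keeps only well-formed public key lines whose SHA256 fingerprint the collaborator has confirmed out of band and that are not already present; the function names and sample keys are constructed for illustration, and fetched lines are assumed to be plain `type base64` entries.

```python
import base64, hashlib

ALLOWED = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
           "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def sample_key_line(fill):
    """Constructed ed25519-shaped line (32 filler bytes, not a real key)."""
    name = b"ssh-ed25519"
    blob = len(name).to_bytes(4, "big") + name + (32).to_bytes(4, "big") + bytes([fill]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

def parse_key_line(line):
    """Return (type, base64 blob, fingerprint) for a 'type base64 [comment]' line, else None."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] not in ALLOWED:
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return None
    # The blob begins with a length-prefixed algorithm name that must match field 1.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != parts[0].encode():
        return None
    # Same form OpenSSH prints: unpadded base64 of SHA-256 over the raw blob.
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return parts[0], parts[1], fp

def vet_keys(fetched_text, authorized_text, expected_fps):
    """Split fetched lines into (accepted, rejected-with-reason)."""
    # Existing entries that carry an options prefix are not parsed here, so not deduplicated.
    present = {p[1] for p in map(parse_key_line, authorized_text.splitlines()) if p}
    accepted, rejected = [], []
    for line in filter(str.strip, fetched_text.splitlines()):
        parsed = parse_key_line(line)
        if parsed is None:
            rejected.append((line, "not a public key line"))
        elif parsed[2] not in expected_fps:
            rejected.append((line, "fingerprint not confirmed: " + parsed[2]))
        elif parsed[1] in present:
            rejected.append((line, "already authorized"))
        else:
            accepted.append(parsed[0] + " " + parsed[1])
            present.add(parsed[1])
    return accepted, rejected

if __name__ == "__main__":
    wanted = sample_key_line(1)  # constructed: the key the collaborator confirmed
    fetched = wanted + "\n" + sample_key_line(2) + "\nNot Found\n"  # constructed response body
    ok, bad = vet_keys(fetched, "", {parse_key_line(wanted)[2]})
    print("append:", ok, "\nskipped:", bad)
```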

