
New Cryptographic Tools on Keybase - tosh
https://keybase.io/blog/crypto
======
Reisen
I use Keybase as a daily driver and I really love the platform, but almost
every other chat client I use when switching from Keybase feels butter smooth
in comparison. These tools look like a great addition, and the Stellar
integration is something I think has a lot of potential if it ends up being
able to manage other wallets as well.

I just really wish more love would go into the UX of the application. I have
duplicate undeletable conversations with contacts, duplicate folders in KBFS
that I cannot delete or access which cause I/O errors in tools that do full
system scans. I keep running into errors in the UI with obscure error codes
that I keep reporting to no avail. There are currently ~3,292 open issues on
Github at the time of writing so it's difficult to track what the team is
focusing on.

Everything feels just a little too janky.

Still, I don't believe there is any other decent alternative to Keybase that
offers the same identity based mechanism for communication, and Keybase
absolutely nails that. I can message half the users on HN with very little
friction. People can encrypt and send me documents without registering with a
single page view. A bit of polish and I think Keybase could shine, but right
now it's hard to suggest as a Slack alternative.

~~~
insomniacity
I'm with you. I feel like Keybase are the only people actually innovating on
"usable cryptography", except maybe Signal?

Just needs a bit more polish.

~~~
WorldMaker
Polish and a better sense that their long term business model makes the most
sense for the sort of infrastructural platform they want to be. Cryptography
infrastructure seems like something that should be delegated to something much
more like a 501(c)3 than a for-profit corporation.

~~~
rch
I'll settle for a for profit corporation that guarantees that I don't have to
trust them... Not sure that's Keybase, but I'm curious.

------
malgorithms
As an example of the magic referred to in the post, here's some encrypted text
that could be read by `pg` here on HackerNews:
[https://pastebin.com/raw/bxRaymaB](https://pastebin.com/raw/bxRaymaB) . As
explained in the article, the unlocking step trusts HackerNews at one step in
the process.

P.S. I'm the blog post author. BEGIN KEYBASE SALTPACK SIGNED MESSAGE. [signed
message body omitted] END KEYBASE SALTPACK SIGNED MESSAGE.

~~~
bloopernova
Should I, a random Keybase user, be able to read that saltpack signed message
in your comment? (I can't, I'm assuming that's correct)

EDIT: sorry, my bad, I was using Decrypt instead of Verify.

------
Meph504
To be honest, as neat as it sounds, I could very easily see this being banned
from a lot of platforms. It's disruptive to any community to have some parts of
the messaging being inaccessible on that platform. Keybase's own terms of
service require their users to use their services in accordance with the
law, so that puts a growing number of countries where these messages will be
impossible to ever access.

And from an archive standpoint, in 20 years, no one is going to appreciate
walls of text encrypted on a system that may no longer exist.

I'm not saying that I don't approve of the tools, or the concept, but I think
the implementation and this envisioned usage are off.

I don't think I would have launched this without an accompanying browser
plugin that could handle the decryption and verification in place, but even
that only solves half the problem.

~~~
nickik
A plugin exists I think

------
FullyFunctional
Looks like I’m alone in my sentiments; Keybase is my favorite messaging app.
#1 reason is that it has the best cross platform behavior I’ve seen (but I need
a RISC-V version). However every feature addition fills me with angst that
it’ll add more unwanted bloat.

------
bloopernova
I wish Keybase had a couple of extra features:

Ability to use it as an SSO authority. You could grant certain access to new
employees, who have already proven their identity in Keybase. Imagine having
your own identity that can be given roles by multiple organizations.

Ability for Bitwarden to use Keybase as its store.

A way to store your homedir in Keybase's filesystem.

A way to use Keybase as a development space. Imagine Alice gets a job at
Corporation X. She's given the "programmer" role. That automatically makes
Docker images, Jenkins access, Artifactory access, Git repos, other relevant
software, all through KBFS. You could even use KBFS as the store for Jenkins
and Artifactory. As Keybase already has PGP/GPG support built in, signing
commits in Git would also work smoothly.

(I really like Keybase, I just hope it can continue to grow, fix bugs, and add
features)

~~~
nickik
The SSO thing really needs to happen. It's perfect for it.

There was already research done on this by a third party. And they showed that
it works but didn't open anything up as far as I know.

------
dependenttypes
I would not trust any tools made by keybase after triplesec. See
[https://news.ycombinator.com/item?id=9655245](https://news.ycombinator.com/item?id=9655245)
and
[https://news.ycombinator.com/item?id=6420739](https://news.ycombinator.com/item?id=6420739)

> However, if she joins Keybase and proves her Twitter account

Seems like something that can easily be abused by keybase.

~~~
tristador
> When she someday establishes keys, and cryptographically proves her Twitter
> account, the Keybase servers will ping my apps and ask for me to make
> available the decryption key to her. My app will check the signed statement
> from myself, check her tweet, make sure the proof is valid, and then send
> the decryption keys to her, encrypted for her device keys.

> Keybase is not a trusted man-in-the-middle here, and no one else has keys.
> The only weak link here is Twitter: my assertion is like this, in English:
> “once someone who owns the @billieeilish Twitter account publicly proves a
> Keybase connection, I'll unlock it.” If Twitter gives that account to
> someone else or takes control of it, I'll be trusting Twitter's answer.
> @billieeilish is not yet a human. She's a Twitter account.

That seems decent at first pass. Keybase could maliciously not notify about
her joining keybase, but everything after that seems like it follows a
cryptographic path.

Is your concern that their code is improperly implemented (which seems the
concern cited for triplesec)? I'm not seeing the abuse risk. Any pointers?
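
The unlock flow quoted above, as an added toy model in Go that is not part of this thread or of Keybase's own code: the public artifact is encrypted under a fresh message key, that key never leaves the sender's app, and it is handed out only boxed to the claimant's device key once the claimant's handle matches. The names (Lock, Unlock, seal, boxKey, provenHandle) are mine; AES-GCM with static X25519 and SHA-256 as KDF stands in for saltpack rather than reproducing its format, and provenHandle is assumed to be the result of checking the claimant's Twitter proof, the one step the post says has to be trusted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// seal/open: AES-256-GCM with a random 12-byte nonce prefixed to the ciphertext.
func seal(key, data []byte) []byte {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return g.Seal(nonce, nonce, data, nil)
}
func open(key, box []byte) ([]byte, error) {
	if len(box) < 12 { return nil, errors.New("box too short") }
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	return g.Open(nil, box[:12], box[12:], nil)
}
// boxKey: pairwise X25519 secret hashed to an AES key (a NaCl-box style stand-in for saltpack).
func boxKey(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) []byte {
	shared, _ := priv.ECDH(pub) // only fails for a key from another curve
	k := sha256.Sum256(shared)
	return k[:]
}
// Lock encrypts msg under a fresh key; the ciphertext may be posted publicly. The key stays in the
// returned release func (the sender's app) and is boxed to a claimant's device key only if provenHandle matches.
func Lock(dev *ecdh.PrivateKey, handle string, msg []byte) ([]byte, func(string, *ecdh.PublicKey) ([]byte, error)) {
	key := make([]byte, 32)
	rand.Read(key)
	return seal(key, msg), func(provenHandle string, device *ecdh.PublicKey) ([]byte, error) {
		if provenHandle != handle {
			return nil, errors.New("proof is for a different account")
		}
		return seal(boxKey(dev, device), key), nil // the relaying server only ever sees this box
	}
}
// Unlock runs on the recipient's device: open the boxed key, then the message.
func Unlock(device *ecdh.PrivateKey, sender *ecdh.PublicKey, boxed, locked []byte) ([]byte, error) {
	key, err := open(boxKey(device, sender), boxed)
	if err != nil {
		return nil, err
	}
	return open(key, locked)
}
```

A second device that did not prove the handle gets nothing, and a device with the wrong key cannot open the box even if it intercepts it from the relay.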

------
fourstar
I think Keybase is a bit ahead of its time.

------
dmerrick
BEGIN KEYBASE SALTPACK ENCRYPTED MESSAGE. [encrypted message body omitted] END
KEYBASE SALTPACK ENCRYPTED MESSAGE.

