
Thoughts on Keybase platform? - dacodanelson
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I've been using Keybase since shortly after it was announced and a friend got me a beta key. However, when I say "using" I mean more in the sense I've had an account and follow a few friends to theoretically make sending signed/encrypted messages to them easier, not in the sense that I've actually had much success with this.

Most of this I'm sure is just because I just don't know a lot of people who use PGP/GPG and so despite going to all the trouble of having it set up on all my devices it's hardly useful other than signing all my emails and hoping someone will bother to import my public key and start encrypting our messages.

That said, I find the idea behind Keybase pretty useful and hope it catches on. Aside from linking identities on the web together and therefore making a "web identity" more ... verified? it's also great because the command-line functionality means it has a ton of potential for integrating with client-side software.

I'm curious what others think about it though. And hey, maybe just asking about it will get some more people onto the platform and approach critical mass.

Input?

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
======
Nadya
I use it entirely to offload identity verification to a 3rd party so that
people, if they care, can be certain someone who has control of my private
keys, who - with great probability - _is me_ when I say it's me and sign a
message.

I also use it to show people the basics of "why encryption" and for certain
technical security aspects as it makes it super easy to have them sign up and
play around with it. Signing messages, verifying signatures, encrypting
messages, the tradeoffs of storing your private key with Keybase (and why you
shouldn't), etc.

KBFS is also really, really, really awesome. It's a shame I haven't heard much
about it since that (seemingly?) attempt at a pivot.

------
exolymph
Signal is way easier to get normal people to use.

That said, I use Keybase to link various web identities together. (I'm not
thrilled about offloading this to a third party and would like to self-host,
which I could do manually, but it would be a hassle to set up. Or a P2P
approach, which I know is being worked on.)

I have a work associate who uses Keybase for messaging so I do that too. The
Keybase Mac app leaves a lot to be desired — its UX is definitely behind Slack
or Discord. However, relying on Keybase is probably easier and safer than
making people use GnuPG.

~~~
dacodanelson
I agree about Signal for sure, actually I love it. Double Ratchet is
especially intriguing to me as forward-secrecy is something that's often
overlooked, as well as "exploding" messages. My only problem with Signal is
that while it's nice to have a more reliably verified endpoint like a phone
number for many contacts, it can't be used for communication between random
people very easily. If I want to start an encrypted conversation with someone
online I don't have to distrust them in order to be uncomfortable sharing my
phone number with them. I get enough spam calls as it is, not to mention maybe
I don't want this other person to be able to pay $10 or whatever it costs
these days to reverse trace my number. It'd be great if there could be an
ephemeral key you could generate for your profile for each new conversation
you didn't want to have with someone that shares your phone number. That's
really my only gripe with Signal.

However, Signal also is only for one thing essentially: chat. If I want to
communicate via email or even just sign this message to verify it's me, I
can't request Signal perform a signing function and generate some output so
that others can verify I sent this precise message. Well, at least they can't
verify that someone who claims in their public key declaration to be me didn't
send this precise, unaltered message, haha.

Regarding linking identities together I agree entirely. I suppose in theory
you could add subkey identities to your public PGP identity and then push
those to keyservers. Something like
[MyProfileName]@[ServiceDomain].[ServiceDomainTLD].Service or something (where
it's not a real email address or domain) but it signifies that you're claiming
that specific username at that specific service and then manually posting a
verifiable proof publicly on that service. The only downsides there are that
revocation is ... yeah. And everyone would have to agree on a standard for how
to name identities for subkeys for services and that's honestly never going to
happen.

Keybase messaging is pretty cool, I just wish it could be run from the
terminal because I'm with you on the UI. Like chat history would still be in
the GUI for review and stuff but you could spin up "keybase chat [username]"
or something in a terminal and that just runs and lets you chat IRC style or
something.

Surprisingly though I've found that teaching people how to use GnuPG for Mac
is remarkably easy because it's well integrated with Mail and things like
that. With Time Machine people really don't even have to migrate their keys
properly. Only downside is that if someone loses their private key they'll
have no idea what to do about it and again, revocation. The upshot though is
that if they're using GnuPG you get, at the very least, signed emails and then
you're not outsourcing your identity to a third party like Keybase. I trust
Keybase more or less ultimately because I can't see any reason for them to do
anything annoying and they've got a great track record but trust is always
violable.
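
The proof scheme sketched in the comment above (a `[user]@[service].Service` label tied to a key, with a signed claim posted on that service for anyone to check) as an added example; this is not code from the thread or from Keybase. It assumes Ed25519 in place of a PGP subkey, a JSON claim body, and the constructed label `alice@example.com.Service`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// IdentityClaim is what the key holder signs and posts publicly on the service. The
// "[user]@[service.tld].Service" label is the post's idea; the JSON body and Ed25519
// (standing in for a PGP key) are this example's assumptions.
type IdentityClaim struct {
	Username string `json:"username"`
	Service  string `json:"service"`
	Key      string `json:"key"` // hex public key: the claim binds to exactly one key
}

// MakeProof parses "alice@example.com.Service", builds the claim and signs it;
// claim plus sig is what would be posted on the service.
func MakeProof(priv ed25519.PrivateKey, label string) (claim, sig []byte, err error) {
	user, rest, found := strings.Cut(label, "@")
	service := strings.TrimSuffix(rest, ".Service")
	if !found || !strings.HasSuffix(rest, ".Service") || user == "" || service == "" {
		return nil, nil, fmt.Errorf("malformed identity label %q", label)
	}
	pub := priv.Public().(ed25519.PublicKey)
	claim, _ = json.Marshal(IdentityClaim{user, service, hex.EncodeToString(pub)})
	return claim, ed25519.Sign(priv, claim), nil
}

// VerifyProof passes only if the signature checks AND the claim names this very key
// and the expected username/service, so a proof copied from another profile fails.
func VerifyProof(pub ed25519.PublicKey, claim, sig []byte, wantUser, wantService string) bool {
	var c IdentityClaim
	if !ed25519.Verify(pub, claim, sig) || json.Unmarshal(claim, &c) != nil {
		return false
	}
	return c.Key == hex.EncodeToString(pub) && c.Username == wantUser && c.Service == wantService
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	claim, sig, _ := MakeProof(priv, "alice@example.com.Service")
	fmt.Println(VerifyProof(pub, claim, sig, "alice", "example.com"))   // true
	fmt.Println(VerifyProof(pub, claim, sig, "mallory", "example.com")) // false
}
```

Revocation, which the comment flags as the hard part, is not addressed here: a verifier must still check separately that the key itself has not been revoked.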

