Task: Send me a tweet on Twitter. Careful not to send it to any imposters.
Challenge: Finding me on Twitter. For example, I am not @Nadya
Extra Credit Challenge: Let's say I'm e-famous enough to have imposter accounts but not have a Twitter "verified" badge. Which Twitter account is the real me? And how do you know?
Where Keybase comes in: On my HN profile itself you can find my signatures on Keybase. Keybase is not necessary for these signatures but becomes a convenient place to look. You also do not need to trust Keybase, although in practice many people will. Don't lie to me and tell me you'd verify the keys. :)
Now you can go directly from my HN profile to my Twitter profile and tweet at me knowing that I am who I say I am. Or at least the individual posing as me has access to three of my accounts (HN, Keybase, and Twitter) and that you'd at least be talking to the same person.
The social proof and web of trust bit is where Keybase falls down but that's an inherent flaw of the web of trust (key exchange parties aren't as popular as they used to be and people will sign/trust keys of people they've never met IRL). Ultimately you'll have to trust that the people who follow me on Keybase are certain beyond a reasonable doubt that I am who I say I am. From there, you can trust the social proofs.
I personally use it so that people can find me on other services more easily and know that they are speaking to me.
The obvious question is: "Isn't that what a domain is for?"
And the answer is a lot of the New Famous don't have domains to list canonical social media profiles on. They exist solely on silos like YouTube, Twitter, Facebook, and Instagram with no way to connect to their fanbase without it.
If you have an account on N different sites, and you want to let people identify you between each of those, linking directly requires (N-1) links per profile, or N*(N-1) links total. When you create a new profile elsewhere, you need to update your profile on each of the N original sites, plus add N links in your profile at the new site.
Or you could collect all of your identities into a Keybase profile, which all of your other profiles link to. That's a lot less to manage. Plus, proving your identity at some site (usually) has the byproduct of pointing back at your Keybase profile, so even if you come at this just from a "less work for me" angle, you're getting verifiability for free.
Or you could collect all of your identities in one other central place (say your website or HN) and link to the central place from all other profiles. Because that is exactly the scenario you just mentioned. Having direct links to all other profiles isn't solved by Keybase. The only thing it provides is a central place for profile links – and there are obviously other ways to achieve this.
Sure, but if you look at how Keybase is verifying the information and how it is presenting that trust to external users, I feel that the value they are providing has increased greatly over a static page listing social network IDs.
If someone hacks your HN account they could redirect the Twitter link elsewhere. If the only 2 accounts you have are HN and Twitter then Keybase doesn't solve that problem, but if you have more accounts elsewhere that are well-known, those extra accounts then prove that the HN<->Twitter connection is valid.
If everything links to everything, that's an n^2 problem (and hard to coordinate actors to do). If everything just links to one service, that's n or 2n at most.
Also, I can write the name of any Twitter account in my HN profile. I can only link _my_ Twitter account to a Keybase account I own.
Right, but if your Twitter account links to your HN account then you've proven ownership both ways. If you don't want the n^2 problem then just have a list of all your accounts on one site and link there. Say, for example, your Mastodon account.
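As an added illustration (not posted by any commenter in this thread), the Python below models the two checks the preceding comments argue over: a one-way "I am @X" claim versus a mutual link, and how a third, independently linked account corroborates a pair even after one profile is rewritten. Every account name is a constructed placeholder.

```python
# Added example (not from the thread): profiles as a directed "links to" graph.
# Each key is a profile; its value is the set of profiles it publicly names.
# All account names are constructed placeholders, not real handles.
PROFILES = {
    "hn:alice":           {"twitter:alice_real", "keybase:alice"},
    "twitter:alice_real": {"hn:alice", "keybase:alice"},
    "keybase:alice":      {"hn:alice", "twitter:alice_real"},
    "twitter:alice_fake": {"hn:alice"},   # imposter: one-way claim only
}


def links_required(n):
    """Links to maintain for n profiles: full mesh vs. one hub everyone links to and from."""
    return {"mesh": n * (n - 1), "hub": 2 * (n - 1)}


def mutually_linked(profiles, a, b):
    """A one-way mention proves nothing; both profiles must name each other."""
    return b in profiles.get(a, set()) and a in profiles.get(b, set())


def corroborated(profiles, a, b):
    """Other profiles that are mutually linked with BOTH a and b vouch for the a<->b pair."""
    return [w for w in profiles
            if w not in (a, b)
            and mutually_linked(profiles, w, a)
            and mutually_linked(profiles, w, b)]


def verify_pair(profiles, a, b):
    """Accept a<->b only if it is mutual and at least one independent profile corroborates it."""
    return mutually_linked(profiles, a, b) and bool(corroborated(profiles, a, b))


def compromise_hn(profiles):
    """Scenario from the thread: someone controlling hn:alice repoints its Twitter link."""
    hacked = {k: set(v) for k, v in profiles.items()}
    hacked["hn:alice"] = {"twitter:alice_fake", "keybase:alice"}
    return hacked


if __name__ == "__main__":
    print(links_required(4))                                  # {'mesh': 12, 'hub': 6}
    print(verify_pair(PROFILES, "hn:alice", "twitter:alice_real"))   # True
    print(verify_pair(PROFILES, "hn:alice", "twitter:alice_fake"))   # False: one-way claim
    hacked = compromise_hn(PROFILES)
    # The rewritten HN profile now makes the fake pair look mutual ...
    print(mutually_linked(hacked, "hn:alice", "twitter:alice_fake")) # True
    # ... but no third profile links to the imposter, so the pair is still rejected.
    print(verify_pair(hacked, "hn:alice", "twitter:alice_fake"))     # False
```

The attacker who edits only the HN profile can fabricate a mutual-looking link, but cannot make the untouched third account vouch for the imposter, which is the point the comment above about "extra accounts elsewhere" is making.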
It comes with some issues, namely that I suck at keeping it up to date and that not all identities I would like to list there have a way for me to provide proof beyond my word alone. For most use cases and attack vectors I consider this sufficient enough. Now this is outside most people's threat models, but Keybase also provides some mitigation against some other scenarios.
1) If nadyanay.me becomes compromised the imposter could update /identities.html with a new and fake list and I would need to update my link everywhere it is used or I would be pointing people to the imposter list. I have more faith in both (a) Keybase is less likely to be compromised and (b) in the event Keybase has become compromised someone will notice. Nobody would notice if my personal site was compromised, as even my closest friends don't regularly browse my website. It could honestly take weeks or even months to discover the file had been changed.
2) A person who compromises my account(s) must also have access to my private key in order to sign messages in my name. This is important because even if any of my accounts is compromised they're still unable to prove they are me if asked. This is something I actively practice with a few online friends of mine. We pretty regularly lend large sums of (virtual) game cash to one another worth in the range of $10,000-$15,000 USD if RWT'd. The last thing either of us would want is an imposter asking to borrow some money in-game from them and selling it off and so anytime we ask to borrow some in-game cash we ask to see a signed message. I admit that's the primary reason behind most of my signed messages...
3) Any attempts at creating a new key will allow users to see that my key has been revoked and replaced. Users who had signed my old key would need to re-verify with me that my new key is valid. Social engineering and people's casual use cases means the imposter would just claim to be me and most people would believe them. Few would bother verifying but it at least provides an additional opportunity for the imposter to be outed.
I think their goal is to do everything (or a large subset of things) Slack/Google Drive/GitHub can do, but with end-to-end encryption and easy discovery (look someone up no matter where on the internet you know them from).
The remote git repo feature is nice. But from what I understand, the primary use is to serve as proof of identity. They have other products like a chat app for individual or team use, file storage, PGP operations, and more. All e2e encrypted.
I trust them* more than Slack. So I use it to send credentials to fellow developers as well as files that I want to share with specific individuals.
*Maybe I shouldn't trust them more than Slack? But I know from experience with pen testers that a password in Slack causes all kinds of problems.
Do you have a PGP key? No, because it's a hassle. With Keybase it isn't anymore. You can sign stuff and encrypt stuff without telling people to install obscure software anymore.