
Yes to DNS, though we have to be careful here since DNS can be spoofed more easily than github or twitter proofs over https. I was thinking a slightly better way to prove ownership of foo.com would be to post a proof at https://foo.com/_keybase (or something similar). To spoof this, an attacker would have to spoof DNS and also the https certificate.

Authenticating a self-signed domain certificate via keybase is a neat idea, but would probably need some browser support, unless there's a clever hack that I'm not thinking of.



Have you heard of PKA? https://grepular.com/Publishing_PGP_Keys_in_the_DNS

If you want to encrypt a message to my key, just run the following command:

  gpg --auto-key-locate pka -ea -r mike.cardwell@grepular.com
It will automatically look up my PGP key in the DNS, fetch it, and encrypt to it. My DNS is secured using DNSSEC so if your resolver supports DNSSEC, you can be reasonably sure that the response is trustable.

  mike@glue:~$ dig +short txt mike.cardwell._pka.grepular.com
  "v=pka1\;fpr=35BCAF1D3AA21F843DC3B0CF70A5F5120018461F\;uri=http://grepular.com/0018461F.pub.asc"
  mike@glue:~$
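The lookup described in the comment above, as an added example that is neither the commenter's code nor GnuPG's: it derives the `_pka` owner name from an address, parses the `v=pka1` TXT record (the record literal is copied from the dig output above, including dig's `\;` escaping), and applies the two checks that make the scheme meaningful: the fingerprint of whatever key is fetched from `uri` must equal the `fpr` published in DNS, and the TXT answer itself must have been DNSSEC-validated. The resolver's AD flag and the "fetched" fingerprints are simulated inputs, and the function names are this example's own. Note that GnuPG 2.3 and later no longer offer the `pka` auto-key-locate mechanism (WKD and DANE replaced it), so the command in the comment only works on older releases.

```python
"""Added example: the checks behind a PKA (v=pka1) key lookup.

Constructed inputs: PKA_TXT is the TXT record shown in the dig output above;
the DNSSEC flag and 'fetched' fingerprints passed to evaluate_pka() are
simulated, since this runs offline.
"""
import re
from typing import Dict

# dig renders ';' inside a TXT string as '\;' and wraps the string in quotes.
PKA_TXT = r'"v=pka1\;fpr=35BCAF1D3AA21F843DC3B0CF70A5F5120018461F\;uri=http://grepular.com/0018461F.pub.asc"'

FPR_RE = re.compile(r"[0-9A-F]{40}")  # OpenPGP v4 fingerprint: 20 bytes as hex


def pka_owner_name(email: str) -> str:
    """DNS name queried for a PKA record: <local-part>._pka.<domain>."""
    local, at, domain = email.rpartition("@")
    if not (local and at and domain):
        raise ValueError(f"not an e-mail address: {email!r}")
    return f"{local}._pka.{domain}"


def normalise_fpr(fpr: str) -> str:
    """Strip the spaces gpg prints inside fingerprints and upper-case the hex."""
    return fpr.replace(" ", "").upper()


def parse_pka_txt(txt: str) -> Dict[str, str]:
    """Parse a v=pka1 TXT record (raw RDATA or dig's quoted rendering)."""
    body = txt.strip().strip('"').replace(r"\;", ";")
    fields: Dict[str, str] = {}
    for part in body.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "pka1":
        raise ValueError("unsupported PKA version")
    fpr = normalise_fpr(fields.get("fpr", ""))
    if not FPR_RE.fullmatch(fpr):
        raise ValueError("fpr must be a 40-hex-digit OpenPGP fingerprint")
    fields["fpr"] = fpr
    if not fields.get("uri"):
        raise ValueError("record carries no uri to fetch the key from")
    return fields


def evaluate_pka(txt: str, dnssec_validated: bool, fetched_fpr: str) -> str:
    """Decide whether a key fetched via PKA may be encrypted to.

    dnssec_validated: whether the resolver set the AD flag on the TXT answer
                      (simulated here; a real client reads it from the reply).
    fetched_fpr:      fingerprint of the key actually downloaded from 'uri'.
    Returns 'trusted', 'unvalidated-dns' or 'fingerprint-mismatch'.
    """
    record = parse_pka_txt(txt)
    # The fingerprint in DNS is what binds the key; the URI is only a download
    # hint. Whoever controls that web host could serve a different key, so a
    # mismatch is fatal regardless of how the DNS answer was obtained.
    if normalise_fpr(fetched_fpr) != record["fpr"]:
        return "fingerprint-mismatch"
    # Without DNSSEC validation the TXT answer itself could be spoofed, which
    # is the commenter's caveat: PKA is only as strong as the DNS answer.
    if not dnssec_validated:
        return "unvalidated-dns"
    return "trusted"


if __name__ == "__main__":
    print(pka_owner_name("mike.cardwell@grepular.com"))
    print(parse_pka_txt(PKA_TXT))
    # Fingerprint formatted the way 'gpg --fingerprint' prints it.
    print(evaluate_pka(PKA_TXT, True,
                       "35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F"))
```

A real client would query `pka_owner_name(addr)` for TXT, keep the AD flag from the response, fetch `uri`, import the key into a scratch keyring and feed its fingerprint to `evaluate_pka`; only a `trusted` result should reach the encryption step.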


Well, if an attacker is successfully spoofing DNS, she can spoof MX records, thus getting emails for the domain, which is the only precondition for acquiring a certificate. You're obviously adding more complexity, but security-wise it doesn't change much.


Agreed.


Not with DNSSEC, and the second part is covered by DANE.
