On 06/24/2014 08:28 AM, Cathal Garvey wrote:
> Wait, do you *have* to keep your private keys in keybase? I thought it was mostly pubkey operations?
> I'm much more skeptical if they keep private keys, that's dark stuff. Imagine how many private keys are protected with terrible
> passwords, and what damage you could do to the WOT if you could just quietly crack enough keys in the WOT and use them to sign
> a fraudulent cert?

You don't HAVE to, but they give this possibility. You can (if you want) store your private key in Keybase. They ask you to cypher
your private key locally and send it to Keybase's servers. If you don't store your private key in their databases, you are unable to
use some online services they offer, like signing documents. You will only be able to do that using their NodeJS tool. But your
point is my point. I believe serious security professionals or people that understand the importance of cryptography, first, won't
send their private keys to Keybase and, second, if they do, they will use a strong password. We never must forget

But we know average people use very weak passwords and only one password for everything. So, as I said, a little bit of paranoia
is good, and this "feature" makes me believe a little less in Keybase, unfortunately. The main idea is pretty good and I have been trying
to implement this culture in Brazil for a long time, but I usually say that ordinary people don't like computers: they like Skype,
Facebook, Instagram... So, people don't care about privacy. If the same people see that movie about Assange, or read his book, or
see the latest news about privacy and Google and start to learn about cryptography, they will store private keys with lame
passwords, and we'll have this fraudulent cert risk.

In my opinion, nothing will replace a good key signature party, anyway.

-- 
| dc
