Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: keybase.io

From: Nick Boyce <nick.boyce () gmail com>
Date: Mon, 23 Jun 2014 00:55:23 +0100
On 20 June 2014 21:22, Rikairchy <blakcshadow () gmail com> wrote:


I have a few questions regarding this website.


It's an interesting-sounding idea, with the stated goal of encouraging
greater use of OpenPGP by "ordinary" folks who commonly find GPG too
"difficult" to use.


There is an option to create as well as upload your
private key ... but I was under the impression
that the private key was the last thing you should
part with. Why would a website focused on providing
security allow users to upload their private keys?


As you say .... this is the bit that most readers are finding
mystifying, horrifying, and alarming.  Why would you do that, and why
would they want you to do that ?!?

There was a discussion about it earlier this year (April) on the
debian-project list, which you might find informative :
https://lists.debian.org/debian-project/2014/04/msg00001.html

It linked to this blog post which is also an interesting read :
http://blog.lrdesign.com/2014/03/thoughts-on-keybase-io/

One possibly relevant point to emerge from that post is that the
keybase.io developers are some of the developers of the dating website
OkCupid.com, which is mildly infamous for (AFAIK) refusing to
implement SSL protection for its users in the wake of the release of
FireSheep et al.

Cheers,
Nick
-- 
Never FDISK after midnight

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: