[messaging] twitter and github as key validators [was: Re: key validation rules for today]
bascule at gmail.com
Tue Sep 9 13:09:17 PDT 2014
On Tue, Sep 9, 2014 at 9:35 AM, Daniel Kahn Gillmor <dkg at fifthhorseman.net>
> 1) i regularly communicate with "foo" on twitter, and i want to know
> how to communicate with the author in other communications channels.
> I think the proposed publications only (marginally) addresses use case
If you have your key fingerprint published through many channels, someone
concerned with actually verifying your key fingerprint can check them all
to ensure they match. If there's a discrepancy, something is probably amiss.
Perhaps an attacker managed to compromise them all and update your key
fingerprints in all locations to confuse a victim into sending the attacker
an encrypted message. Sure, it's not a great solution. It's an OK solution,
however. Certainly better (from a security, not usability perspective) than
Short of things like Google's proposed CT-alike for E2E looking for
dishonest Key Directories, I'm not sure how you do better.
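
The cross-channel check described above, as an added example that is not part of the original message: it normalizes the fingerprint text copied from each channel and treats any disagreement as a discrepancy. The channel names and fingerprints are constructed sample data, and the 40-hex-digit (OpenPGP v4) fingerprint format is an assumption.

```python
import re
from collections import defaultdict

def normalize(text):
    """Return a 40-hex-digit uppercase fingerprint (assumed OpenPGP v4), or None."""
    s = re.sub(r"[\s:]", "", text)          # drop spacing and colon separators
    if s.lower().startswith("0x"):
        s = s[2:]
    return s.upper() if re.fullmatch(r"[0-9A-Fa-f]{40}", s) else None

def compare_channels(published):
    """published maps channel name -> fingerprint text as displayed there.

    Returns (status, groups, unusable):
      "match"        every usable channel shows the same fingerprint
      "mismatch"     at least two different fingerprints were seen
      "insufficient" fewer than two usable channels, nothing to compare
    A "match" only shows the channels agree; an attacker who controls
    every channel would also produce a match.
    """
    groups = defaultdict(list)
    unusable = []
    for channel, text in sorted(published.items()):
        fpr = normalize(text)
        if fpr is None:
            unusable.append(channel)        # key IDs or truncated strings
        else:
            groups[fpr].append(channel)
    usable = sum(len(chans) for chans in groups.values())
    if usable < 2:
        status = "insufficient"
    elif len(groups) == 1:
        status = "match"
    else:
        status = "mismatch"                 # no majority vote: any split is a warning
    return status, dict(groups), unusable

# Constructed sample data, not real keys or accounts.
SAMPLE = {
    "twitter-bio": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567",
    "github-profile": "0x0123456789abcdef0123456789abcdef01234567",
    "keyserver": "0123456789ABCDEF0123456789ABCDEF0123456F",
    "email-sig": "89ABCDEF01234567",        # long key ID only, not a fingerprint
}

if __name__ == "__main__":
    status, groups, unusable = compare_channels(SAMPLE)
    print(status, groups, unusable)
```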