<div dir="ltr"><div class="gmail_default" style="font-size:small">On Tue, Sep 9, 2014 at 1:00 PM, Ruben Pollan <span dir="ltr"><<a href="mailto:meskio@sindominio.net" target="_blank">meskio@sindominio.net</a>></span> wrote:<br></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">> 2) You want to communicate with me, Tim Bray, and go looking for a key for me.<br>
> You discover that there is a directory of keys, and you can retrieve a public<br>
> key from it, and the corresponding private key has been used to sign a<br>
> time-stamped tweet from @timbray and gist from github/timbray and an assertion<br>
> at <a href="http://tbray.org" target="_blank">tbray.org</a>, and because you know who I am on Twitter and github and what my<br>
> personal domain is, and you can check the signatures, you are prepared to<br>
> believe that that public key is appropriate for communication with me.<br>
<br>
</div></div>Yes, but I don't have any way to audit twitter or github. As dkg is mentioning<br>
in his email you are putting them in the role of a CA without their consent.<br></blockquote><div><br></div><div><div class="gmail_default" style="font-size:small">The role of a CA?!? Not in the slightest. You are piggybacking on their authent system using public-facing well-documented interfaces. Confidence in key ownership isn’t absolute, it’s statistical. “Here is some evidence, you can choose whether or not to be convinced.” For my purposes, tying a key to the ownership of this sort of public-facing account is practical and useful evidence. The nice thing about the system is that you don’t have to trust the directory in the slightest, and you really only have to trust the proof statements in aggregate. </div></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">I haven’t made up my mind about the actual <a href="http://keybase.io">keybase.io</a> project yet (among other things it’s unclear what they want to be) but the directory-that-you-look-evidence-up-in-but-don’t-have-to-trust feels like the only credible new thing in key discovery I’ve seen in a loooooong time.</div></div><div class="gmail_default" style="font-size:small"></div><br>
</div></div>