[messaging] key validation rules for today

zaki at manian.org zaki at manian.org
Tue Sep 9 09:33:16 PDT 2014


Keybase uses tweets and Gists instead of bios because they are timestamped,
unlike bios.

Linking in social media identities has the nice property of both inheriting
reputation for an identity from the social network and making MITM attacks
more difficult.

Keybase's client uses these machine-readable certifications and a
human-in-the-loop judgement if the social media key certifications are out of
sync with the key server. Mostly this is the case because the user failed to
complete a certification properly.

An MITM attacker would need to compromise a target's Keybase account and a
target's social media accounts to effectively MITM a user using Keybase.

On Tue, Sep 9, 2014 at 9:19 AM, Tony Arcieri <bascule at gmail.com> wrote:

> On Tue, Sep 9, 2014 at 9:05 AM, Tim Bray <tbray at textuality.com> wrote:
>
>> - If there's a publicly-accessible tweet or GitHub gist verifiably signed
>> by the private key associated with the public key, and you’re pretty sure
>> you know who controls those Twitter/GitHub accounts.
>>
>
> Or: just put your key fingerprint in your Twitter/GitHub bio.
>
> --
> Tony Arcieri
>
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
>
>