[messaging] twitter and github as key validators [was: Re: key validation rules for today]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Sep 9 09:35:17 PDT 2014


On 09/09/2014 12:19 PM, Tony Arcieri wrote:
> On Tue, Sep 9, 2014 at 9:05 AM, Tim Bray <tbray at textuality.com> wrote:
> 
>> - If there's a publicly-accessible tweet or github gist verifiably signed
>> by the private key associated with the public key, and you're pretty sure
>> you know who controls those Twitter/github accounts.
> 
> Or: just put your key fingerprint in your Twitter/Github bio.

I'm afraid i don't understand the argument here.  What is the use case here?

 0) something is published on twitter account "foo" and i want to know
to whom to attribute authorship.

 1) i regularly communicate with "foo" on twitter, and i want to know
how to communicate with the author in other communications channels.


I think the proposed publications only (marginally) address use case
(1) above, and fail utterly at use case (0).

This fails use case (0) because it's easy enough for me to create a
twitter account and put someone else's fingerprint in the new bio, and
to republish an arbitrary signed tweet.

If this somehow establishes that tweets from "foo" are from the person
i've targeted, then framing this person is trivially easy.

it partially fails at (1) as well, mainly because you're now relying on
the administrators of twitter and github to act as certificate
authorities, which is a role that they have not signed up to do at all,
and may not even have considered.  If you think that the weakest link in
the CA cartel probably has bad internal controls, do you think they're
actually worse than those of twitter and/or github?

As a piece of corroborative evidence, considered thoughtfully, twitter
and github are surely useful.  As a mechanism for solo key validation,
it seems weak to me.

	--dkg


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140909/048eb2f4/attachment.sig>
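The framing attack dkg describes against use case (0), worked through as an added example that is not part of the thread and not anyone's production code. It assumes Ed25519 signatures rather than OpenPGP, a made-up `Fingerprint` helper (a truncated SHA-256 of the raw key, not an OpenPGP fingerprint), fixed all-0x01 seeds for determinism, and the account names "alice" and "foo" as placeholders. `NaiveValidate` is the rule as proposed upthread (any post on the account verifies under the key); `BoundValidate` goes one step beyond the thread and requires the signed text to name the account, which is the minimum needed to stop a copy-paste repost from transferring the binding.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Post models a tweet or gist: the account it appears under, its text,
// and a detached signature over that text.
type Post struct {
	Account string
	Body    string
	Sig     []byte
}

// Fingerprint is a short hex digest of the public key, the sort of string
// someone pastes into a profile bio. Constructed for this example; real
// OpenPGP fingerprints are computed differently.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// NaiveValidate is the rule proposed upthread: treat the account as bound
// to the key if a post found on it verifies under the key. It checks who
// signed the text, not who posted it.
func NaiveValidate(p Post, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, []byte(p.Body), p.Sig)
}

// BindingStatement is the text the key holder has to sign for the proof to
// carry any weight: it names the account, so the same bytes reposted on a
// different account no longer match.
func BindingStatement(account string, pub ed25519.PublicKey) string {
	return fmt.Sprintf("I control the key %s and the account @%s",
		Fingerprint(pub), account)
}

// BoundValidate accepts a post only if its signed body is the binding
// statement for the very account it was found on.
func BoundValidate(p Post, pub ed25519.PublicKey) bool {
	if p.Body != BindingStatement(p.Account, pub) {
		return false
	}
	return ed25519.Verify(pub, []byte(p.Body), p.Sig)
}

// Scenario runs the attack: Alice signs a binding statement on @alice;
// Mallory opens @foo, puts Alice's fingerprint in the bio, and republishes
// Alice's signed post byte for byte. Mallory never needs a key.
func Scenario() (naiveFramed, boundFramed, boundHonest bool) {
	// Constructed fixed seed so the run is deterministic; never do this
	// with a real key.
	alice := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	alicePub := alice.Public().(ed25519.PublicKey)

	honest := Post{Account: "alice", Body: BindingStatement("alice", alicePub)}
	honest.Sig = ed25519.Sign(alice, []byte(honest.Body))

	framed := Post{Account: "foo", Body: honest.Body, Sig: honest.Sig}

	return NaiveValidate(framed, alicePub), // true: @foo looks like Alice's
		BoundValidate(framed, alicePub), // false: statement names @alice
		BoundValidate(honest, alicePub) // true: genuine post on @alice
}

func main() {
	naive, boundFramed, boundHonest := Scenario()
	fmt.Printf("naive check accepts @foo as Alice: %v\n", naive)
	fmt.Printf("bound check accepts @foo as Alice: %v\n", boundFramed)
	fmt.Printf("bound check accepts @alice:         %v\n", boundHonest)
}
```

The bound check only removes the trivial repost; it does nothing about dkg's second objection, since whether the post on @alice really came from Alice still rests on the account controls of Twitter or GitHub, which is exactly the certificate-authority role they never signed up for.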
