[messaging] twitter and github as key validators [was: Re: key validation rules for today]

Tony Arcieri bascule at gmail.com
Tue Sep 9 13:09:17 PDT 2014

On Tue, Sep 9, 2014 at 9:35 AM, Daniel Kahn Gillmor <dkg at fifthhorseman.net>

>  1) i regularly communicate with "foo" on twitter, and i want to know
> how to communicate with the author in other communications channels.
> I think the proposed publications only (marginally) addresses use case
> (1)

If you have your key fingerprint published through many channels, someone
concerned with actually verifying your key fingerprint can check them all
to ensure they match. If there's a discrepancy, something is probably amiss.

Perhaps an attacker managed to compromise them all and update your key
fingerprints in all locations to confuse a victim into sending the attacker
an encrypted message. Sure, it's not a great solution. It's an OK solution,
however. Certainly better (from a security, not usability perspective) than

Short of things like Google's proposed CT-alike for E2E looking for
dishonest Key Directories, I'm not sure how you do better.

Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140909/a82fcbea/attachment.html>

More information about the Messaging mailing list