[messaging] twitter and github as key validators [was: Re: key validation rules for today]

Tao Effect contact at taoeffect.com
Tue Sep 9 14:14:38 PDT 2014

On Sep 9, 2014, at 2:09 PM, Tao Effect <contact at taoeffect.com> wrote:
> The lookup would proceed to those services, to which the keys are not pinned, so the scope widens a bit again, just enough to include the Five Eyes, the host companies themselves (twitter and github), and anyone who hacked them.
> - For maybe <1%, it could provide false answers.

Oops, correction: if keybase pins their cert (and it's not compromised), then it would be able to detect false answers from twitter and github (even if they were compromised).

The downside of a centralized service, however, is that it then becomes a single point of failure, and the incentive for malicious entities to attack it becomes greater.

Please do not email me anything that you are not comfortable also sharing with the NSA.
