[messaging] twitter and github as key validators [was: Re: key validation rules for today]
Tao Effect
contact at taoeffect.com
Tue Sep 9 14:14:38 PDT 2014
On Sep 9, 2014, at 2:09 PM, Tao Effect <contact at taoeffect.com> wrote:
> The lookup would proceed to those services, to which the keys are not pinned, so the scope widens a bit again, just enough to include the Five Eyes, the host companies themselves (twitter and github), and anyone who hacked them.
[..]
> - For maybe <1%, it could provide false answers.
Oops, correction: if keybase pins their cert (and it's not compromised), then it would be able to detect false answers from twitter and github (even if they were compromised).
The downside of a centralized service, however, is that it then becomes a single point of failure, and the incentive for malicious entities to attack it becomes greater.
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140909/ea533bad/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140909/ea533bad/attachment.sig>
More information about the Messaging
mailing list