[messaging] WhatsApp & OWS team up

Maxwell Krohn themax at gmail.com
Tue Nov 18 12:29:19 PST 2014


> On Nov 18, 2014, at 3:01 PM, Tao Effect <contact at taoeffect.com> wrote:
> 
>> ​And I will, as seems to be *my* role here, ​recommend checking out keybase.io, which you can use without trusting, and provides what smells to me like extremely practical probabilistic key<=>person mapping confidence.
> 
> Keybase is about as good as you can get with a centralized system.

Storage and availability are centralized, but not trust. Clients don’t trust the server.
And we write server state to the Bitcoin blockchain every 6 hours so the server can’t
maliciously rollback (https://keybase.io/docs/server_security/merkle_root_in_bitcoin_blockchain).

> However, it creates a system that ends up being not very user friendly (especially when it comes to replacing lost or stolen keys). It's also a central point of failure.

Usability in the case of lost keys is ugly in almost any system I can think of. Our current
plan is that if you lose your key, just delete your proofs and start all over. We do
need better UX for that and everything else, of course. And we’re working on per-device
keys for our next release.

Keybase need not be a central point of read failures, since our API and public data are wide-open
to mirrors. The biggest lock-in of Keybase is a centrally-managed namespace, but we’re hoping
this is a worthwhile trade-off to achieve greater adoption.

> And, for whatever reason, they replace everyone's personal email with their own @keybase.io email address, so your emails all go through their servers. As a centralized platform, I won't be surprised to see more of these walled-garden lock-in type things.

There are three cases. If you show up with your own PGP key, you can either push it to the server
unmodified; or if you trust our client, you can add a you at keybase.io email address to your PGP
key. If you don’t have your own key, we generate one with you at keybase.io. Our goal
here is to prevent spammers from harvesting email addresses. We’re not 100% sure this is
the right decision, but it seems like the polite one, and one that we can revisit in the
future.

Let me add my congrats to the TextSecure team, awesome news.

BTW, if anyone wants to hack on Keybase, we have plans for a new application
and a new release of all client software.  We’re still a very small operation (2 of us)
and self-funded, but we’re looking to expand aggressively in the coming months.
E-mail me for more info and we can discuss off-list.
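
The rollback protection mentioned in this message (server state periodically written to the Bitcoin blockchain), modeled as an added example that is not part of the original message and is not Keybase's code. The leaf format, the sequence numbers, the Merkle construction and the `anchors` mapping (standing in for roots a client reads back from the external ledger) are all assumptions made for illustration.

```python
import hashlib

def h(data):
    return hashlib.sha256(data).digest()

def merkle_root(leaves):
    """Hex root over sorted (user, sigchain-tail) pairs; an odd node is promoted."""
    level = [h(b"\x00" + f"{u}:{t}".encode()) for u, t in sorted(leaves.items())]
    if not level:
        return h(b"").hex()
    while len(level) > 1:
        nxt = [h(b"\x01" + level[i] + level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0].hex()

class Client:
    """Checks roots offered by an untrusted server against externally anchored roots."""
    def __init__(self, anchors):
        self.anchors = anchors   # seqno -> root, as read from the external ledger
        self.seen_seqno = 0      # newest seqno this client has accepted

    def check(self, seqno, root):
        # Older than what we accepted, or older than the newest anchor: rollback.
        if seqno < self.seen_seqno or seqno < max(self.anchors, default=0):
            return "rollback"
        # Same seqno as an anchor but a different root: the server is equivocating.
        if seqno in self.anchors and self.anchors[seqno] != root:
            return "fork"
        self.seen_seqno = seqno
        return "ok"

def demo():
    v1 = {"alice": "tail-a1", "bob": "tail-b1"}   # constructed sample state
    v2 = {"alice": "tail-a2", "bob": "tail-b1"}   # alice's chain advanced
    v3 = {**v2, "carol": "tail-c1"}               # newer than any anchor
    client = Client({1: merkle_root(v1), 2: merkle_root(v2)})
    return [
        client.check(1, merkle_root(v1)),  # stale state served to a fresh client
        client.check(2, merkle_root(v1)),  # old root relabelled with a new seqno
        client.check(2, merkle_root(v2)),  # matches the anchor
        client.check(3, merkle_root(v3)),  # not anchored yet, accepted on seqno alone
        client.check(2, merkle_root(v2)),  # older than what this client already saw
    ]
```

In this model, a client with no prior state can only detect rollback to a point before the newest anchor, so the anchoring interval bounds how far back the server could take such a client unnoticed.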
