[messaging] WhatsApp & OWS team up

John-Mark Gurney jmg at funkthat.com
Tue Nov 18 17:11:40 PST 2014

Tim Bray wrote this message on Tue, Nov 18, 2014 at 16:41 -0800:
> On Tue, Nov 18, 2014 at 3:48 PM, Tony Arcieri <bascule at gmail.com> wrote:
> > On Tue, Nov 18, 2014 at 12:29 PM, Maxwell Krohn <themax at gmail.com> wrote:
> >
> >> Storage and availability is centralized, but not trust.  Clients don???t
> >> trust the server.
> >
> >
> > This isn't true. A server is authoritative for a user's latest key
> > fingerprint. In the event of a key compromise, a user needs to update their
> > key, but a malicious key server can perform an attack by continuing to
> > serve the compromised key.
> >
> ???As the author of working client code, I???m pretty sure that this is true,
> actually.  You search Keybase and discover a public key you can download
> and associated pointers to ???proof??? assertions.  So you download the public
> key and that???s the end of your conversation with Keybase.  You go and fetch
> the posts from Twitter & GitHub & Reddit & so on and check whether those
> posts are actually signed with that key.
> Empirically, the key exists, and it is verifiable, without consulting
> keybase, that at certain points in time the corresponding private key was
> in the control  of some entity that also controlled certain
> Twitter/Reddit/GitHub accounts.

Can you always delete that proof assertion for related services? and
is it a fatal error for that proof not to be present?  i.e. prevent
someone from using a compromised key?

  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

More information about the Messaging mailing list