[messaging] WhatsApp & OWS team up
jmg at funkthat.com
Tue Nov 18 17:11:40 PST 2014
Tim Bray wrote this message on Tue, Nov 18, 2014 at 16:41 -0800:
> On Tue, Nov 18, 2014 at 3:48 PM, Tony Arcieri <bascule at gmail.com> wrote:
> > On Tue, Nov 18, 2014 at 12:29 PM, Maxwell Krohn <themax at gmail.com> wrote:
> >> Storage and availability is centralized, but not trust. Clients don???t
> >> trust the server.
> > This isn't true. A server is authoritative for a user's latest key
> > fingerprint. In the event of a key compromise, a user needs to update their
> > key, but a malicious key server can perform an attack by continuing to
> > serve the compromised key.
> ???As the author of working client code, I???m pretty sure that this is true,
> actually. You search Keybase and discover a public key you can download
> and associated pointers to ???proof??? assertions. So you download the public
> key and that???s the end of your conversation with Keybase. You go and fetch
> the posts from Twitter & GitHub & Reddit & so on and check whether those
> posts are actually signed with that key.
> Empirically, the key exists, and it is verifiable, without consulting
> keybase, that at certain points in time the corresponding private key was
> in the control of some entity that also controlled certain
> Twitter/Reddit/GitHub accounts.
Can you always delete that proof assertion for related services? and
is it a fatal error for that proof not to be present? i.e. prevent
someone from using a compromised key?
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
More information about the Messaging