[messaging] Looking up public keys on public sites (was Re: Keybase Chat)

Natanael natanael.l at gmail.com
Thu Feb 9 22:44:15 PST 2017


On 10 Feb 2017 00:48, "Trevor Perrin" <trevp at trevp.net> wrote:


> Issue (4) seems somewhat a result of Keybase's decision on issue (3).
> I.e. if you just published a public-key fingerprint instead of
> signatures, then size would be less of an issue and you'd have compact
> statements that were easier to fit into Tweets, profile text, etc.
>
> That would not prevent Alice from publishing someone else's
> fingerprints, which is perhaps an "unknown key share" or "identity
> misbinding" situation.  I wonder how much of a problem that really is
> here, though, and whether it's worth the complexities that this adds?


Keybase enables username lookups across these 3rd-party sites. I can share
a file to your Twitter username on KBFS and they'll tell me your specified
key to encrypt to.

Under one's Keybase profile they also list all accounts with published
proofs.

Without reliable binding using signatures, this means that somebody can
spoof another Keybase user from their 3rd-party site accounts, get people
to remember the wrong username, and then change the keys on the fake
accounts and have people send messages to the wrong person.
All because people saw a Twitter post appearing to belong to the Reddit
user they might trust, as an example.
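The two designs being compared above (publishing a bare fingerprint versus a signed proof that names both the key and the account), as an added example that is not part of the original message and not Keybase's own code or proof format. It assumes a simplified proof statement, an Ed25519 key, a hex SHA-256 of the public key as a stand-in for a fingerprint, and constructed keys from fixed seeds. It walks through Natanael's attack: Mallory posts Alice's fingerprint under her own handle, gets remembered as Alice, then swaps the key; the same moves against a signed-proof directory fail because Mallory cannot sign with Alice's key and a copied proof names the wrong handle.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Fingerprint stands in for a PGP-style fingerprint: hex SHA-256 of the raw
// public key (a simplification for this example, not Keybase's format).
func Fingerprint(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(pk)
	return hex.EncodeToString(sum[:])
}

// Proof is a self-signed statement "the holder of PubKey controls Site:Handle".
type Proof struct {
	Site, Handle string
	PubKey       ed25519.PublicKey
	Sig          []byte
}

// proofMessage is the exact byte string the key signs. It names both the key
// and the account, so the statement cannot be moved to a different account.
func proofMessage(site, handle string, pk ed25519.PublicKey) []byte {
	return []byte("proof v0\nsite=" + site + "\nhandle=" + handle + "\nkey=" + Fingerprint(pk) + "\n")
}

func MakeProof(site, handle string, sk ed25519.PrivateKey) Proof {
	pk := sk.Public().(ed25519.PublicKey)
	return Proof{site, handle, pk, ed25519.Sign(sk, proofMessage(site, handle, pk))}
}

// VerifyProof accepts a proof only if it names the account it was found under
// and carries a valid signature from the very key it claims.
func VerifyProof(p Proof, foundSite, foundHandle string) bool {
	if p.Site != foundSite || p.Handle != foundHandle || len(p.PubKey) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(p.PubKey, proofMessage(p.Site, p.Handle, p.PubKey), p.Sig)
}

// FingerprintDirectory models "just publish a fingerprint": any account can
// post any string, and a lookup returns whatever was posted, unchecked.
type FingerprintDirectory map[string]string

func (d FingerprintDirectory) Post(site, handle, fp string) { d[site+":"+handle] = fp }
func (d FingerprintDirectory) Lookup(site, handle string) (string, bool) {
	fp, ok := d[site+":"+handle]
	return fp, ok
}

// ProofDirectory models signed proofs: a lookup verifies before answering.
type ProofDirectory map[string]Proof

func (d ProofDirectory) Post(site, handle string, p Proof) { d[site+":"+handle] = p }
func (d ProofDirectory) Lookup(site, handle string) (string, bool) {
	p, ok := d[site+":"+handle]
	if !ok || !VerifyProof(p, site, handle) {
		return "", false
	}
	return Fingerprint(p.PubKey), true
}

// Outcome records what each design lets Mallory do.
type Outcome struct {
	FPMisbinding      bool // twitter:mallory resolves to Alice's key
	FPSwapSucceeds    bool // ...and later, silently, to Mallory's key
	CopiedProofOK     bool // Alice's proof reposted under Mallory's handle accepted?
	ForgedProofOK     bool // Mallory-signed proof naming Alice's key accepted?
	MalloryOwnProofOK bool // Mallory can still bind a key she actually holds
}

func RunScenario() Outcome {
	// Constructed test keys from fixed seeds so the run is reproducible.
	aliceSK := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	mallorySK := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	alicePK := aliceSK.Public().(ed25519.PublicKey)
	malloryPK := mallorySK.Public().(ed25519.PublicKey)
	var o Outcome

	// Design A: fingerprints only. Mallory posts Alice's fingerprint under her
	// own handle; anyone looking it up "learns" that Alice is @mallory.
	fd := FingerprintDirectory{}
	fd.Post("twitter", "alice", Fingerprint(alicePK))
	fd.Post("twitter", "mallory", Fingerprint(alicePK))
	fp, _ := fd.Lookup("twitter", "mallory")
	o.FPMisbinding = fp == Fingerprint(alicePK)
	// Later Mallory swaps in her own key; people who remembered @mallory now encrypt to her.
	fd.Post("twitter", "mallory", Fingerprint(malloryPK))
	fp, _ = fd.Lookup("twitter", "mallory")
	o.FPSwapSucceeds = fp == Fingerprint(malloryPK)

	// Design B: signed proofs. Copying Alice's proof fails on the handle binding,
	// and a forged proof naming Alice's key fails signature verification.
	pd := ProofDirectory{}
	pd.Post("twitter", "alice", MakeProof("twitter", "alice", aliceSK))
	pd.Post("twitter", "mallory", MakeProof("twitter", "alice", aliceSK))
	_, o.CopiedProofOK = pd.Lookup("twitter", "mallory")
	forgedSig := ed25519.Sign(mallorySK, proofMessage("twitter", "mallory", alicePK))
	pd.Post("twitter", "mallory", Proof{"twitter", "mallory", alicePK, forgedSig})
	_, o.ForgedProofOK = pd.Lookup("twitter", "mallory")
	// Mallory can only ever bind a key she holds, which does not match Alice's known one.
	pd.Post("twitter", "mallory", MakeProof("twitter", "mallory", mallorySK))
	fp, ok := pd.Lookup("twitter", "mallory")
	o.MalloryOwnProofOK = ok && fp == Fingerprint(malloryPK) && fp != Fingerprint(alicePK)
	return o
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The point the signed design buys is in VerifyProof: the signed bytes include the handle, so a proof is only valid under the account it names, and the signature is checked against the key the proof itself claims, so nobody can bind a key they do not hold. A client that already knows Alice's fingerprint and sees @mallory resolving to a different, verified key has a clean mismatch to act on; under the fingerprint-only directory it would have had nothing to compare against.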