[messaging] Looking up public keys on public sites (was Re: Keybase Chat)

[Trevor Perrin]

On Fri, Feb 10, 2017 at 11:49 AM, Jack O'Connor <oconnor663 at gmail.com> wrote:
>>   (1) Keybase runs a server, so I ask the server to point me at
>> Alice's latest tweet
>
> Yes. That saves clients from having to do discovery work, and also
> gives us some options if e.g. Twitter changes something about their
> URLs.


Makes sense.  On the other hand, the discovery work for finding a
pinned Tweet with special text (or a specially-named gist, or a
well-known URL on a website) seems manageable.

And if publishing public-key info like this becomes successful you
would hope sites explicitly support it (e.g. like Facebook for PGP),
so discovery becomes easier over time.

Maybe all 3rd-party sites can't provide "statement present" and "most
recent statement" guarantees, but for sites that can, the Keybase
client could provide stronger assurances.


> By asserting her entire sigchain in each identity proof, rather than
> just one of her public keys, Alice can have many different keys on her
> account without needing 3rd party proofs for each of them. She can
> also completely rotate her set of keys, without updating any of her
> public proofs.

Note sure I follow.

If the "identity proof" was just a public key fingerprint, Alice could
still use that key to sign other public keys, right, and publish those
signatures to Keybase?

Keybase wants Alice to have different public keys for different
devices, and to evolve her active set of public keys by signing new
ones (and signing revocations about old ones, I guess?), and also to
sign bindings for 3rd-party usernames (Twitter handles, etc).

I'm wondering whether all that could be built on top of a simple
mechanism that just published some public-key fingerprint to a site?

For example, if it was a convention for Alice to pin a tweet: "Here is
latest my public key info for <application>:
<public_key_fingerprint>", would that give you everything you need?


Trevor