[messaging] Looking up public keys on public sites (was Re: Keybase Chat)

Trevor Perrin trevp at trevp.net
Wed Feb 22 13:08:17 PST 2017


On Tue, Feb 14, 2017 at 10:31 AM, Jack O'Connor <oconnor663 at gmail.com> wrote:
>> If the "identity proof" was just a public key fingerprint, Alice could
>> still use that key to sign other public keys, right, and publish those
>> signatures to Keybase?
>
> Yes that could work. I guess on the Keybase side things might be
> exactly the same, a chain of signed statements that include all the
> same associated data. The main difference would be that the 3rd party
> proof wouldn't be explicitly bound to those statements, but instead
> could be usable with any such chain (maybe across entirely different
> apps) that included signatures by the right private key.
>
> The main downside I can think of is the attack I mentioned above,
> where Bob steals Alice's key and uses it to make it look like his
> Keybase account owns her Facebook account, without actually needing to
> compromise anything on the Facebook side.


You could include the Keybase username into the fingerprint hash, but
maybe having it in the published statement (tweet, post, etc) makes
lookups easier?

If that's the case, maybe the Keybase tweet format is a good general
format, since it can publish a triple (application, identifier, hash)
=

"Verifying myself: I am <identifier> on <application>. <hash>"

An (identifier, hash) pair would let you lookup and authenticate any
blob of data (a raw public key; a set of public keys; proofs;
usernames; etc).


> I'm curious whether you're thinking about some kind of open standard
> for key assertions across apps?

Vaguely.  It might be interesting if someone could figure out how to
publish statements about latest keys across popular social sites, in a
generic / discoverable way that doesn't require extra infrastructure.
But not sure I'm motivated enough to research this myself.

Trevor


More information about the Messaging mailing list