2014-03-24

Public key crypto

I recently received an invite for keybase.io. For those of you who haven't looked into it, it boils down to a public repository of public keys attached to certain geeky identities (GitHub and Twitter, for now). It's a new way to build a web of trust.

Where keybase.io shines

It is easy (relatively speaking) to install the tools and create your identity. It's easy (again, relatively speaking) to verify your identity on the two public sites that they've picked for verification. The UI is much prettier than the open keyservers that we already had. For example, keyserver.ubuntu.com is obviously written by geeks, for geeks, as is pgp.mit.edu.

It's easy enough to invite your friends (if you have invites, that is) and publicly track them.

The most important piece that Keybase brings to the table is some minimal verification. With the public keyservers, you generate a key attached to an email address, then upload it to a keyserver. There's nothing that verifies that you actually own that address. With Keybase you've got a key attached to an email address and to a Twitter account and a GitHub account.

Where keybase.io fails

Unfortunately, this is a longer list.

It is relatively easy to install, but it is far from easy. It requires command line access and Node installed, which is far from trivial for non-geeks.

They don't really tell you what tracking means. When you track someone, you're saying that you vouch for their identity. There are plenty of people that I "know" on Twitter that I've never met in real life. They may or may not be who I think they are.

They encourage you to upload your private key to their server. You should never give your private key out to anyone, no matter how much you may trust them. They make a big deal about how they encrypt it and never see it, but you're expected to just trust them. They seem on the level, but for all that I know they're nothing more than a front for the NSA to get your private keys.

Once you've connected with others and verified their identity, what then? For most people, cryptography is another step in the way of communicating with people. I doubt Keybase will convince many people to start encrypting their communications. Hopefully it will at least convince people to start signing their git commits. But without a plugin for Gmail and Outlook, I doubt many people will even be bothered to sign their emails, much less encrypt them.

While it's easy enough to connect to people you know once you find them, it's not particularly easy to find them in the first place. This might be just because it is still in alpha. Hopefully they'll allow you to search your Twitter friends. Seems like an oversight since Twitter is one of the ways to verify your identity.

Overall thoughts

I doubt Keybase will ever fully replace the existing public key infrastructure. It's pretty easy to verify identities on Keybase, but there's not much value-add beyond a prettier front end to the existing solutions. I hope there's a lot more to come as it leaves alpha.

That being said, I really hope that it takes off in a big way. Our email may be sent in the clear and stored in the clear. It was never really designed to avoid being read by third parties. Hopefully recent disclosures about the NSA make people realize that their communications are not safe. If just one more person protects their communications from spying, Keybase will have been a success in my eyes.

2 comments:

  1. I agree with your assessments. The one thing that would make Keybase suddenly be far more useful would be if they would publish themselves as public keyservers, like all the existing servers, so that it is possible for existing tooling to use it.

  2. Exactly! The verification that Keybase adds is useful, but we've already got a bunch of tools in place.