Keybase.io(tbray.org)
tbray.org
Keybase.io
https://www.tbray.org/ongoing/When/201x/2014/03/19/Keybase
116 comments
What I think that they get very right is tying keys to social identity, as these networks function much better as a web of trust than the original PGP version. But I don't know why I can't shake the feeling that this is not a trustworthy service.
One really nice aspect of keybase is that it can be used at a number of different levels that suit one's own flavor of paranoia. You can use it as a key repository, just grabbing people’s keys and using your own PGP/GnuPG apparatus for signing. Or you can use their (much more pleasant) CLI and see their social identity tracking data. Or you can use their web UI just for client-side encryption/verification (also without uploading your key anywhere). Finally, the bold can upload their keys and use the web UI for the whole shebang, including decrypting/signing.
I think paranoia is warranted in this day and age, and I think one of the best outlets for paranoia is for people to try and educate themselves about privacy technology. Keybase is a great opportunity for that, since all of the most sensitive operations happen client-side via open source software.
I think paranoia is warranted in this day and age, and I think one of the best outlets for paranoia is for people to try and educate themselves about privacy technology. Keybase is a great opportunity for that, since all of the most sensitive operations happen client-side via open source software.
Someone could serve a Javascript encrypter-decrypter app from IPFS so it would be certainly the same whenever you accessed it with the same URL.
Love the service.
I've invited few friends (from the IT industry) and nobody ever joined. I guess there aren't so much paranoid/gpg-aware people.
So I have 10 invites to give. Let me know.
I've invited few friends (from the IT industry) and nobody ever joined. I guess there aren't so much paranoid/gpg-aware people.
So I have 10 invites to give. Let me know.
Hey I'd really like an invite!
[hello (at) arthurcolle.com] if you have any more :)
[hello (at) arthurcolle.com] if you have any more :)
This comment demonstrates everything that is disappointing about GPG. Went to a Defcon London meetup recently and there was only about 10 people in the room who actively used it (out of over 100)
Same for me, invited some selected friends who I thought could use it, but even those who signed up, never really finish setting up.
On the other hand did find some interesting new contacts there.
Have 4 invites if people still need!
On the other hand did find some interesting new contacts there.
Have 4 invites if people still need!
Could I have one, please? Thanks in advance
Sure, have 1 left, what's your email?
I wouldn't mind taking an invite of your hands, if you like. :) My email is [email protected].
I'd love to give it a go if you have invites left.
[email protected]
[email protected]
I also have some invites. Let me know if you want one!
I know I'm late to the party, but I'd love a keybase.io invite if you still have any. My email is in my profile.
I'd like one :) [email protected]
[deleted](1)
Any chance I can get one? [email protected]
[deleted]
Same with me.
I'd like one please :).
You rule. Thank you.
I have four^Wtwo invites available, if anyone's interested. Message me via email. FIFO and all that.
Edit: invites are gone. Try emailing the project leaders for some.
Edit: invites are gone. Try emailing the project leaders for some.
They're also very prompt and responding to fixing bugs. E.g. https://shkspr.mobi/blog/2014/12/disclosed-minor-bug-in-keyb...
Excellent service which makes determining keys much easier.
Excellent service which makes determining keys much easier.
Oh cool - thanks for linking to that. I actually think the Github discussion that followed on Express was a good example of how people can actually collaborate well on software. In this case it just led to resolving a misunderstanding on my part: https://github.com/strongloop/express/issues/2464
At the bottom you can see I tipped some BTC. I recommend everyone should have a little balance of cryptocurrency to throw out thank yous to project managers who take the time to explain usage. It's worth a lot to you, so you should give some back.
At the bottom you can see I tipped some BTC. I recommend everyone should have a little balance of cryptocurrency to throw out thank yous to project managers who take the time to explain usage. It's worth a lot to you, so you should give some back.
I have 8 invites, let me know if you want one (see my profile). I would be extra happy if you could send me a lobste.rs invite :).
Edit: it turns out that my wife also has 8, so I'll forward once mine are gone.
Edit 2: my lobste.rs wish is fulfilled, thanks! We still have some invites left.
Edit: it turns out that my wife also has 8, so I'll forward once mine are gone.
Edit 2: my lobste.rs wish is fulfilled, thanks! We still have some invites left.
Ooh, also have invites if anyone wants them. Hadn't heard of lobste.rs, but seems cool if I could get an invite there in return, as well :)
If you have anymore left, I would appreciate one: rahool @ tuto.io . Thank you!
I have 10 and will also trade for a lobste.rs invite :)
(keybase proof and link to my social stuff in my profile)
(keybase proof and link to my social stuff in my profile)
I have lobsters - check your inbox. :D
Ditto.
I've got 8 invites available. If you have a lobste.rs invite, I'd appreciate one but I'm happy to give the invites away besides.
https://keybase.io/bbrown
https://keybase.io/bbrown
[deleted]
[deleted]
6 first-come, first served invitations.
I love the idea of Keybase and wish more people were using it. While it's not a replacement for keysigning parties, it's a nice probabilistic model for casual security.
I love the idea of Keybase and wish more people were using it. While it's not a replacement for keysigning parties, it's a nice probabilistic model for casual security.
If you run out of invites for HN folks, email me. (I'm https://keybase.io/chris).
We're working pretty hard on Keybase. For the last year it was just 2 of us (me and https://keybase.io/max) , but some amazing people just joined the cause and we're building a much better service. Our Go client, for example, is almost on feature parity with the old Node reference client, and we've started working on a nice OSX GUI.
A lot has been written about PGP and its shortcomings, and we agree with pretty much all the points: client integration problems, usability, the WoT just sucking, key management, revocations. So far at Keybase we've attacking one of the most important problems with PKI in general, not just PGP: getting the right key for someone. But it's really only one piece.
I don't want to (yet!) give away too much of what we hope to launch later this year, but there's nothing about Keybase that's specific to PGP. Or chat - which people seem to get hung up on. We think we're in a very good position to release open source software that makes people's lives more secure and more convenient. Everything from financial transactions, chats, and releasing public software should be easy with a PKI. It's just not working yet.
We're working pretty hard on Keybase. For the last year it was just 2 of us (me and https://keybase.io/max) , but some amazing people just joined the cause and we're building a much better service. Our Go client, for example, is almost on feature parity with the old Node reference client, and we've started working on a nice OSX GUI.
A lot has been written about PGP and its shortcomings, and we agree with pretty much all the points: client integration problems, usability, the WoT just sucking, key management, revocations. So far at Keybase we've attacking one of the most important problems with PKI in general, not just PGP: getting the right key for someone. But it's really only one piece.
I don't want to (yet!) give away too much of what we hope to launch later this year, but there's nothing about Keybase that's specific to PGP. Or chat - which people seem to get hung up on. We think we're in a very good position to release open source software that makes people's lives more secure and more convenient. Everything from financial transactions, chats, and releasing public software should be easy with a PKI. It's just not working yet.
If I may use this as a way to publicly suggest some features that I would love to see:
- Client should support looking at my existing trust.db. I already have a number of signatures I collected pre-keybase, and I have verified a bunch of identities. I'd like to use these, and in fact be able to tell keybase.io that I have more than just social web proof that these are who they say they are.
- Ability to use email addresses instead of just keybase names when referring to users.
- Autocomplete when typing handles/emails on the client's command line. Using the Node client currently without this feature.
- When I tried to encrypt a file using keybase recently, it gave me an obscure error (#100) instead of telling me that I was logged out.
- encrypt should not silently create a new file by default. It should not overwrite an existing file either. Do `keybase encrypt [email protected] foo.txt` twice, and have foo.txt.acs overwritten the second time. Instead by default it should output to stdout, and let you specify a file as an optional argument.
- Lastly, and this is way outside the scope of what keybase currently does, I'd love a built-in tool for exchanging encrypted files. Currently, I use chunk.io + curl + gpg to do this:
Thanks so much for the great work you are doing!
- Client should support looking at my existing trust.db. I already have a number of signatures I collected pre-keybase, and I have verified a bunch of identities. I'd like to use these, and in fact be able to tell keybase.io that I have more than just social web proof that these are who they say they are.
- Ability to use email addresses instead of just keybase names when referring to users.
- Autocomplete when typing handles/emails on the client's command line. Using the Node client currently without this feature.
- When I tried to encrypt a file using keybase recently, it gave me an obscure error (#100) instead of telling me that I was logged out.
- encrypt should not silently create a new file by default. It should not overwrite an existing file either. Do `keybase encrypt [email protected] foo.txt` twice, and have foo.txt.acs overwritten the second time. Instead by default it should output to stdout, and let you specify a file as an optional argument.
- Lastly, and this is way outside the scope of what keybase currently does, I'd love a built-in tool for exchanging encrypted files. Currently, I use chunk.io + curl + gpg to do this:
function send-encrypted() {
gpg -o - -aer "$2" "$1" | curl -T - http://chunk.io
}
I am not suggesting that you guys host any type of file sharing tool, but perhaps integration with a service like chunk.io or similar would be nice. Otherwise, the process of sharing a secret (say a file with API keys, etc.) with a co-worker is to encrypt the file, then email it, which is annoying.Thanks so much for the great work you are doing!
Thanks for the great work!
I think keybase.io will be an important part of solving public key cryptography usability, given that more of my friends are on keybase.io than there were ever on the PGP keyservers.
I think keybase.io will be an important part of solving public key cryptography usability, given that more of my friends are on keybase.io than there were ever on the PGP keyservers.
Is your Go client released yet? I would love to try the cli but wasn't stoked about needing to compile node on my laptop just to try the cli.
I would love an invite. Please help
I'd like to give it a spin, if you haven't run out yet. Contact info on my profile.
EDIT: Received and accepted. Thanks!
EDIT: Received and accepted. Thanks!
My thoughts are that with the implementation of data retention laws in Australia the ultra paranoid arena of PGP is becoming of greater relevance to the average citizen and so a simple, easily implemented, non-centralised, publicly identifiable crypto for everyday comms may become not only viable, but sought after - http://blog.lrdesign.com/2014/03/thoughts-on-keybase-io/
I will invite people to lobste.rs. Because of their rules (you misbehave, I have to bear the consequences) I will not just invite anyone, but only people I can find on the net and can be reasonable sure are not assholes.
So write me a mail with some information about yourself (have a look at my profile for the address) and if you don't look like a total dick I'll send you an invite.
I do have three keybase.io invites as well.
So write me a mail with some information about yourself (have a look at my profile for the address) and if you don't look like a total dick I'll send you an invite.
I do have three keybase.io invites as well.
What is your email? I'm not seeing it on your profile.
Sorry, looks like it isn't public.
[email protected]
How can a web service encrypt your plaintext unless they have your private key?
Edit: ah you up an encrypted private key. I guess it gets decrypted live in your browser, without touching their network, if you trust keybase.io's JS. Whether you do indeed trust keybase IO's JS (it's OSS, yaay, is your browser running exactly what's on GitHub though?) is another matter.
Edit: ah you up an encrypted private key. I guess it gets decrypted live in your browser, without touching their network, if you trust keybase.io's JS. Whether you do indeed trust keybase IO's JS (it's OSS, yaay, is your browser running exactly what's on GitHub though?) is another matter.
You don't have to give them your private key -- it's just for convenience, if you happen to trust Keybase.
You don't have to run it in the browser, either; you can just install the command-line tool via NPM and know exactly what code you're running.
You don't have to run it in the browser, either; you can just install the command-line tool via NPM and know exactly what code you're running.
Previous discussions about keybase.io: https://hn.algolia.com/?query=keybase&sort=byPopularity&pref...
This is from 2014 and should be marked as such.
I have 8 invites to give out for those that want it!
Been on Keybase for a while and love it. Used it with a few coworkers.
Been on Keybase for a while and love it. Used it with a few coworkers.
I'm interested in chat client capacity implemented on top of something like keybase.io. Anyone?
I remember reading somewhere that PGP is not suited for realtime web chats. Can't explain precisely why or cite sources, though.
It's because asymmetric cryptography is very inefficient, so most protocols just use asymmetric public/private keys to send a symmetric key (AES, etc) to the recipient, so further communications can happen over the much more efficient symmetric keys.
That and PGP, AFAIK, also doesn't really do perfect forward secrecy. If you get the private key, you can decrypt all stored messages.
That said, you provide the answer: use PGP's asymmetric encryption to establish a session key, then use that to communicate.
That said, you provide the answer: use PGP's asymmetric encryption to establish a session key, then use that to communicate.
That's actually how PGP works too - it generates a random symmetric key, encrypts the message with it, then encrypts that key with the recipient's public key and both message and encrypted symmetric key are sent.
http://en.m.wikipedia.org/wiki/Pretty_Good_Privacy#/media/Fi...
http://en.m.wikipedia.org/wiki/Pretty_Good_Privacy#/media/Fi...
Have some invites as well, shoot me an email if you want some.
Late to the story, but I have 8 invites if anyone wants them.
I'd be really grateful for one if you still have any up for grabs. My email address is in my profile.
Thanks in advance
I have couple of invites. Let me know if I can help someone.
Another one with 8 invites. Send me a mail if you want one.
Just tweeted to you. Interested!
I have a few invites, again asking for a lobste.rs invite.
I have some invites, if someone's interested.
6 invites here. Email in profile.
9 invites available
If these are still available, could I get one?
ETA: Disregard this post.