And #Keybase sold itself to this company. 🤦♂️
@TheFuzzStone glad I'm not using either #zoom or #keybase
@yarmo, As I provide escrow services for the Russian/Ukrainian part of the #crypto community, there are many scammers who pretend to be me in order to steal money from people, so I always encourage everyone to request a #PGP signature for some message to make sure it's me. 99.999% of people don't want to deal with PGP, install additional software, import my PGP key, etc.
In this case people need only to copy-paste my signed message here and press "Verify" button:
@TheFuzzStone can we not put a verify button on our own website? Or would that be not trustworthy? I understand the advantage of keybase being easy for verification. But pgp existed before keybase, surely there must be other ways to achieve what they did.
There certainly is OpenPGP.js, so all that can now be done fully client-side; the problem is the web-of-trust. If you aren't 100% sure the page is genuine and the PGP key used to verify is genuine, you can't really be sure. This is a very complex problem if you consider all real-world factors, so not only technical but also usability and the human factor...
I guess the technical challenge for the attacker here would be to recreate the social graph on Keybase. Everyone follows everyone there, so effectively you have a centralized web-of-trust. Not sure how this differs in the user interface though, so whether a message signed by the real thefizzstone (many followers) would be marked differently from message signed by theflzzstone :)
@yarmo, They have a pretty good thing - you lose a device and you don't have a "paper" private key to your account (or access from other linked devices) - your account will stay dead forever. You can't reset your password. (see the screenshot)
You can do it - go to keybase.io, select 'login', and then 'forgot password', and then enter my nickname, which is 'thefuzzst0ne'.
@TheFuzzStone keybase's account management system is extremely tight and I like that about it. I could never use your specific account to fool anyone. But it's just an account. You can't stop me from making a different 'thefuzst0ne' account, giving it my own private key and going around proclaiming this account is real.
I have yarmo.eu. One could register yarmo.net and say that officially belongs to my being. I couldn't do anything about it.
Everything we do online is repeatable
@yarmo, true.
@yarmo, Yeah, you're right, I can't stop you from pretending to be me, creating a legitimate account at Keybase ('thefuzst0ne'), stealing my avatar, etc. - it's all aimed at careless people.
@kravietz @TheFuzzStone the social graph is the one big advantage that keybase has. But does one actually use it to verify? Or, why not make ten accounts which all verify each other, make your own little social network?
Obviously, there's no true solution. For every advantage, there's a counter "but what if you do X". I need to think more about this