Thoughts on Keybase
Robert J. Hansen
rjh at sixdemonbag.org
Mon Dec 15 19:40:22 CET 2014

Keybase (https://keybase.io) is trying to solve the Web of Trust problem
in a new way. They're currently in beta, but I was able to snag an
invitation. (I have no invites to give out, unfortunately.) The
following is just a write-up on how it works and what my impressions of
it are. You may find it interesting. You may not. :)

=====

1. SO WHAT'S THE PROBLEM WITH THE WoT?

In a nutshell, "everything." In my own experience, the Web of Trust
goes pretty much completely unused. There are several reasons for this.

The first is that trust is intransitive: if Alice trusts Bob and Bob
trusts Charlene, it doesn't necessarily follow that Alice trusts
Charlene. (I like to imagine that Alice and Charlene were competing for
Bob's affections once upon a time, and that Alice still wishes Bob
wouldn't trust that hussy.[1])

The dream of the Web of Trust is that trust chains would form and Alice
would be able to trust Charlene's certificate as well as Doug's and
Elaine's and all the way on through to Xavier, Yvonne and Zenobia.
Unfortunately, it doesn't work that way. If Alice trusts Bob, that
means Alice has to trust all those people trusted by Bob... or even all
those people trusted by all those people trusted by Bob... or even all
those people trusted by all those people trusted by all those people
trusted by Bob. It gets impractical really fast.

In twenty years of using PGP and GnuPG, I've relied on the Web of Trust
a total of something like six times. It was a neat idea, but as far as
general rollout goes it's been a dismal failure.

2. OKAY, SO YOU CONFIRM EVERYTHING VIA VOICE.

Voice doesn't give us much confidence in identity. Voice allows us to
do out-of-band verification [2], but it doesn't let us confirm identity.
Most people think identity is something that gets proven by documents,
but identity is actually a lot more nebulous than that. I normally
require two forms of government-issued identity documents before I'll
sign a certificate, but I haven't seen two government-issued identity
documents from my own mother. That doesn't mean I think she's not my
mother. It means I've somewhere along the line done an identity
verification that has nothing to do with documents.

3. SO WHAT'S IDENTITY, ANYWAY?

In a phrase, identity is the name we give to continuity of agency over
time. Knowing who's responsible for something right here, now, in this
moment, is all well-and-good, but it's also kind of trivial: "the person
standing there with a smoking gun is the one who's responsible for the
body on the floor." Doesn't tell you very much, really. But knowing
that person is also "the person who bought a bagel at a delicatessen
yesterday" and "the person who's driven a Peugeot to work every day for
the last three years" and "the person who for the last several years has
lived at this address" all builds up to give us a sense of *what choices
this person has made* (agency) and *over what time frame these choices
have been made* (time).

Once we have a concept of agency over time, that by itself is an
identity. A legal name specifies an agent, but not an identity.
Identity requires history. A track record. A paper trail, as it were.

4. SO WHAT'S THE RELEVANCE TO KEYBASE?

Keybase has given up on the Web of Trust and on using official
government records to prove who people are. Instead, proofs are
established by *what you've done* (agency) and *for how long you've been
able to do it* (time).

For instance, visit this website:

https://keybase.io/rjh

You'll see a list of several "what I can do"s. Key 0xD6B98E10 has been
used to sign a tweet containing an assertion of identity: "I am Rob
Hansen, robertjhansen on Twitter." Thereby, key 0xD6B98E10 has been
bound to my Twitter social-media identity [3]. You can pull this tweet
down from Twitter's own servers and verify the statement yourself; you
don't have to take keybase's word for it. (In fact, you probably
*should* verify it for yourself.)

Likewise, I've made similar statements of identity for my GitHub account
and for a couple of web pages I run. These disparate activities
comprise a record of things I have done (agency) over a time period
(time), which is ... identity.

5. BUT YOU'RE NOT REALLY PROVING ANYTHING!

It would be pretty foolish to think my legal name was Rob Hansen based
solely on keybase, yes. Keybase makes no assertion that someone is
correctly representing their legal name. But how many of us really care
about that? The more common use case seems to be that we want to know
we're not being catfished [4]. I could be named Maurice Micklewhite and
it wouldn't change the fact that I control that Twitter account, that
GitHub account, or those webpages. If the fraction of my identity that
you care about maps well to that realm, then keybase is a pretty
effective way to verify that fraction.

6. FRACTIONS OF AN IDENTITY?

Sure. People on this list know a completely different me than my
parents do. You're the only one who knows the fullness of the choices
you've made over the course of your life: you're the only one who knows
who you truly are when the chips are down. The rest of us only ever get
to see a fraction of the true identity.

7. SO DO YOU SEE KEYBASE MAKING A BIG DIFFERENCE?

Given how miserable the WoT's adoption rate is, any improvement will be
a big difference. In its present form I don't see it as making a big
difference to the world at large, though. Right now keybase allows you
to certify your Twitter, GitHub, Reddit, CoinBase, and Hacker News
identities, as well as BitCoin addresses and any web pages you control.
For the geek cognoscenti that's great, but for the world at large it's
not going to matter half a damn until and unless keybase gets either
Google+ or Facebook on board.

8. CLOSING THOUGHTS

It's a cool idea and worth looking into. https://keybase.io. :)

[1] Americanism: "an impudent or immoral woman." Generally considered
rude, but not profane.
[2] Kind-of sort-of: most phone traffic nowadays flows over the network,
so it's actually in-band.
[3] I rarely if ever use Twitter. If you're a Twitter fiend feel free
to follow me, but don't expect much.
[4] Americanism: "identity deception."
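
Added example, not part of the original post and not Keybase's own code or proof format: a sketch of the "verify it for yourself" step from section 4, using GnuPG with a throwaway key. The key, the names exampleuser and exampleservice, the statement wording and the verify_proof helper are all constructed for illustration. The check passes only when the signature is valid, the signer is the key you expected, and the signed text names the account the statement was fetched from.

```sh
#!/bin/sh
# Added example. The key, account names and statement wording are constructed;
# this is not Keybase's real proof format.
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# Throwaway key standing in for the account owner's key.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Example User <user@example.invalid>' \
    ed25519 sign 1d 2>/dev/null
EXPECTED_FPR="$(gpg --batch --with-colons --list-keys 2>/dev/null |
    awk -F: '$1=="fpr"{print $10; exit}')"

# What the owner would post on the service: a clearsigned assertion.
PROOF="$GNUPGHOME/proof.asc"
printf 'I am exampleuser on exampleservice.\n' |
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --clearsign > "$PROOF" 2>/dev/null

# verify_proof FILE SERVICE ACCOUNT FINGERPRINT
# FILE is the statement as fetched from SERVICE's page for ACCOUNT.
verify_proof() {
    vp_dir="$(mktemp -d)" || return 1
    vp_rc=1
    # --decrypt checks the signature and writes out only the signed text,
    # so anything pasted around the signed block is ignored.
    if gpg --batch --status-file "$vp_dir/status" --output "$vp_dir/body" \
           --decrypt "$1" 2>/dev/null; then
        # Last field of VALIDSIG is the primary key fingerprint.
        vp_signer="$(awk '$2=="VALIDSIG"{print $NF; exit}' "$vp_dir/status")"
        # A valid signature is not enough: it must come from the expected
        # key, and the signed text must name this service and account.
        if [ "$vp_signer" = "$4" ] &&
           grep -qxF "I am $3 on $2." "$vp_dir/body"; then
            vp_rc=0
        fi
    fi
    rm -rf "$vp_dir"
    return "$vp_rc"
}

if verify_proof "$PROOF" exampleservice exampleuser "$EXPECTED_FPR"; then
    echo "proof accepted for exampleuser"
fi
```

The account-name comparison is what stops a genuinely signed statement from being copied onto a different account and passed off as that account's proof.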