Thoughts on Keybase

Melvin Carvalho melvincarvalho at
Sat Jan 3 06:52:31 CET 2015

On 15 December 2014 at 19:40, Robert J. Hansen <rjh at> wrote:

> Keybase ( is trying to solve the Web of Trust problem
> in a new way.  They're currently in beta, but I was able to snag an
> invitation.  (I have no invites to give out, unfortunately.)  The following
> is just a write-up on how it works and what my impressions of it are.  You
> may find it interesting.  You may not.  :)
> =====
> In a nutshell, "everything."  In my own experience, the Web of Trust goes
> pretty much completely unused.  There are several reasons for this.  The
> first is that trust is intransitive: if Alice trusts Bob and Bob trusts
> Charlene, it doesn't necessarily follow that Alice trusts Charlene.  (I
> like to imagine that Alice and Charlene were competing for Bob's affections
> once upon a time, and that Alice still wishes Bob wouldn't trust that
> hussy.[1])
> The dream of the Web of Trust is that trust chains would form and Alice
> would be able to trust Charlene's certificate as well as Doug's and
> Elaine's and all the way on through to Xavier, Yvonne and Zenobia.
> Unfortunately, it doesn't work that way.  If Alice trusts Bob, that means
> Alice has to trust all those people trusted by Bob... or even all those
> people trusted by all those people trusted by Bob... or even all those
> people trusted by all those people trusted by all those people trusted by
> Bob.  It gets impractical really fast.
> In twenty years of using PGP and GnuPG, I've relied on the Web of Trust a
> total of something like six times.  It was a neat idea, but as far as
> general rollout goes it's been a dismal failure.
> Voice doesn't give us much confidence in identity.  Voice allows us to do
> out-of-band verification [2], but it doesn't let us confirm identity.  Most
> people think identity is something that gets proven by documents, but
> identity is actually a lot more nebulous than that.  I normally require two
> forms of government-issued identity documents before I'll sign a
> certificate, but I haven't seen two government-issued identity documents
> from my own mother.  That doesn't mean I think she's not my mother.  It
> means I've somewhere along the line done an identity verification that has
> nothing to do with documents.
> In a phrase, identity is the name we give to continuity of agency over
> time.  Knowing who's responsible for something right here, now, in this
> moment, is all well-and-good, but it's also kind of trivial: "the person
> standing there with a smoking gun is the one who's responsible for the body
> on the floor."  Doesn't tell you very much, really.  But knowing that
> person is also "the person who bought a bagel at a delicatessen yesterday"
> and "the person who's driven a Peugeot to work every day for the last three
> years" and "the person who for the last several years has lived at this
> address" all builds up to give us a sense of *what choices this person has
> made* (agency) and *over what time frame these choices have been made*
> (time).
> Once we have a concept of agency over time, that by itself is an
> identity.  A legal name specifies an agent, but not an identity. Identity
> requires history.  A track record.  A paper trail, as it were.

From my experience, when you ask 10 people 'what is identity', you get 10
different answers.  A better question might be, "How do you name things
(e.g. people)". If different parties name things in a similar way there's
an order of magnitude more chance of growing the network.  Keybase has a
proprietary, centralized naming strategy largely incompatible with the
architecture of the web.  If that sounds like a criticism, it isn't.
Because almost everyone else does the same thing.  Hence identity systems
are balkanized.

Where I think keybase shines is with convenience and utility.  Such systems
have chances of organic growth.  But people tend to overestimate the
chances of making it to millions of users, which is what keybase possibly
needs to change the landscape.

We need a web of trust that's universal (the only way I know to do this is
to use URIs for naming), so that it can span many systems and grow the
network effect.

> Keybase has given up on the Web of Trust and on using official government
> records to prove who people are.  Instead, proofs are established by *what
> you've done* (agency) and *for how long you've been able to do it* (time).
> For instance, visit this website:

In awww this is a document, we like to put data inside documents.  Then you
can make statements about both things.  I may like Ricky Martin's home page
but may not like Ricky Martin.

I'd suggest having an anchor inside such as #me or #this, then tie key value
pairs to it.  It turns out that anchors are very hard to grok on the web
for most people, though.

Using anchors also allows multiple data structures on the page.  One for
the user, one for the key, one for anything else you'd like to add.

> You'll see a list of several "what I can do"s.  Key 0xD6B98E10 has been
> used to sign a tweet containing an assertion of identity: "I am Rob Hansen,
> robertjhansen on Twitter."  Thereby, key 0xD6B98E10 has been bound to my
> Twitter social-media identity [3].  You can pull this tweet down from
> Twitter's own servers and verify the statement yourself; you don't have to
> take keybase's word for it.  (In fact, you probably *should* verify it for
> yourself.)
> Likewise, I've made similar statements of identity for my GitHub account
> and for a couple of web pages I run.  These disparate activities comprise a
> record of things I have done (agency) over a time period (time), which is
> ... identity.
> It would be pretty foolish to think my legal name was Rob Hansen based
> solely on keybase, yes.  Keybase makes no assertion that someone is
> correctly representing their legal name.  But how many of us really care
> about that?  The more common use case seems to be that we want to know
> we're not being catfished [4].  I could be named Maurice Micklewhite and it
> wouldn't change the fact that I control that Twitter account, that GitHub
> account, or those webpages.  If the fraction of my identity that you care
> about maps well to that realm, then keybase is a pretty effective way to
> verify that fraction.
> Sure.  People on this list know a completely different me than my parents
> do.  You're the only one who knows the fullness of the choices you've made
> over the course of your life: you're the only one who knows who you truly
> are when the chips are down.  The rest of us only ever get to see a
> fraction of the true identity.
> Given how miserable the WoT's adoption rate is, any improvement will be a
> big difference.  In its present form I don't see it as making a big
> difference to the world at large, though.  Right now keybase allows you to
> certify your Twitter, GitHub, Reddit, CoinBase, and Hacker News identities,
> as well as BitCoin addresses and any web pages you control.  For the geek
> cognoscenti that's great, but for the world at large it's not going to
> matter half a damn until and unless keybase gets either Google+ or Facebook
> on board.
> It's a cool idea and worth looking into.  :)

Yes, but as it's designed, hard to get traction.

Very worthwhile noting the usability patterns, though.

> [1] Americanism: "an impudent or immoral woman."  Generally considered
> rude, but not profane.
> [2] Kind-of sort-of: most phone traffic nowadays flows over the network,
> so it's actually in-band.
> [3] I rarely if ever use Twitter.  If you're a Twitter fiend feel free to
> follow me, but don't expect much.
> [4] Americanism: "identity deception."
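The check described in the quoted write-up (fetch the signed statement from the service itself and verify it yourself), as an added example that is not part of the original thread and is not Keybase's code or proof format. It assumes an Ed25519 key in place of OpenPGP, a constructed JSON statement layout, and constructed account names.

```javascript
// Added illustration: verifying a signed "this key controls this account" statement.
const crypto = require('node:crypto');

// Constructed convention: fingerprint = SHA-256 of the DER-encoded public key.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

// Account owner: sign a statement naming the account and the key.
function makeProof(privateKey, publicKey, service, username) {
  const statement = JSON.stringify({ service, username, key: fingerprint(publicKey) });
  const sig = crypto.sign(null, Buffer.from(statement), privateKey).toString('base64');
  return { statement, sig };
}

// Verifier: `post` is what was fetched from the service, `foundAt` is the
// account it was fetched from. The statement must name that same account,
// otherwise a copy of someone else's proof would be accepted.
function verifyProof(post, foundAt, publicKey) {
  let claim;
  try { claim = JSON.parse(post.statement); } catch { return 'malformed'; }
  if (!claim || typeof claim !== 'object') return 'malformed';
  if (claim.key !== fingerprint(publicKey)) return 'wrong-key';
  if (claim.service !== foundAt.service || claim.username !== foundAt.username) {
    return 'wrong-account';
  }
  const ok = crypto.verify(null, Buffer.from(post.statement), publicKey,
                           Buffer.from(post.sig, 'base64'));
  return ok ? 'ok' : 'bad-signature';
}

// Constructed sample data: one genuine proof, then two ways it can fail.
function demo() {
  const alice = crypto.generateKeyPairSync('ed25519');
  const account = { service: 'twitter', username: 'alice_example' };
  const other = { service: 'twitter', username: 'mallory_example' };
  const post = makeProof(alice.privateKey, alice.publicKey, account.service, account.username);
  const edited = { ...post, statement: post.statement.replace('alice_example', 'mallory_example') };
  return {
    genuine: verifyProof(post, account, alice.publicKey), // fetched from the named account
    copied: verifyProof(post, other, alice.publicKey),    // same post found on another account
    edited: verifyProof(edited, other, alice.publicKey),  // statement changed after signing
  };
}
console.log(demo());
```

The signature check alone is not enough: the "copied" case carries a valid signature and is rejected only because the statement names a different account from the one it was found on.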