Keybase integration with GnuPG?

Glenn Rempe glenn at rempe.us
Sat Sep 10 20:30:31 CEST 2016


>
>
> > Are there any current plans to integrate Keybase.io into GnuPG at some
> > point in the future?
>
> (ObWarning: I am not a GnuPG developer.)
>
> I think this is unlikely to occur.  Werner's spoken out pretty strongly
> against the keybase.io model, which relies heavily on social media outlets
> like Facebook to provide confidence in an identity.  However, few people in
> the privacy community like or trust Facebook, which makes relying on
> something like keybase.io problematic -- it looks too much like GnuPG is
> encouraging the use of a platform (FB) that it's philosophically opposed
> to.
>

I think you are operating under some assumptions about Keybase that are not
entirely accurate. Contrary to what you state, Keybase.io does not support
Facebook as a proof destination.

https://github.com/keybase/keybase-issues/issues/518

I have a pretty complete Keybase profile if you are interested to see the
services they *do* currently support.  Please note that many of these are
not social networking platforms but also domains, DNS records, and Bitcoin
accounts that I control.

https://keybase.io/grempe


> The counterargument is that keybase.io works just fine with several other
> back-ends which are more respecting of privacy -- and if a user wishes to
> trust FB, why should GnuPG refuse to honor that user's choice?


True. Keybase supports a number of ways to hosts proofs currently. I
imagine they will add more as they mature for those sites that can meet the
requirements for hosting a proof that is public and can only be controlled
by a single user. This not only allows you to find public keys for a
person, but to authenticate that a person who claims to control the account
on site A is provably the same person who claims to control an account on
site B or a certain GPG key.

You can also host proofs on your own domain as a static signed file or as a
DNS record. Here is an example where I demonstrate that I control my
personal website:

https://www.rempe.us/keybase.txt

You can learn a bit more about this here:

https://keybase.io/docs/server_security/following

Please also note that for most of the last year Keybase is in the midst of
a transition away from using GPG keys as the primary identifier and the
primary way of signing proofs. They have already moved to a model where
NaCl keypairs are used to identify various devices the user controls, and
then the user can sign proofs on various services with those NaCl keys. You
can still add one, or more, GPG keys into this mix.

https://keybase.io/blog/keybase-new-key-model

Keybase is creating a form of the Web of Trust, but it does not rely on, or
even require at all, GPG keys or the use of social networking services.
Facebook is not supported at all.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160910/b537ae07/attachment.html>


More information about the Gnupg-users mailing list