Date: Sat, 21 Jun 2014 22:37:05 +0200
From: Robert Dannhauer <r.dannhauer@...glemail.com>
To: Rikairchy <blakcshadow@...il.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] keybase.io

Thanks to Rikairchy I was able to take a look.

They are saying:
"For safety, the Keybase servers never see your passphrase, even during
login, and therefore cannot decrypt your private key."

The only question: Can this be trusted? Can we make sure they don't know
the passphrase?

Even though this looks like a nice service.

PS: Thanks Rikairchy :)

On Fri, Jun 20, 2014 at 10:22 PM, Rikairchy <blakcshadow@...il.com> wrote:
> I have a few questions regarding this website.
>
> For those of you unfamiliar with it, it is (to my knowledge) a GPG
> keyserver, website, and client for easy upload. The client supports
> signing, encrypting, and verifying messages as does the website. There
> is also an option to "track" users, verifying who they are in a way.
> In short, public tracking and awareness of identities.
>
> There are also ways to verify github account, twitter account, and
> website ownership on keybase.
>
> There is an option to create as well as upload your private key. I'm
> very new to this type of encryption, having only worked with
> TrueCrypt, SSH, and BitLocker prior, but I was under the impression
> that the private key was the last thing you should part with. Why
> would a website focused on providing security allow users to upload
> their private keys?
>
> As mentioned, there are github, twitter, and website ownership
> verification options, tied to your GPG public key. This does no more
> than verify that someone that has access to @username on twitter and
> example.net (which are both listed on a user's keybase.io profile) are
> controlled by the same person, but not the identity of said person,
> correct?
>
> I also have keybase.io invites if this interests anyone.

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/