Date: Mon, 23 Jun 2014 15:49:39 +1000
From: Sam Stewart <sam@...ureshredders.com.au>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] keybase.io

Also thanks to Rikairchy, I got an invite.

I opted not to upload my private key, and it's still a pretty useful
service without that.

Github, twitter & bitcoin address, signed by my priv key offline. The
"tracking" feature is probably the easiest implementation of web-of-trust
I've seen.


On 22 June 2014 06:37, Robert Dannhauer <r.dannhauer@...glemail.com> wrote:

> Thanks to Rikairchy I was able to take a look. They are saying:
> "For safety, the Keybase servers never see your passphrase, even during
> login, and therefore cannot decrypt your private key. "
> The only question: Can this be trusted? Can we make sure they don't know
> the passphrase?
> Even though this looks like a nice service.
>
> PS: Thanks Rikairchy :)
>
>
> On Fri, Jun 20, 2014 at 10:22 PM, Rikairchy <blakcshadow@...il.com> wrote:
>
> > I have a few questions regarding this website.
> >
> > For those of you unfamiliar with it, it is (to my knowledge) a GPG
> > keyserver, website, and client for easy upload. The client supports
> > signing, encrypting, and verifying messages as does the website. There
> > is also an option to "track" users, verifying who they are in a way.
> > In short, public tracking and awareness of identities.
> >
> > There are also ways to verify github account, twitter account, and
> > website ownership on keybase.
> >
> > There is an option to create as well as upload your private key. I'm
> > very new to this type of encryption, having only worked with
> > Truecrypt, SSH, and BitLocker prior, but I was under the impression
> > that the private key was the last thing you should part with. Why
> > would a website focused on providing security allow users to upload
> > their private keys?
> >
> > As mentioned, there are github, twitter, and website ownership
> > verification options, tied to your GPG public key. This does no more
> > than verify that someone that has access to @username on twitter and
> > example.net (which are both listed on a user's keybase.io profile) are
> > controlled by the same person, but not the identity of said person,
> > correct?
> >
> > I also have keybase.io invites if this interests anyone.
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > http://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
> >
>



-- 
Sam Stewart
Secure Shredders Pty Ltd

PO Box 325
Caulfield East
Vic 3145

p   0410 215 021
e:  sam@...ureshredders.com.au
www.secureshredders.com.au
