←back to thread

Sign arbitrary data with your SSH keys

(www.agwa.name)
637 points h1x | 2 comments | 13 Nov 21 09:13 UTC | HN request time: 0s | source
Show context
exabrial ◴[13 Nov 21 18:54 UTC] No.29212231[source]
Great idea: easy key distribution and management. Like most p2p ideas, PGP also sucked at this.

Terrifying idea: trusting a third party to maintain the metadata about a key and who's identity it represents.

PGP absolutely got this part right: if you modify the contents of the metadata, the hash changes. Basically, if a private key were to point to Myself, and I distributed it widely, then lost it... an attacker who recovered said key could _transparently_ change the identity of the key and we'd have no record of who was actually correct. And lets not pretend that a government couldn't coerce Github to add an ssh identity to your account (it is owned by Microsoft now, and they have DOD contracts to fulfill).

Keybase solved both these issues: easy and intuitive, transparent proofs, along with the rigidity of metadata with pgp keys: if a key owner changes, the pgp key mutates.

replies(3): >>29212315 #>>29212532 #>>29212620 #
1. Gargyle ◴[13 Nov 21 19:32 UTC] No.29212532[source]
Are there resources on the impact of Keybase being bought by Zoom? Zoom is out of question too because they discourage e2e and darkpattern you into installing their software despite browser compatibility and because they darkpattern you into giving cam/mic access just to listen to a broadcast-only session even if unnecessary. They place their own controlled device toggles as source of truth instead of those by the browser UI and fail in weird ways if you toggle in-browser. (Same for almost all other similar software as well)

I tossed them without a second thought after they annoyed me with Stellar. Nobody uses Stellar if they dont have a hidden incentive. It always had a huge forced marketing vibe.

Is there some sucessor to keybase?

(Motivation disclaimer: I want to dump on Keybase because in the end, even with flawless crypto at first, those organizations always erode the good things down to centralized with platform control again.)

replies(1): >>29213284 #
2. Reitet00 ◴[13 Nov 21 21:22 UTC] No.29213284[source]
> Is there some sucessor to keybase?

Depends on the use case. E.g. for raw identity proofs https://keyoxide.org works well but it's not as straightforward to use as Keybase.