Trying out

I’ve joined Keybase this week: This is a new service which hosts a directory of public keys together with a verifiable list of usernames.

Keybase uses Pretty Good Privacy (PGP) keys and encryption to create the identity proofs. For example, on the Keybase site you can see that I control this domain: Keybase links to a file posted on this domain which contains a statement that I own the domain, together with a signature over that statement. For other services they do something similar.

With GitHub you post a gist which contains the same content as the web proof.

For Twitter it is slightly harder, since the proof does not fit in a single tweet. They solve this by tweeting a hyperlink to the proof together with a small part of the hash of that signed proof.

The good thing about the above proofs is that they stay public and independently verifiable, so everyone can see that these usernames are linked to me. This is even easier to check with their excellent command line utility, keybase. For example, you can check my identity with keybase id jeroenh; the utility will then go out and fetch those proofs, check them and display the results.
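As an added example (not code from this post or from Keybase), here is the check a tool like keybase id has to perform on each proof described above: the signature over the published statement must verify under the claimed key, the statement must actually name the expected username and service, and, for the Twitter case, the hash fragment in the tweet must match the digest of the linked proof. Ed25519, the statement wording, SHA-256 and the 16-character minimum prefix are assumptions standing in for Keybase's PGP-based format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// NewKeyPair returns a throwaway Ed25519 key pair (standing in for a PGP key).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only if the system RNG is unavailable
	}
	return pub, priv
}

// MakeProof returns the two parts of a proof: a statement that the key holder
// is username on service, and a signature over it (wording is an assumption).
func MakeProof(priv ed25519.PrivateKey, username, service string) (string, []byte) {
	stmt := fmt.Sprintf("I am %s on %s (identity proof)", username, service)
	return stmt, ed25519.Sign(priv, []byte(stmt))
}

// VerifyProof: the signature must hold under the claimed key AND the signed text
// must name the expected identity; a valid signature on the wrong claim fails.
func VerifyProof(pub ed25519.PublicKey, stmt string, sig []byte, username, service string) error {
	if !ed25519.Verify(pub, []byte(stmt), sig) {
		return fmt.Errorf("signature does not verify under the claimed key")
	}
	if !strings.HasPrefix(stmt, fmt.Sprintf("I am %s on %s ", username, service)) {
		return fmt.Errorf("signed statement does not name %s on %s", username, service)
	}
	return nil
}

// ProofDigest is the hex SHA-256 of the signed proof; a tweet carries only a
// prefix of it next to the link to the full proof.
func ProofDigest(stmt string, sig []byte) string {
	sum := sha256.Sum256(append([]byte(stmt), sig...))
	return hex.EncodeToString(sum[:])
}

// CheckTweetPrefix binds a tweet to the linked proof; 16 hex chars is an assumed minimum.
func CheckTweetPrefix(fragment, stmt string, sig []byte) bool {
	return len(fragment) >= 16 && strings.HasPrefix(ProofDigest(stmt, sig), fragment)
}
```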

The service also allows the user to store the private key, protected with a password, in the cloud. Using node.js and scrypt, the site implements the cryptography for signing and encryption locally in the user's browser. I don’t believe that this is really a safe option, but it is a good possibility for less experienced users.

On the other hand, the service does a good job of making PGP much more accessible. The website and especially the CLI are very easy to use. The site also adds another means of verification to the web of trust.

Using the service I became aware that my keys were not optimal. I was using a main key of 1024 bits and a separate key for this blog. I am retiring the old main key and have combined everything into a single key, whose public key I’ve hosted here and also on Keybase: Fingerprint=3C66 EA26 CD67 DE67 AE62 6345 DFE4 3DEC 6755 33EF.