
So @keybase is not going to bother with micro/family instances (e.g. <5 users). Great.

Careful Fediverse, "centralization"-first is coming. Or at least "large-instances-first".

Keybase recommends using the website verification for those small instances, fine, but this won't support the encrypted messages that were proudly announced 7 paragraphs before.

keybase.io/blog/keybase-proofs

@sheogorath @keybase The IDs one adds to GPG keys are just strings, may as well be URLs of the profiles, not just e-mail addresses. Plus this isn't very difficult to put the fingerprint or link to the .asc in the bio, so everyone interested could just import the key and check the fpr and IDs.

@amiloradovsky Proofing the things is not difficult, but the service keybase provides and that makes it special is not the proof itself, it's the accessibility of it.

You get a link, you get a green checkmark and you get a username. Yes, all of this could be coded by anyone else, it's just that no one does.

Maybe someone with good UX skills will be bored enough to use OpenPGP.js and write one themselves using entirely free software :)

>> You get a link, you get a green checkmark and you get a username.

Yep, totally agreed. People like nice visual cues such as green checkmarks. That’s why Mastodon Link Verification is so attractive too. Without nice UX even the best designs are doomed to oblivion.

@wiktor I wonder if we could make such a tool, completely free and open source with @paul. As far as I know he's great with OpenPGP and it would probably also fit into his FluidKeys project.

Paul, are you interested?

I already have a small plan on how to proceed but I’m currently waiting for the right alignment of stars ;-)

I don’t want to spoil the idea publicly before I get all required ACKs from others but if you’re interested do e-mail me (GPG encrypted, of course!).

@sheogorath @wiktor I missed the thread there, what kind of tool are you thinking of?

@paul @wiktor The main idea is to have some kind of tool that can link online identities e.g. GitLab, GitHub, Mastodon, … with GPG keys and provide some way of "proof".

Maybe there is some kind of uid-like field we can use for that in the OpenPGP key which could link to a signed proof or similar.

Basically having something similar to keybase, but without their centralized component and without the whole zoo they build around it (messenger, git repositories, …)

@sheogorath
That would be absolutely amazing. I don't code (yet) but I'd help however else I can 👍
@paul @wiktor

Exactly. I did a proof of concept of something like that along with proof verification: https://github.com/wiktor-k/distributed-ids#distributed-ids

This works in a purely distributed way with OpenPGP and doesn’t require any proprietary tools.

The scheme is inspired by Linked Identities (https://tools.ietf.org/html/draft-vb-openpgp-linked-ids-01) that worked in OpenKeychain for some time.

@sheogorath @keybase that's really an exceptionally weird choice. What's the problem on keybase's side to just support anyone?

@sheogorath @keybase

instances.social lists more than 5,200 Mastodon instances. The vast majority of instances that are "up" have more than 5 users.

Besides, it is more likely that very small instances disappear, or are mostly down.

Sometimes, even medium-sized instances disappear. For example, we were on securitymastod.one before. This instance had more than 2,000 users and was shut down overnight without prior notice.

@infosechandbook
@keybase provides website proofs in general, which are not more or less down than your average mastodon instances. They also disappear from the web and come back and do wild things.

keybase proofs aren't that complicated, so at the end of the day, besides formal requirements (which could be automated) there is, from my perspective, no reason to not allow every instance to use it.

If not, maybe the title of the blog post is wrong, as, obviously, it's not for everyone.

@sheogorath @keybase No encrypted messages functionality is in any way tied to Mastodon.

@Gargron @keybase

It's not using Mastodon to exchange the messages, that's right, but it uses the Mastodon identity to address the participant.

And this means keybase users on small instances won't be able to be addressed that way. It may sound like a minor problem, but the absence of the proof also prevents you from easily validating that a keybase account is tied to a mastodon account.

Which is definitely negative for users on smaller instances.

@sheogorath @Gargron @keybase

Erm, we have keybase support, and we have 3 (two of which are active) users. Were we just lucky?

@GigaByte4711 @Gargron @keybase

Maybe, I can just quote keybase's own statement:

"sites which feel tiny and spammy. We don't want 10,000 partners with 5 members each; if you run, say, a family or apartment website, you don't need to do this integration. Just prove ownership of the domain in the old Keybase way, putting your family's proofs in yoursite.com/keybase.txt"

Would love to see things not being that strict.

@sheogorath that restriction was hidden far down in the article. Almost as if they don't want you to read it. Also the teams feature seems like trying to take over the users, by providing them with a way to communicate without needing Mastodon. Anyway, who needs another silo.

@sheogorath @keybase i was gonna say "what if they are just treating this as a beta feature still, give them a chance" til i saw this:

>Like a Mastodon instance, we reserve the right to work with whichever partners we prefer. We specifically will avoid at least these sites

the fact they're arbitrarily choosing instances shows that keybase is deciding to mix technology/crypto/security with politics. cryptoanarchists can definitely see how this is wrong, and i hope others are able to see what's wrong with this approach too: everyone should have the right to these tools. even projects like tor prioritise "security and privacy for all" over their political/legal beliefs, because they know bringing the law into technology is tricky business and doomed to fail

yes, the difference here is that keybase is a service. the takeaway here is to piggyback on the standards keybase is creating, and to build a distributed set of tools atop the standards to reduce our dependency on a central business, and to free ourselves from these arbitrary business decisions. something that everyone can use easily
Sheogorath's Microblog

This instance is the microblog to my blog. You'll probably find more recent content here while finding more elaborated content on the blog.