
what's keybase? why are so many people talking about it right now? what's with all those "it is proven!" posts? (long, serious) 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

keybase is a website that allows you to prove that a given account or website is owned by you. to explain how this works, we'll need to briefly cover public key cryptography.

there are many ways to encrypt a file. one such way involves using a password to encrypt the file, which can then be decrypted using the same password. this is known as a symmetrical method, because the way it's encrypted is the same as the way it's decrypted - using a password. the underlying methods of encryption and decryption may be different, but the password remains the same. how these algorithms work is outside the scope of this post - i might make a future post about encryption.

public key encryption is asymmetrical. this means the way you encrypt it is different from the way you decrypt it. a password protected file can be opened by anyone who knows the password, but a file encrypted using this method can only be decrypted by the person you're sending it to (unless their private key has been stolen). if you encrypt a file using someone's public key, the only way to decrypt it is with their private key. since i'm the only one with access to my private key, i'm the only person who can decrypt any files that are encrypted using my public key.

my private key can also be used to "sign" a file or message to prove that i said it. anyone can verify that i was the one who signed it by using my public key. comparing the signature to any other public key won't return a match, and changing even one letter of the text will mean that the signature no longer works.

as the signing process can be used to guarantee that i said something, this means that i can use it to prove that i own, say, a particular facebook account. i could make a post saying "this is lynne" with my signature attached, and anyone could verify it using my public key. this is where keybase comes in.

the process of signing a post is rather technical, and everyone who wants to verify it will need to know where to get your public key. there are "keyservers" that contain people's public keys, but the average person won't know that, or what the long, jumbled mess of characters at the end of a message even means. keybase does this for you. after you create an account, it generates a public and private key for you to use. you don't even need to access these, it's all managed automatically. you can then verify that you own a given twitter, reddit, mastodon, etc. account by following the steps they provide to you. you just need to make a single post, which keybase will check for, compare against your public key, verify that it's you, and add to your profile. users can also download your public key and verify it themselves.

support for mastodon was only added recently and isn't quite complete yet, but it's ready to use and works well. this is why you might have noticed a lot of people talking about it recently. support for keybase is new in mastodon 2.8.

keybase can also be used to prove that you own a given website, again by making a public, signed statement. i've proven that i own lynnesbian.space with a statement here: lynnesbian.space/keybase.txt

it also provides a UI to more easily verify someone's signed message, without having to find and download their public key yourself.

keybase is built on existing and tested standards and technologies, and everything that it does can also be done yourself by hand. it just exists to make this kind of thing more accessible to the general public.

i've proven my ownership of this mastodon account (@lynnesbian), and you can verify that by checking my keybase page: keybase.io/lynnesbian/

keybase also offers encrypted chat and file storage, but its main feature is that you can easily verify and confirm that you are who you say you are. so if you see a website claiming to be owned by me, and you don't see it in my keybase profile, you should be suspicious!

finally, this post itself is digitally signed by me! you probably noticed that weird "begin signed message" thing at the top! you can verify that it's me simply by pasting the whole post, top to bottom, including the weird bits at the start and end, but *not* including the content warning, into this page here: keybase.io/verify
-----BEGIN PGP SIGNATURE-----
Version: Keybase OpenPGP v2.1.0
Comment: keybase.io/crypto
-----END PGP SIGNATURE-----

i should probably clarify that this isn't really meant to explain why you'd use keybase, just how it functions :blobbun:


re: what's keybase? why are so many people talking about it right now? what's with all those "it is proven!" posts? (long, serious) 

@lynnesbian

gpg: Signature made Wed 17 Apr 2019 12:12:13 AM CDT
gpg: using RSA key FB7B970303ACE499
gpg: Good signature from "Lynne [redacted] (GPG key for GitHub etc) <[redacted]@gmail.com>" [ultimate]

@lynnesbian by the way, you *can* include the content warning - it's just outside of the part you've digitally signed.

re: what's keybase? why are so many people talking about it right now? what's with all those "it is proven!" posts? (long, serious) 

@ben @lynnesbian
good test, and from what i read, correct.
the other side of the coin is:
keybase is vc funded with shitty terms, conditions and privacy statements.
you have been pwned. metadata captured, eventually sold to the highest bidder.

re: what's keybase? why are so many people talking about it right now? what's with all those "it is proven!" posts? (long, serious) 

@VeintePesos @lynnesbian I did *not* use keybase to generate the message you're replying to. I used gnupg, which talks to a federated network of keyservers.

re: what's keybase? why are so many people talking about it right now? what's with all those "it is proven!" posts? (long, serious) 

@ben @lynnesbian
i have gpg on all my boxes as well, what about lynn?

re: what's keybase? why are so many people talking about it right now? what's with all those "it is proven!" posts? (long, serious) 

@VeintePesos @lynnesbian considering the key was generated on 2018-08-13 and lynne signed up for keybase on 2018-09-21, I'd say she had gpg installed at some point

plus, if she has *Linux* on her computer, she probably has gpg.

re: what's keybase? why are so many people talking about it right now? what's with all those "it is proven!" posts? (long, serious) 

@ben @lynnesbian
so some will use keybase with pgp and others gpg and grab the keys manually from a keyserver?

what's keybase? why are so many people talking about it right now? what's with all those "it is proven!" posts? (long, serious) 

@lynnesbian I'm really, really looking forward to them adding first-party Masto support, I really like how much more accessible Keybase makes public key crypto, have gotten people using it who would otherwise never be able to figure out gnupg.

As a dumbass 

@lynnesbian

I don't understand what this is meant to solve.

@Roxxie_Riot it's basically a way to guarantee that you are who you say you are, and the websites/accounts you own are truly yours (and that fake ones aren't)

@lynnesbian

I don't understand what use I'd have for that? I don't think anyone is clamoring to impersonate me, but neat. I guess.

@Roxxie_Riot it's certainly not needed for everyone! it's really more of an optional thing that's there if you want it.

@lynnesbian @Roxxie_Riot Essentially, a more open & versatile version of Twitter's Verified blue checkmarks.

re: As a dumbass 

@Roxxie_Riot @lynnesbian It uses gpg, which solves a good few major problems - those of confidentiality and integrity:

Confidentiality: I can create a message and ensure that only, say, Lynne can read it by encrypting the message with her public key. She can then decrypt it with her private key. She can then send a message back and encrypt it with my public key, and I can decrypt it with my private key. Given our private keys haven't been stolen by anyone, if anyone other than the intended recipients tries to read the communication, all they'll get is gobbledygook.

Integrity: I can sign a message with my private key, and anyone can verify that the message they received is the one I signed by using my public key. If the message changes at all, this fails.

Using this sort of technology, Keybase signs different statements on different websites to verify that an account on x website and an account on their website are owned by the same person. You can also use Keybase to sign and encrypt/decrypt/sign messages if you like, much like Lynne did in her original post (however I myself admittedly prefer using my own local gpg install for that purpose.)
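To make the sign-and-verify flow from Lynne's post and the integrity point above concrete, here is an added example (mine, not Ben's, Lynne's or keybase's code) in Go using Ed25519, the signature algorithm behind NaCl signing keys. The proof-post text format with its `-- signature:` marker, and the `profiles` map standing in for a keybase profile page, are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// sigMarker separates the statement from its base64 signature (a constructed format, not keybase's own).
const sigMarker = "\n-- signature: "

// MakeProof signs a statement with the owner's private key and appends the signature as text,
// as an account owner does when posting a proof on another site.
func MakeProof(priv ed25519.PrivateKey, statement string) string {
	sig := ed25519.Sign(priv, []byte(statement))
	return statement + sigMarker + base64.StdEncoding.EncodeToString(sig)
}

// VerifyProof splits a post back into statement and signature and checks it against
// a public key. Altered text, or a signature made with some other key, fails.
func VerifyProof(pub ed25519.PublicKey, post string) bool {
	i := strings.LastIndex(post, sigMarker)
	if i < 0 {
		return false // no signature attached
	}
	sig, err := base64.StdEncoding.DecodeString(post[i+len(sigMarker):])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false // malformed signature text
	}
	return ed25519.Verify(pub, []byte(post[:i]), sig)
}

// CheckClaim is the reader's side: look the claimed handle up in the profiles you
// trust (a constructed stand-in for a keybase profile page) and verify against that key.
// A handle absent from every profile you trust is rejected outright.
func CheckClaim(profiles map[string]ed25519.PublicKey, handle, post string) bool {
	pub, ok := profiles[handle]
	return ok && VerifyProof(pub, post)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	profiles := map[string]ed25519.PublicKey{"lynnesbian": pub}
	post := MakeProof(priv, "this is lynne")
	fmt.Println(CheckClaim(profiles, "lynnesbian", post)) // true
	// changing one letter of the statement: the signature no longer works
	fmt.Println(CheckClaim(profiles, "lynnesbian", strings.Replace(post, "lynne", "lynnf", 1))) // false
}
```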

correction to my response 

Correction on this statement: apparently Keybase doesn't use GPG - it, instead, uses NaCl keys. You can use GPG keys in keybase to encrypt/decrypt/sign messages, though.

@lynnesbian While I like keybase, and what that team is trying to do, I have two things that really keep me from embracing it anymore. First is that the server-side software is not libre or self-hostable, kind of a bummer. Second is that their terms of service includes a binding arbitration clause that you cannot opt-out of. I think that is generally a pretty skeevy move for any company.