Keybase and PGP

Recently, a new service called Keybase was launched by a
couple of the co-founders of OKCupid. I recently got an invite to the service
(even though I only vaguely knew what it did) and so I decided to look into it.

In essence, Kaybase is a service built around PGP. PGP (Pretty Good
Privacy) is a very old piece of cryptography software that allows a user to
create a pair of security keys. One, the private key, is used to create digital
signatures and encryption. The corresponding public key is then used to verify
that the signature was created by the private key. Decryption is a bit more
complicated, but the gist of it is that only the private key of the recipient
can be used to decrypt the message. Traditionally, public keys were exchanged in
person, sometimes at "key signing parties". When you sign someone else's public
key, you are basically stating, "If you trust that I am who I say I am, you can
trust that this person is who they say they are." This was one of the reasons
for exchanging keys in person, since identity was easier to verify. PGP operates
operates on a "Web of Trust" model. Aside from keys that you have signed
personally, you can designate which other keys you might trust. For example, you
could say that keys that are signed by people whose keys you have signed are
trusted, or you could say that if three people whose keys you have not signed,
but trust (as in the first example), have signed a key that you trust that key.

Now, most people do not actually use PGP, they use an open source implementation
called GNU Privacy Guard (GPG). The problem with GPG is that it is a
command line utility. There are programs that let you use a graphical front end
for it or integrate it with your email client, but by and large, most people
will not be able to use it. Keybase aims to simplify that as well as add on to
it. With Keybase, you can associate your social media accounts with a certain
public key. In this way, if you trust someone's github or twitter account, you
can also trust their public key and sign it, without the need to see them in
person. Keybase also provides both online and command line key management and
other related features (key signing, message siging, encryption, etc.).

Of course, there are a number of concerns with it. You have the option of
storing your private key on their servers, which raises some security concerns.
How secure is the private key? If it is generated in a web browser, how do you
know that you can trust the web broswer? How can I trust the public key if the
veracity of the private key is questionable? These are all things that will need
to be answered before the service is used in earnest.

For more reading about Keybase, check out the Hacker News Thread or This post
about its security concerns

Show Comments