On 02/25/16 01:58, Paul Syverson wrote:
> On Thu, Feb 25, 2016 at 12:26:02AM +0100, Guido Witmond wrote:
>>
>> I don't want *people* to exchange keys. I envision people to exchange
>> names and let computers do the key lookup.
>>
>
> The description below sounds a fair amount like Keybase (https://keybase.io)
> Perhaps it would be helpful to contrast your goals with theirs?

Hi Paul,

All from cursory reading:

Both Keybase.io and Eccentric Authentication share the same goal: Crypto for everyone!

But there are differences:

1. Technology

- Keybase uses PGP, Eccentric uses X509;
- Keybase uses the Bitcoin blockchain as trust anchor, Eccentric uses DNSSEC and a separate verification service like Certificate Transparency.

2. Model

- Keybase has a person-centric key model: Even though people can have multiple private keys, these are connected. Each user has 1 identity. That means, every message sent is attributed to the person. In this model, each of the actions strengthens the faith in the relation between the key and the identity.

- Eccentric uses a key model where each user has many keys: Each of those keys is an identity, tied to the site that signed it. Keys cannot be shared between sites. This prevents linking of identities unless the person reveals it. Or if cookies betray him.

In Eccentric, people are advised to use a throwaway identity whenever a site requires an identity.

In Keybase, it's much harder to remain anonymous as I expect sites to encourage linking your account to your identity.

3. Central / Dispersed

Keybase uses a central repository for all key/identity announcements. This makes them a single high value target.

Eccentric uses a single CA per site. There is no central repository. The risks of compromise are spread out. With some proper use of subkeys, the scary part of key management can be outsourced to a service provider.

4. User Security

Keybase provides confidentiality of the message contents but as it uses existing email transport, neglects meta data protection, in fact it gives up meta data protection to gain stronger ties between usernames, keys and identity.

Eccentric offers much stronger protection of meta data and equal protection of message confidentiality.

With Eccentric it's harder to assure a certain key belongs to an author of a publication.

There's probably a ton more.

If I made any mischaracterisations of Keybase, please enlighten and forgive me.

With regards, Guido Witmond.
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk