Search by e-mail [API, Feature Request]

[jszym]

Using keybase.io as a great way to check keys before sending emails is an incredible use of the service, but seeing as it's impossible to search by email it's impossible.

Something like the following would work nicely imho: https://keybase.io/_/api/1.0/user/lookup.json?email=joseph.szymborski@gmail.com&fields=basics

I know e-mail isn't a proof and not verified like twitter, HN, etc, but searching by email would be know different than searching by keybase.io username in terms of security.

[CodingAnarchy]

I'd also appreciate a feature like this, but I'd ask it be something the user has to opt in to. It's not really a security thing, just a note that some people might prefer keeping their email a little closer to the vest. Additionally, this would allow for a public-facing email to differ from the one used to signup (for instance, I might want an email that only receives encrypted data).

But in practice, any email client will need to be able to lookup or otherwise find email addresses for keybase users, so as to reduce the amount of information that must be given.

[jszym]

Hmm.. that would make sense I guess.

So in your profile you can opt-in or opt-out of e-mail discovery.

If you're opted in, and someone did something like https://keybase.io/_/api/1.0/user/lookup.json?email=chris@chriscoyne.com

You'd get

{
  "status": {
    "code": 0,
    "name": "OK"
  },
  "them": [{
    "id": "9a2c8a8ac48162723c7992570c87da00",
    "basics": {
      "username": "chris",
      "ctime": 1399919269,
      "mtime": 1399919269,
      "id_version": 5,
      "track_version": 1,
      "last_id_change": 1399919279
    }
//... truncated
  }],
  "csrf_token": "lgHZIDQ1NTU0ODE3NzY5ZmM5N..."
}

And if they're not opted in

{"status":{"code":0,"name":"OK"},"them":[]}

[guerda]

I definitely support this feature request. It would be great to check a list of mail addresses against keybase so I can id and track my contacts, if they are on keybase.

[ghost]

I also agree - it would be great if (on the mac) the CLI could be hooked into Address Book - search for people based on the emails, twitter handles, etc. which are listed in your address book

[jvasile]

Your email address is right there in your GPG key. By using Keybase, you've already put it out there in public and associated with your keybase account. We should be able to search on it.

[ghost]

Of course addresses used to register should not bw searched in. But... I would interpret it as @jvasile that adding an address to the public key is consenting for it to be searchable (since addresses in public keys are open and public by design). So :+1: for being able to search in email addresses saved in public keys.

[oconnor663]

We will probably add email proofs at some point by saving DKIM headers and letting clients verify them.

[patcon]

Just as a sample use-case for doing lookups, even when emails are unverified:

If emails were searchable, then a gmail extension could be created that would do a lookup on the unverified address, then verify connected social media identities, and then use a (as yet non-existent) complementary service (that has been oauth'd by user on each of those services) to lookup previous interactions with the purported person. (ie. oh, you're following the user and have DM'd them on Twitter, and you're on a github team together? Ok, highly likely this is the key you want to use.) This could be used to help the user decide whether to use the key.

[MoritzFago]

for the privacy concerns i'd like to suggest, that you could lookup a key with a hash (don't know which scrypt maybe) of the address of possibly to the key base account associated pgp keys.

[jasmas]

This is a duplicate of #590 closed long ago.

I don't think there is any privacy concern and it doesn't seem to me that keybase need take on the burden of email verification to make this happen. This problem was mostly already solved by the existing web of trust.

Since email is by nature transient, keybase actually SHOULD NOT verify email in my opinion because there can be no standing proof for independent users to verify as with the other services. However, this should not be required. I see the process working as follows:

1. Search keyservers for the email address and return a list of unexpired & unrevoked keys
2. Search keybase.io for the fingerprints and return a list of users

This is the process I use manually now. Keybase is already integrated to pull keys from gpg, so why not integrate it to search keyservers for uids? The integration would be helpful if only to return a potential list of keybase users all claiming a pgp key with a uid matching that email. Of course we don't trust the key servers. Anyone could upload a valid key for anyone else's email. But that is exactly the problem keybase is already built to solve. When keybase returns a list of potential users matching a specific email, I'm going to start with the one that has also verified a facebook, twitter and github that all appear to be the person I'm looking for.

[onlykey]

We have implemented a keybase search page/engine here - https://apps.crp.to/search

It currently supports searching by Auto search (searches any text for best match), Web Domain, Twitter, Github, Reddit, Hackernews, and PGP Key Fingerprint

We would very much like to be able to search by email, I see this issue has not had any activity in a while, please consider adding this feature to the search API.

[onlykey]

It looks like the Protonmail api has this feature, you can download a users public key from their email address:

https://api.protonmail.ch/pks/lookup?op=get&search=username@protonmail.com

Any ideas how to do this with Keybase?