keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

Feature suggestion: Precaution levels #1642

Open DavisNT opened 9 years ago

DavisNT commented 9 years ago

There has been a lot of discussion about whether Keybase should provide convenience by storing the (encrypted) private key online, or security by discouraging online storage of the private key.

I would like to suggest a solution for this dilemma - precaution levels. There could be three levels:

Precaution levels could normally only be decreased; increasing would be allowed only when publishing a new public key. Keybase could offer only the functionality corresponding to the user's precaution level (e.g. if the precaution level is set to extreme, Keybase.io should never offer storing the private key online or using the Keybase command line client). The precaution level could be signed by the user's key and stored on Keybase servers (to prevent changing the behavior of a non-compromised Keybase command-line client by compromising Keybase servers (or communication with them)).
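The client-side check this proposal implies, as an added example that is not part of the original thread or of Keybase's code: the client trusts only a level statement that verifies against the locally held public key, and refuses a raise unless the key has changed. Ed25519 stands in for the user's PGP key, and the level names `Low` and `High`, the `Statement` format, the `Seq` counter and all function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

const Low, High, Extreme = 0, 1, 2 // hypothetical names; the post names only "extreme"

// Statement is an assumed format for the signed record kept on the server.
type Statement struct {
	KeyID string `json:"key_id"` // hex of the public key the level is bound to
	Level int    `json:"level"`
	Seq   int    `json:"seq"` // assumed counter, incremented on every change
}

func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// Sign builds the statement for priv's own public key and signs it client-side.
func Sign(priv ed25519.PrivateKey, level, seq int) (body, sig []byte) {
	id := hex.EncodeToString(priv.Public().(ed25519.PublicKey))
	body, _ = json.Marshal(Statement{id, level, seq})
	return body, ed25519.Sign(priv, body)
}

// Accept checks a server-supplied statement against the local key and the last accepted one (nil at first).
func Accept(pub ed25519.PublicKey, prev *Statement, body, sig []byte) (*Statement, error) {
	var s Statement
	if !ed25519.Verify(pub, body, sig) || json.Unmarshal(body, &s) != nil || s.KeyID != hex.EncodeToString(pub) {
		return nil, fmt.Errorf("not a valid statement signed by this key")
	}
	if prev != nil && prev.KeyID == s.KeyID && (s.Seq <= prev.Seq || s.Level > prev.Level) {
		return nil, fmt.Errorf("replayed statement, or level raised without a new key")
	}
	return &s, nil
}

// MayOfferKeyUpload gates the feature the post wants disabled at "extreme".
func MayOfferKeyUpload(s *Statement) bool { return s.Level < Extreme }

func main() {
	pub, priv := NewKey()
	body, sig := Sign(priv, Extreme, 1)
	fmt.Println(Accept(pub, nil, body, sig))
}
```

Because the signature is checked against a key the client already holds, a server that alters or substitutes the stored statement produces a verification failure rather than a silently lowered level.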

pathawks commented 9 years ago

How about a higher level where I only use builds of GPG that I’ve compiled myself? Maybe a still higher level where my key exists only in my head, and all encryption is done by hand?

The point is, at some point you have to trust something, and to suggest otherwise is less security than “security theater”.

DavisNT commented 9 years ago

I won't call restricting features “security theater”. I think the recent password manager breach is a good example. Regarding trust, I believe the ability to restrict features (especially while in beta) would only increase the trust.

P.S. I remember that there is/was one more issue where the behavior of the Keybase command line client (offering to upload the private key to Keybase with a default of yes) was discussed. This could also be covered by precaution levels.

pathawks commented 9 years ago

Trust in whom?

I could jump through all the hoops to be labeled “Extremely” trustworthy, but if my password is on a Post-It beside my keyboard, it doesn’t much matter.

Security theater.

DavisNT commented 9 years ago

Trust in the project taking security as the most important thing.

It is clear that a precaution level would protect the user only within (uncompromised) Keybase and only from Keybase being compromised in the future. But what else could Keybase (reasonably) do?

I can easily imagine a case where precaution levels could save the day: if a user uses the Keybase command line client on a dedicated yet internet-enabled device (e.g. a Raspberry Pi used only for encryption and signing), he/she could get very unhappy if he/she accidentally presses Enter when Keybase offers to upload the private key (providing yes as the default). I don't see any theater in this example.

akhepcat commented 9 years ago

The straw-man argument that pathawks points out should not detract from the ideal goal, which is increasing the visible trust.

I think that the "precaution-level" meter is an interesting solution, and provides some assurance that a specific key has not been made leak-able by Keybase.

Keybase is not here to protect users from themselves. But it should be able to protect itself from accountability issues arising from the proof-of-the-negative: i.e., prove Keybase hasn't leaked your private key.

I would be in support of this model.