keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

private twitter account usable for keybase verification #2407

Open ramonvennik opened 8 years ago

ramonvennik commented 8 years ago

Switching to public twitter account is not an option

alexwwang commented 8 years ago

I met this problem too. Looking forward to the solution. How about making a bot follow me, so it could see everything, though that may raise other risks.

ghost commented 8 years ago

as mentioned by @malgorithms before:

the problem is that it's not about keybase seeing your tweets, it's about everyone. What if Keybase servers are evil and claim you've tweeted something?

alexwwang commented 8 years ago

@dtiersch yes, I understand. Exactly; it's what I mentioned as other risks. It seems a paradox for those of us who locked our Twitter accounts to prove a Keybase account, unless Twitter modifies its privacy management.

sstjohn commented 8 years ago

Well, there are still public elements to private accounts. For example, if Keybase could verify an account based on a secret steganographically embedded into the profile image...

zQueal commented 8 years ago

if Keybase could verify an account based on a secret steganographically embedded into the profile image

This has been discussed at length and to my recollection has been widely received by the community. In my mind this works exactly the same as a text based proof which can be verified by anyone at any time and would include the ability to verify just about any type of account with a profile picture. Wondering what the devs think of it, though; @maxtaco @malgorithms

cjb commented 8 years ago

Has anyone calculated how many bytes of data you can put in the size/resolution you're given for your twitter profile photo, and whether you can put a Keybase signature in there without making the image look bad?

sstjohn commented 8 years ago

steghide info cover.jpg can give you the capacity for a cover file if you were to use steghide to embed the data. I was able to fit the PGP sig from my github gist into an image and pull it back out alright, but the embedded data doesn't seem to survive the round trip through my github profile. On second thought, I kinda wonder if they scrub images to prevent this sort of thing.

Brianetta commented 8 years ago

You don't need to steganographically hide the information, if you can place it in the clear in the metadata. Does Twitter allow this?

ramonvennik commented 8 years ago

or just put something like a QR code plain in sight

sstjohn commented 8 years ago

Twitter strips EXIF data from images (cf.). A QR code might work -- idk their capacity vs. the proportion of the image required -- but it would probably be pretty ugly.

plttn commented 8 years ago

http://stackoverflow.com/questions/11065415/how-much-data-information-can-we-save-in-a-qr-code

It looks like a 101x101 QR code can hold 3248 bits (408 bytes). I'm not sure how much a proof would require.

jsnipper commented 8 years ago

Got the same issue - guess I'll just go unverified on twitter for now

theminor commented 8 years ago

Another "vote" for this issue. I'd like to add my twitter account, but I don't want it to be public. Perhaps a solution would be for Keybase to have a twitter account that it uses to check verification. That account could request to follow users who are private and then be used to verify. I'd simply approve the Keybase verification account as a follower, and that account could then see my verification tweet.

cjb commented 8 years ago

@theminor as mentioned above, this doesn't work because it introduces trust in Keybase. Anyone should be able to verify your Twitter identity for themselves, not just by trusting Keybase's private server, which could lie about it to them.

Putting proofs in the bio field somehow might work, though.

ramonvennik commented 8 years ago

putting a url in your twitter bio field containing ...

starkythefox commented 8 years ago

Or asking Twitter to add the option of individual unprotected tweets in a protected account. Most likely it won't be added if the amount of people wanting that is very low, but...

alexwwang commented 8 years ago

I chose to unprotect my twitter account to let this verification through...

simonsigre commented 7 years ago

Much like everyone else here, I'm just +1 to the issue whereby a private Twitter account will not hold the verification.

cjb commented 7 years ago

To be clear, +1s don't help much here -- it's a fundamental design decision of Keybase that other Keybase users check your proofs, which they can't do if your account is hidden.

But if Twitter adds a way for private accounts to have a public post, we can revisit. Obviously Keybase doesn't have any control over whether Twitter decides to do that.

ramonvennik commented 7 years ago

As mentioned before, in protected Twitter accounts the profile page is always readable; check my http://twitter.com/ramonvennik

plttn commented 7 years ago

@yabbanoname: right, but the problem is the description isn't auditable to a time. You can't keep track of changes to the description.

ramonvennik commented 7 years ago

So, the public profile of a protected twitter account needs a public timeline ... 🤔

plttn commented 7 years ago

And as far as Twitter itself is concerned, if you're posting stuff with auditable times, why not just make it a public account?

ramonvennik commented 7 years ago

because not all I tweet is for all eyes

cjb commented 7 years ago

@plttn That's not actually the problem with using the public profile. For Hacker News accounts we use the bio area, and it doesn't have a modified time. The clients sign having seen your proof into their sigchain, which is what's actually used to track changes over time.

I think the problem with using the public profile is that hardly any "normal people" will want to have their Twitter bio or photo space taken over with jargon, so it's not a good use of time to work on a complicated feature that hardly anyone would use.
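cjb's two points above (anyone must be able to check a proof for themselves instead of trusting Keybase's server, and each client signs what it has seen into its own sigchain) modelled as a small Go program. This is an added illustration, not Keybase's code and not from this thread. The ProofStatement format, the posts map standing in for a public timeline, the keyFor seeds, the timestamp and the accounts in RunScenario are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ProofStatement is the claim a prover signs: KeybaseUser controls Account on Service.
type ProofStatement struct{ KeybaseUser, Service, Account string }
func (p ProofStatement) Bytes() []byte { return []byte(p.KeybaseUser + "|" + p.Service + "|" + p.Account) }

// Link is one entry of an observer's sigchain ("I saw this proof at SeenAt"), chained by Prev.
type Link struct {
	Prev      string // hex SHA-256 digest of the previous link; "" for the first
	Statement ProofStatement
	ProofSig  []byte // the prover's signature exactly as fetched from the public post
	SeenAt    int64
	Sig       []byte // the observer's own signature over linkDigest of this link
}

func linkDigest(l Link) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s|%s|%x|%d", l.Prev, l.Statement.Bytes(), l.ProofSig, l.SeenAt)
	return h.Sum(nil)
}

var ErrNotPublic = errors.New("proof is not publicly fetchable; nothing to verify independently")
var ErrBadProof = errors.New("fetched post does not carry a valid signature for this statement")

// VerifyProof is what every client does for itself: fetch the post and check the prover's signature
// with the prover's key. posts stands in for what anyone can fetch without logging in (constructed).
func VerifyProof(posts map[string][]byte, proverPub ed25519.PublicKey, st ProofStatement) ([]byte, error) {
	sig, ok := posts[st.Service+"/"+st.Account]
	if !ok {
		return nil, ErrNotPublic // a protected account's tweet is simply absent: no server claim helps
	}
	if !ed25519.Verify(proverPub, st.Bytes(), sig) {
		return nil, ErrBadProof
	}
	return sig, nil
}

// AppendLink signs a new link pointing at the last one and returns the extended chain.
func AppendLink(priv ed25519.PrivateKey, chain []Link, st ProofStatement, proofSig []byte, seenAt int64) []Link {
	prev := ""
	if n := len(chain); n > 0 {
		prev = hex.EncodeToString(linkDigest(chain[n-1]))
	}
	l := Link{Prev: prev, Statement: st, ProofSig: proofSig, SeenAt: seenAt}
	l.Sig = ed25519.Sign(priv, linkDigest(l))
	return append(chain, l)
}

// VerifyChain checks every signature and back-pointer; editing any old link breaks the chain.
func VerifyChain(pub ed25519.PublicKey, chain []Link) error {
	prev := ""
	for i, l := range chain {
		d := linkDigest(l)
		if l.Prev != prev || !ed25519.Verify(pub, d, l.Sig) {
			return fmt.Errorf("link %d: prev hash or signature does not check out", i+1)
		}
		prev = hex.EncodeToString(d)
	}
	return nil
}

// keyFor derives a deterministic key pair from a label (constructed; real clients use crypto/rand).
func keyFor(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed([]byte(fmt.Sprintf("%-32s", label))) // label padded to a 32-byte seed
	return priv.Public().(ed25519.PublicKey), priv
}

// ScenarioResult holds the outcomes of the thread's cases as produced by RunScenario.
type ScenarioResult struct{ PublicErr, PrivateErr, ImpostorErr, ChainErr, TamperErr error }

func RunScenario() ScenarioResult {
	alicePub, alicePriv := keyFor("alice")
	_, malloryPriv := keyFor("mallory")   // an impersonator's key
	obsPub, obsPriv := keyFor("observer") // the verifying client's own key
	public := ProofStatement{"alice", "twitter", "alice_public"}   // constructed, public account
	private := ProofStatement{"alice", "twitter", "alice_private"} // constructed, protected account
	fake := ProofStatement{"alice", "twitter", "mallory"}          // constructed impersonation attempt
	posts := map[string][]byte{ // Alice's private-account proof tweet exists but is not fetchable by anyone
		"twitter/alice_public": ed25519.Sign(alicePriv, public.Bytes()),
		"twitter/mallory":      ed25519.Sign(malloryPriv, fake.Bytes()), // signed by the wrong key
	}
	sig, publicErr := VerifyProof(posts, alicePub, public) // verifies without trusting any server
	_, privateErr := VerifyProof(posts, alicePub, private)
	_, impostorErr := VerifyProof(posts, alicePub, fake)
	chain := AppendLink(obsPriv, nil, public, sig, 1487857620) // constructed timestamp
	chainErr := VerifyChain(obsPub, chain)
	chain[0].SeenAt++ // alter the recorded observation after the fact
	return ScenarioResult{publicErr, privateErr, impostorErr, chainErr, VerifyChain(obsPub, chain)}
}
```

Call RunScenario() to see the cases side by side: the public-account proof verifies with nothing but the post and Alice's key; the protected-account proof returns ErrNotPublic because there is nothing a client can fetch, which is why a Keybase-operated follower bot would not help (the bot could see the tweet, every other client still could not); the impersonator's post fails the signature check; and bumping SeenAt on a link already in the chain breaks VerifyChain, which is the "tracks changes over time" property cjb describes.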

plttn commented 7 years ago

@cjb, ah. That makes more sense.

simonsigre commented 7 years ago

And it's not possible to 'friend' a Keybase worker Twitter account and have that be used to perform the audit, so as to have the private posts visible to them?

skwerlman commented 7 years ago

@simonsigre the proofs need to be publicly verifiable by anyone (not just keybase!). a private tweet is by definition not available to everyone, and so cannot be used.

simonsigre commented 7 years ago

Apologies. Thank you very much for clarifying.

theminor commented 7 years ago

Seems that the idea of embedding simple verification data in one's profile picture would work. What would be wrong with doing that?

Or the bio field, although that has more limited space, as has already been mentioned. I'd be in favor of either option.

A third idea would be a "bot" or some sort of simple add-on to your twitter account that auto-responds to DMs from anyone with the appropriate verification. That way anyone could verify the account at any time, since the "bot" would send an immediate response.

Lucky225 commented 6 years ago

I see a lot of +1s but no valid solution. Theminor got pretty close with a Twitter bot, but here's what I'm thinking. A bot on Twitter tied to Keybase that you FOLLOW. Upon receiving a follow, the Twitter bot follows back and you permit it to follow you. This way their API can verify the existence of your protected tweet and post the link to it, vouching for its existence and verification. Those that actually follow you and can see your protected tweets would then be able to verify the tweet, since they follow you and can see it.

plttn commented 6 years ago

That still doesn't solve the problem of an arbitrary person who doesn't know you being able to confirm that you're you on Twitter without trusting Keybase.

Lucky225 commented 6 years ago

It does if that arbitrary person is one of the people who follow you on Twitter, as they can click the link and see the proof, since they follow you, which is really the entire purpose of proving you are one and the same. If they don't follow you on Twitter, what's the point in proving your Twitter to them in the first place?

simonsigre commented 6 years ago

I think the only option that has been floated that might work is using the profile photo with an overlay ... but scraping and processing that would be a computational nightmare for Keybase servers. Beyond Twitter allowing a single public tweet, there is little that can be done (otherwise it would have been done).

A campaign needs to be started to ask Twitter to add an additional public field that can be used for validation / public key functionality, but such things are often abused and used for C&C :(

How about the website field? Link to your website validation file?

plttn commented 6 years ago

@Lucky225, but that doesn't solve it for someone who doesn't follow you and wants to make sure that the person they think is you is you before following.

Lucky225 commented 6 years ago

If they don't follow you then why do they care about your twitter verification? They don't KNOW YOU on twitter.

plttn commented 6 years ago

Currently I can verify anyone's proofs no matter our social connection.

Hypothetically speaking, imagine a case where the act of following someone could be bad information if you followed an account that was impersonating someone else.

Lucky225 commented 6 years ago

You could still verify someone by proxy, by Keybase acknowledging it's there, since the Keybase bot would have to follow you to see the proof. If you don't trust Keybase and don't want to follow the individual to verify yourself, then I don't see what the point is in wanting to know if it's their Twitter or not; it would make no difference, and lead you back to the status quo that already exists: you can't verify.

plttn commented 6 years ago

My understanding of the viewpoint of Keybase is that that's the tradeoff you have to make. You have to commit to allowing anyone to see your proofs; if you're not willing or able to make that commitment, then you can't prove a site.

theminor commented 6 years ago

How small can the verification string be? To verify a GitHub account, the string is like 40 characters (plus a lot of other data), but can it be much smaller? Maybe just adding the option to use the bio field would be enough; people could verify either via a public tweet or via the bio field. At least it would be an option. A URL counts as 23 characters, so using a URL (of any length) would be a loss of 23 characters from the bio field. If the validation could be accomplished in less than 23 characters, that would be preferable, but worst-case scenario you use a URL... This really ought to at least be an option for people without public profiles.

lourinaldi commented 6 years ago

👍 for verification via Twitter bio. Ideal solution given all the constraints.