keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

You can put website accounts you never owned in sigchain #2699

Open Lurker69 opened 7 years ago

Lurker69 commented 7 years ago

When I created my keybase.io account I played with it a bit, trying how things work and how it checks your claims... When I tried to claim a hackernews account from a complete stranger with the curl/GPG/bash method, the account was added to my sigchain even though I never confirmed I own it with a post in the hackernews profile. Here is the sigchain: https://keybase.io/lurker69/sigchain First I claimed (via curl/GPG/bash) 2. zsiciars but never confirmed it. Later I claimed 3. Residue and confirmed it. Later I did the same for 5. lurker69. If you look at the sigchain, both the 2. and 3. claim signatures look the same; a visitor might assume that at one point I controlled both of those accounts, but I didn't. (This could be exploited to convince an inexperienced visitor that you controlled an account you never did.) I didn't check my sigchain before I confirmed the 5. lurker69 hackernews account, so I don't know if 2. zsiciars was in the sigchain before I confirmed it or it appeared only after confirming 3. Residue. I can do more tests if you wish. If you check signature point 5, it states that it revoked signature point 3. And you don't see the same revoking message at signature point 3 regarding revocation of point 2. Is this an indication that signature point 2 was never confirmed?

I would suggest that you don't include unconfirmed website account signature points in the sigchain at all. Or, if that is not possible, that you put a notation next to them noting whether they were confirmed or not.

Lurker69 commented 7 years ago

Nobody cares about this? I am tempted to insert some Stallman accounts in my sigchain.

Also I have another question. Does "reset my keys & start from scratch" delete your sigchain? I guess it doesn't, so there is no way to fix a bit messy sigchain you might create by fiddling around. If you delete the account it says that you can't create a new one with the same name.

maxtaco commented 7 years ago

Your proposal would involve a fair amount of server trust, which we try to shy away from. The way things work, users and clients can post what they want to their sigchains (as long as the signatures are well-formed), but other clients double-check resolutions. This way clients can catch the server if it's compromised or lying.

On Wed, Dec 21, 2016 at 7:22 PM, Lurker69 notifications@github.com wrote:

Nobody cares about this? I am tempted to insert some Stallman accounts in my sigchain.

Also I have another question. Does "reset my keys & start from scratch" deletes your sigchain? I guess it doesnt, so there is no way to fix a bit messy sigchain you might create by fiddling around. If you delete account it says that you cant create new one with same name.


Lurker69 commented 7 years ago

If other clients double-check resolutions... how is it possible that I have

---claimed ownership of hacker news account zsiciars---

in https://keybase.io/lurker69/sigchain ? I never confirmed the zsiciars account since I never owned it. I just sent a signed request for claiming to the server. Shouldn't other clients be able to find out that this was not confirmed but only claimed? Did this happen because soon after that I signed a request for the Residue account (which is mine) and confirmed it? So other clients just checked the last claimed account and trusted that all previous revoked ones were also fine?

The only thing that bothers me is that there is no visible difference between revoked ownerships that were confirmed and revoked ownerships that were not confirmed at all.
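The two points raised in this thread, that clients rather than the server must resolve each proof (maxtaco's comment), and that a revoked link which never resolved should not be displayed the same way as one that did (the question just above), can be illustrated with a small client-side chain walker. The code below is an added example written for this page; it is not Keybase's client code and does not use Keybase's real link format. It assumes a simplified `Link` structure, a `Resolver` stand-in for the live fetch of the remote proof, and a constructed chain shaped like the one in the issue (seqno 2 never owned, 3 and 5 owned). The model also assumes the client resolves each binding at the moment it first sees the link and keeps that verdict, which is what lets a later supersession or revoke be labelled "never verified" versus "previously verified".

```go
package main

import "fmt"

// ProofState is this client's own verdict on a proof link; it never takes the server's word for it.
type ProofState int

const (
	Claimed           ProofState = iota // in the chain, but this client never saw the proof resolve
	Verified                            // this client fetched the remote proof and it checked out
	RevokedUnverified                   // superseded or revoked without ever having been verified
	RevokedVerified                     // superseded or revoked after a successful verification
)

func (s ProofState) String() string {
	return [...]string{"claimed (never verified by this client)", "verified",
		"revoked, never verified", "revoked, previously verified"}[s]
}

// Link is a deliberately simplified sigchain entry (constructed for this example, not
// Keybase's real link format): a service binding or an explicit revoke of an earlier seqno.
type Link struct {
	Seqno   int
	Type    string // "binding" or "revoke"
	Service string // e.g. "hackernews"
	Name    string // account name claimed on that service
	Revokes int    // for "revoke" links: the seqno being revoked
}

// Resolver stands in for the remote check a real client performs (fetch the profile,
// find the signed statement). Here it is a plain function so the example runs offline.
type Resolver func(service, name string) bool

// Record is the client's verdict on one binding link.
type Record struct {
	Link  Link
	State ProofState
}

// WalkChain replays the chain in order. Each binding is resolved by the client itself when
// it is seen; a later binding for the same service supersedes the earlier active one, and an
// explicit revoke retires its target. Retiring preserves whether the link had ever verified.
func WalkChain(links []Link, resolve Resolver) (map[int]*Record, error) {
	records := map[int]*Record{}
	active := map[string]int{} // service -> seqno of the currently active binding

	retire := func(seqno, by int) error {
		r, ok := records[seqno]
		if !ok {
			return fmt.Errorf("link %d refers to unknown seqno %d", by, seqno)
		}
		switch r.State {
		case Verified:
			r.State = RevokedVerified
		case Claimed:
			r.State = RevokedUnverified
		default:
			return fmt.Errorf("link %d retires seqno %d, which is already retired", by, seqno)
		}
		return nil
	}

	for _, l := range links {
		switch l.Type {
		case "binding":
			if prev, ok := active[l.Service]; ok {
				if err := retire(prev, l.Seqno); err != nil {
					return nil, err
				}
			}
			st := Claimed
			if resolve(l.Service, l.Name) {
				st = Verified
			}
			records[l.Seqno] = &Record{Link: l, State: st}
			active[l.Service] = l.Seqno
		case "revoke":
			if err := retire(l.Revokes, l.Seqno); err != nil {
				return nil, err
			}
			if svc := records[l.Revokes].Link.Service; active[svc] == l.Revokes {
				delete(active, svc) // the revoked link was the active one for its service
			}
		default:
			return nil, fmt.Errorf("link %d: unknown type %q", l.Seqno, l.Type)
		}
	}
	return records, nil
}

// Render produces display lines in which a revoked binding that never verified
// is visibly different from one that did.
func Render(records map[int]*Record, order []int) []string {
	out := make([]string, 0, len(order))
	for _, seq := range order {
		r := records[seq]
		out = append(out, fmt.Sprintf("%d. %s:%s -> %s", seq, r.Link.Service, r.Link.Name, r.State))
	}
	return out
}

// ExampleChain is constructed data shaped like the chain in the issue.
func ExampleChain() []Link {
	return []Link{
		{Seqno: 2, Type: "binding", Service: "hackernews", Name: "zsiciars"},
		{Seqno: 3, Type: "binding", Service: "hackernews", Name: "Residue"},
		{Seqno: 5, Type: "binding", Service: "hackernews", Name: "lurker69"},
	}
}

// ExampleResolver is a constructed stand-in that only "finds" proofs for the two accounts
// the issue author actually posted on.
func ExampleResolver(service, name string) bool {
	return service == "hackernews" && (name == "Residue" || name == "lurker69")
}

func main() {
	recs, err := WalkChain(ExampleChain(), ExampleResolver)
	if err != nil {
		panic(err)
	}
	for _, line := range Render(recs, []int{2, 3, 5}) {
		fmt.Println(line)
	}
}
```

Run as-is, seqno 2 renders as "revoked, never verified", seqno 3 as "revoked, previously verified" and seqno 5 as "verified". The verdicts come from the client's own `Resolver` calls, so a compromised or lying server that inserts a well-formed but unproven binding cannot make it display as verified; the cost is that the client must record its verdict when it first sees a link, because a superseded proof can no longer be re-fetched later.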