howderek opened this issue 7 years ago (status: Open)
FWIW: I imagine the reason is that just putting a public key also implies that you own the Keybase account. If you could prove identity by adding a public key, in theory you could add the public key D3446965B4615930 to your Facebook account, and you could attach your profile to my Keybase account.
By making it a signed statement, it proves both ends of the ownership chain, and the PGP key field I imagine doesn't support arbitrary statements.
IIRC Facebook verifies that you are able to decrypt using that key, although that may only be for notification purposes.
Yeah, making a public post with the obnoxious Keybase link embed is annoying when you don't make many posts and, of course, can't delete it.
Like I said above, you have to have a signed blob that connects both ways. Just putting your Keybase key into the PGP field wouldn't connect both ways.
Yeah but couldn't you sign a comment in the PGP public key? Self-signing is specifically for this.
I don't know which field in the key you're specifically referencing, but you'd have to have ~1300 characters in that field which I don't think exists.
Functionally there has to be a post for the sigchain to work properly, as then the timestamp on the post will match the timestamp of the sigchain node, and removing the post makes it obvious that it's failed and there's a specific link that's dead.
Ask Facebook to make it connect both ways 🤔
I put the link that is my current Facebook keybase proof in the comment section of my public key and it seems like everything is working. I'm not super strong on crypto so I'm not sure if I can respond to what you're saying about the timestamp, but it seems to me that all the information that is currently on my Facebook proof post (this link) could exist in this section of the security settings solely in the key instead.
Well, if you remove the post then there is no longer a permalink to the comment and that section doesn't do much.
Basically there's a few pre-existing conditions for a Keybase proof to make sense.

a. Easily independent verification of proof
b. Two way authentication (CIA triad) which is not authentication in the sense of logging in, but "I am who I am"
c. Proofs exist at a given time
So a. isn't really that big of a deal, but it's convenient from keybase.io to just be able to link to the specific post on Facebook that affirms the link.
B isn't handled so much by putting something in the PGP key block field. The best example of this two way authentication is in Github proofs. https://gist.github.com/plttn/9abaab3b1162a1dec326 You'll note that it asserts I own plttn@keybase and is able to do so by signing a message using my Keybase account key, as well as owning plttn@github by me posting something on that account. If it's changed to using the key field on Facebook, the level of two way authentication is smaller (as well as potentially causing anyone who uses GnuPG for key management to barf on importing your key because of 1300 characters of comment).
I can definitely see how this is annoying, but I don't foresee Keybase changing this behavior for FB proofs anytime soon, especially since all other proofs post something that is more or less timestamped by the network they're being posted on (apart from web proofs).
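The two-way check described in the comment above (a statement signed by the Keybase-side key, posted on the claimed remote account, with the post's timestamp matching the sigchain link) as an added example in Go; this is illustrative code written for this thread, not Keybase's own implementation. It assumes an Ed25519 key standing in for the Keybase account key, an invented statement format, and an in-memory map standing in for the remote network's posts.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// Statement is what the Keybase account key signs: it names both ends of the chain
// (keybase user and remote account) and carries the sigchain link's unix timestamp.
type Statement struct{ KeybaseUser, Service, RemoteUser string; SigchainTS int64 }

func (s Statement) Text() string {
	return fmt.Sprintf("I am %s on keybase.io and %s on %s (sigchain ts %d)", s.KeybaseUser, s.RemoteUser, s.Service, s.SigchainTS)
}

// Post is what the remote network stores: author, the network's own timestamp and the
// pasted blob "<statement>|<base64 signature>". Service maps permalinks to posts (constructed stand-in).
type Post struct{ Author string; Posted int64; Blob string }
type Service map[string]Post

// Publish builds the blob the user pastes into a public post on the service.
func Publish(priv ed25519.PrivateKey, st Statement) string {
	return st.Text() + "|" + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(st.Text())))
}

// Verify checks both directions: the blob was signed by the Keybase key (keybase -> remote)
// and sits on the claimed account (remote -> keybase), timestamped close to the sigchain link.
func Verify(pub ed25519.PublicKey, svc Service, link string, st Statement, tol time.Duration) error {
	post, ok := svc[link]
	if !ok {
		return fmt.Errorf("proof post is gone: dead permalink %q", link)
	}
	if post.Author != st.RemoteUser {
		return fmt.Errorf("post is on %q, not the claimed account %q", post.Author, st.RemoteUser)
	}
	text, b64, found := strings.Cut(post.Blob, "|")
	sig, err := base64.StdEncoding.DecodeString(b64)
	if !found || text != st.Text() || err != nil || !ed25519.Verify(pub, []byte(text), sig) {
		return fmt.Errorf("blob at %q is not this statement signed by the Keybase account key", link)
	}
	if skew := time.Duration(post.Posted-st.SigchainTS) * time.Second; skew < -tol || skew > tol {
		return fmt.Errorf("post timestamp is %v away from the sigchain link", skew)
	}
	return nil
}
```

Copying a valid blob onto a different account fails the `Author` check, which is the hijack the first reply in this thread worries about, and deleting the post turns the permalink into a dead link rather than a silent pass.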
I gotcha, I see how that could be problematic. Thanks for the clarification!
Facebook has a place to put your public key. Why doesn't Keybase use that to prove identity instead of a post?