Luca Filipozzi dijo [Fri, Apr 04, 2014 at 02:02:09PM +0000]: > FWIU, the client-side encryption is javascript provided by the service so > modifiable by the service at will and able to capture/transmit passphrase. > > DDs interested in this experimenting with this service are encouraged to NOT > upload the PGP private key that is registered in the Debian Keyring. > > If you sign up for the beta and receive an invitation, please consider > generating a new, independent PGP keypair for use with this service.
Right, I strongly agree with Luca here. To be clear, if I spot any key that's both in any of the Debian keyrings and in keybase.io, I will proceed as if the key had been lost or compromised and immediately remove it from our keyring. Not that I will be checking for it (for now, at least). Not that I have even talked about it within the team. But I strongly think it's one of the duties of us as keyring maintainers. (Cc:ing for a reality check ;-) )
signature.asc
Description: Digital signature
