On Fri, Apr 04, 2014 at 08:15:10PM -0400, Paul Tagliamonte wrote:
> On Sat, Apr 05, 2014 at 12:57:50AM +0100, Jonathan McDowell wrote:
> > 2 separate points to make here (as well as the general point Russ and
> > Paul have followed up with about what do we trust in general running on
> > the same m
On Fri, Apr 04, 2014 at 08:56:50PM -0600, Gunnar Wolf wrote:
> Right. However, I guess that most uses of the app (other than sending
> a message saying "yes I'm here, this is me") will require pasting the
> key. Or not? Keybase users, please enlighten me: What do you do with
> it besides just exist
Russ Allbery said [Fri, Apr 04, 2014 at 04:23:03PM -0700]:
> > Well, please enlighten me here: Without fully auditing the Javascript
> > code you are using to do the crypto client-side, can you *really* be
> > certain your private half has not travelled to Keybase?
>
> If Javascript running in a b
On Sat, Apr 05, 2014 at 12:57:50AM +0100, Jonathan McDowell wrote:
> 2 separate points to make here (as well as the general point Russ and
> Paul have followed up with about what do we trust in general running on
> the same machine as your GPG key).
Sorry, I wrote that from my phone. My point was
[I trimmed the To down to -project because I think everyone on the CC is
reading that; I certainly am so no need to explicitly CC me.]
On Fri, Apr 04, 2014 at 05:18:13PM -0600, Gunnar Wolf wrote:
> Jonathan McDowell said [Fri, Apr 04, 2014 at 10:35:41PM +0100]:
> > > > To be clear, if I spot any
+1 russ.
This is true of the dropbox daemon too. Are we to throw out DDs with
dropboxd installed? Wine?
On Apr 4, 2014 7:23 PM, "Russ Allbery" wrote:
> Gunnar Wolf writes:
>
> > Urgh...
>
> > Well, please enlighten me here: Without fully auditing the Javascript
> > code you are using to do the
Gunnar Wolf writes:
> Urgh...
> Well, please enlighten me here: Without fully auditing the Javascript
> code you are using to do the crypto client-side, can you *really* be
> certain your private half has not travelled to Keybase?
If Javascript running in a browser has access to your GPG secret
Jonathan McDowell said [Fri, Apr 04, 2014 at 10:35:41PM +0100]:
> > > To be clear, if I spot any key
> > > that's both in any of the Debian keyrings and in keybase.io, I will
> > > proceed as if the key had been lost or compromised and immediately
> > > remove it from our keyring.
> >
> > No, sorr
On Fri, Apr 04, 2014 at 05:26:40PM -0400, Paul Tagliamonte wrote:
> On Fri, Apr 04, 2014 at 03:24:27PM -0600, Gunnar Wolf wrote:
> > Right, I strongly agree with Luca here.
>
> I do too
Likewise.
> > To be clear, if I spot any key
> > that's both in any of the Debian keyrings and in keybase.io,
Jonathan Dowland said [Fri, Apr 04, 2014 at 02:50:01PM +0100]:
> keybase.io is a thing. This thing lets you, amongst other things, upload a
> copy of your PGP private key to their servers. This is client-side encrypted.
>
> Discuss.
As this thread was started at debian-private, I sent some of
On Fri, Apr 04, 2014 at 03:24:27PM -0600, Gunnar Wolf wrote:
> Right, I strongly agree with Luca here.
I do too
> To be clear, if I spot any key
> that's both in any of the Debian keyrings and in keybase.io, I will
> proceed as if the key had been lost or compromised and immediately
> remove it f
Luca Filipozzi said [Fri, Apr 04, 2014 at 02:02:09PM +]:
> FWIU, the client-side encryption is javascript provided by the service so
> modifiable by the service at will and able to capture/transmit passphrase.
>
> DDs interested in experimenting with this service are encouraged to NOT
> u
On Friday, 04.04.2014, at 16:33 +0200, Tobias Frost wrote:
>
> Also, some reading suggestion:
> https://github.com/keybase/keybase-issues/issues/489
Sorry, just realized I pasted the wrong link.
I meant this one:
http://blog.lrdesign.com/2014/03/thoughts-on-keybase-io/
--
To UNSUBSCRI
On Fri, Apr 04, 2014 at 04:33:18PM +0200, Tobias Frost wrote:
> Well, this "thing" raises several red flags just by reading "upload ...
> private key". This alone smells very wrong, because I'm of the opinion a
> private key must never leave my (trusted) system
More than that, it's good practice to
On Friday, 04.04.2014, at 14:50 +0100, Jonathan Dowland wrote:
> keybase.io is a thing. This thing lets you, amongst other things, upload a
> copy of your PGP private key to their servers. This is client-side encrypted.
>
> Discuss.
Well, this "thing" raises several red flags just by readin
On Fri, Apr 04, 2014 at 02:50:01PM +0100, Jonathan Dowland wrote:
> keybase.io is a thing. This thing lets you, amongst other things, upload a
> copy of your PGP private key to their servers. This is client-side encrypted.
>
> Discuss.
FWIU, the client-side encryption is javascript provided by th
keybase.io is a thing. This thing lets you, amongst other things, upload a copy
of your PGP private key to their servers. This is client-side encrypted.
Discuss.
--
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@list