undefined | Better HN

0 pointseadmund6y ago0 comments

> On my HN profile itself you can find my signatures on Keybase.

… or your HN account could just link straight to your Twitter account. I don't get what Keybase adds here.

0 comments

If you have an account on N different sites, and you want to let people identify you between each of those, linking directly requires (N-1) links per profile, or N*(N-1) links total. When you create a new profile elsewhere, you need to update your profile on each of the N original sites, plus add N links in your profile at the new site.

Or you could collect all of your identities into a Keybase profile, which all of your other profiles link to. That's a lot less to manage. Plus, proving your identity at some site (usually) has the byproduct of pointing back at your Keybase profile, so even if you come at this just from a "less work for me" angle, you're getting verifiability for free.

WA6y ago

Or you could collect all of your identities in one other central place (say your website or HN) and link to the central place from all other profiles. Because that is exactly the scenario you just mentioned. Having direct links to all other profiles isn't solved by keybase. The only thing it provides is a central place for profile links – and there are obviously other ways to achieve this.

bloopernova6y ago

Sure, but if you look at how Keybase is verifying the information and how it is presenting that trust to external users, I feel that the value they are providing has increased greatly over a static page listing social network IDs.

Take a look at https://keybase.io/anthonyclarka2/sigchain

You can see a whole bunch of extra crypto is being used to verify the information.

eridius6y ago

If someone hacks your HN account they could redirect the Twitter link elsewhere. If the only 2 accounts you have are HN and Twitter then Keybase doesn't solve that problem, but if you have more accounts elsewhere that are well-known, those extra accounts then prove that the HN<->Twitter connection is valid.

chrisdirkis6y ago

If everything links to everything, that's an n^2 problem (and hard to coordinate actors to do). If everything just links to one service, that's n or 2n at most.

Also, I can write the name of any twitter account in my HN profile. I can only link _my_ twitter account to a keybase account I own.

Spivak6y ago

Right, but if your Twitter account links to your HN account then you've proven ownership both ways. If you don't want the n^2 problem then just have a list of all your accounts on one site and link there. Say, for example, your Mastadon account.

Nadya6y ago

I solved that problem that way too: https://nadyanay.me/identities.html

It comes with some issues, namely that I suck at keeping it up to date and that not all identities I would like to list there have a way for me to provide proof beyond my word alone. For most use cases and attack vectors I consider this sufficient enough. Now this is outside most peoples' threat models, but Keybase also provides some mitigation against some other scenarios.

1) If nadyanay.me becomes compromised the imposter could update /identities.html with a new and fake list and I would need to update my link everywhere it is used or I would be pointing people to the imposter list. I have more faith in both (a) Keybase is less likely to be compromised and (b) in the event Keybase has become compromised someone will notice. Nobody would notice if my personal site was compromised, as even my closest friends don't regularly browse my website. It could honestly take weeks or even months to discover the file had been changed.

2) A person who compromises my account(s) must also have access to my private key in order to sign messages in my name. This is important because even if any of my accounts is compromised they're still unable to prove they are me if asked. This is something I actively practice with a few online friends of mine. We pretty regularly lend large sums of (virtual) game cash to one another worth in the range of $10,000-$15,000 USD if RWT'd. The last thing either of us would want is an imposter asking to borrow some money in-game from them and selling it off and so anytime we ask to borrow some in-game cash we ask to see a signed message. I admit that's the primary reason behind most of my signed messages...

3) Any attempts at creating a new key will allow users to see that my key has been revoked and replaced. Users who had signed my old key would need to re-verify with me that my new key is valid. Social engineering and people's casual use cases means the imposter would just claim to be me and most people would believe them. Few would bother verifying but it at least provides an additional opportunity for the imposter to be outed.

j / k navigate · click thread line to collapse