![]() This is exactly 2fa: two devices sharing a secret? Normally your idp and your TOTP app/token share a secret, now two of your devices share a secret? > Technically, though, this is not a normal 2fa: the devices will share a secret with just each other. If you sign anything with a nacl sub-key, that can't be verified with gpg? It's not even clear if this will work off-line, when keybase is down, when keybase have revoked your account.? But it's unclear to me how this is an improvement for users. I'm not even sure what this feature is supposed to do?Īs best I can gather, this ties signing to keybase.io (which is anchored in a GPG-key). * NaCL is the new hotness, PGP is old and busted * NaCL is a small library and therefore is probably easier to incorporate into a variety of clients rather than the behemoth that is GPG/libgcrypt. * ECC is generally considered more future-proof than RSA That was probably the most important motivation for Keybase to use them. Imagine how bad it would be if you had to encode 4096 bits instead of just 256! They are probably generating this (Diceware-esque) string by splitting the 256-bit key into n-bit segments, using each n-bit segment as an index into an array of words, and then joining the words to form a "sentence" that encodes the value of the key.ġ4 words is already pretty unwieldy, as they acknowledge in the blog post. "death punch correct staple battery horse clearly cherry picked words yeah moo car lisp" The "Paper keys" section of the blog post discusses this at length, and shows an example of a Paper Key: While their ideal workflow is to communicate keys by scanning QR codes, they currently need an alternative workflow to communicate keys between desktops (and will always need an alternative for users who can't scan QR codes for whatever reason). Critically, they are much smaller and therefore easier to communicate between people/devices. The most important benefit is probably that NaCL keys are 256-bit keys based on ECC (specifically, Curve25519), which means these keys are stronger, faster, and actually more secure than the strongest keys commonly used in PGP (4096-bit RSA keys). ![]() Google Play store does not have Keybase any more and the download link from keybase.io is invalid as well.I didn't design this so I can't say for certain, but from reading their post there are a couple of benefits that NaCL confers over PGP for generating per-device keys. Keybase Android app banned from Google Play? A typical workflow resembles the above process flow, along with leveraging tools such as Keybase for the automatic encryption of credentials and keypairs, supported by IaC frameworks like Terraform. ![]() ![]() īootstrapping a Secure AWS as-Code Environment - Your MVS ChecklistĪpart from user creation, you should also automate identity federation and secret provisioning to ensure a comprehensive user creation cycle. It has the best security and identity model IMHO. Potential customers could already put a LinkTree URL + QR code on a business card the website. The role of "one link" to a page with links to accounts/profiles on other sites seems well-served by existing sites including LinkTree and KeyBase. Ĭalling these "Smart Cards" is misleading, as that is a very well-established term for something else (cards containing an embedded IC used for authorization). I personal use Beancount and Fava () with Git versioning on Keybase (encrypted server side). In light of the Pocketbook closure, I made a little table for all the apps I've usedĪnother one for people to consider is plaintext accounting (), not as pretty as some and requires CSV import.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |