what is it?

[StefanKarpinski]

I'm intrigued by this project since we're looking for some solution to verifying identity for @JuliaLang's package manager. However, even though there is a "what is it?" section on the keys.pub website, I can't seem to find the answer to that question anywhere. There is a list of features, but no actual statement of what it is. Is it a server? Is it a service? Is it a client? How does it work? There's also a section for that but I find myself similarly unenlightened. That section is another list of features. I know these answers are probably so obvious to people who work on the project that it doesn't even occur to you to explain it, it would be great for people like me who come here and have no clue.

[shrink]

As a cryptography layperson with an end-user's relationship to public-key cryptography, the most important aspect of keys.pub that differentiates it from my historic understanding of public-key cryptography (which was heavily influenced by PGP) is the association between a key and an online identity. As an end-user, it was drilled into me that the foundation of PGP is a long-life protect-at-all-costs master key that is used to both identify me and for encryption, whereas keys.pub delegates identity to external services (like GitHub, Twitter and Reddit) and uses keys just for encryption.

Essentially, while keys.pub is many things (a pleasant-to-use cryptography client) the differentiator for a layperson like me (vs. GPG Suite) is the difference between GPG's web of trust model and the keys.pub broadcast model (popularised by keybase(?)). I would suggest that any "what is it?" description aimed at laypeople emphasises this difference, because most people coming into a tool like this will likely have some understanding of public-key cryptography and it will likely have been shaped by PGP.

Alternatives to PGP on cryptologie.net has helpful language that may be a good reference point:

To obtain public keys, the web of trust (signing other people keys) hasn't been proven to really scale, instead we are now in a different key distribution model where people broadcast their public keys on various social networks in order to instill their identity to a specific public key. I don't think there's a name for it... but I like to call it broadcast of trust.

[qgustavor]

Maybe the current website is too focused on developers and cryptography enthusiasts: most functions are only available on the client and on the API. Of course, using a client is better as it's easier to be trusted than the server, but I think there could be a balance between "it's too secure you don't need to trust the server" and "it's easy to use".

At least functions that don't touch secretive data could work, like user search, public key encryption and signature verification. Saltpack doesn't allow clear signatures because data can be mangled, but there are few websites that open Saltpack signed messages, so even someone that don't care if the server needs to be trusted or not, is often required to download some client to decode it. node-saltpack doesn't even support signed messages (but @samuelthomas2774/saltpack does).

Usability is good: in "Even the Inventor of PGP Doesn't Use PGP" there is "PGP has never taken off among non-techies because it's inherently hard to use". Something that could make Saltpack less hard to use would be allowing to decode signatures in the website. This website does something like that, but using Keybase client on a Lambda. I could implement so that it decodes the message on the browser (using samuelthomas2774's Saltpack), verifies the signature and shows info about the user if the public key is registered on keys.pub. Would be better if the API supported CORS: Keybase API supports, but it doesn't allow searching users per key unlike keys.pub. Unlike the Lambda implementation the server would know only the public key (unless someone edits the code to leak the data), so is more secure, still less secure than the client, so would be nice to something like "For better security, download the app".

(To be fair many non tech savvy users may not install the app because, as it's not popular, SmartScreen flags it.)

[StefanKarpinski]

Still don't really know what it is 😬

[shrink]

@StefanKarpinski keys.pub is a client that uses proof posted on social media profiles to associate a public key with an online identity, and provides a bunch of helpful easy-to-use tools for working with those keys. For example, you could create a key within the keys.pub service and associate it with your GitHub profile, which means other users can search for your key and trust that there is a relationship between the key and your GitHub profile.

For example, I have created the key kex16fujyxrsskjuup2mtgtfx6hpwmc6njfup6wayp4drsw6phm9t7gq8cp9sx which is associated with this @shrink GitHub account. I can then use this key to sign and encrypt, and in turn any user can go into the keys.pub application and search shrink@github to find my key, which they can then use to interact with my signed messages or send a message just for me.

Here's a few screenshots:

Searching for shrink@github to find my key:

Viewing my key metadata, including where you can verify the proof:

Me signing a message with my shrink@github key:

Verifying the message I signed against the shrink@github key -- you can test this yourself by pasting the following message in:

BEGIN SALTPACK SIGNED MESSAGE. kXR7VktZdyH7rvq v5weRa0zkUf52xU VqYs6wqPVVEYUrS nwoGbWwmWOyT9Pa qUcFHYSjbgnLDlZ 9kvKEmJe892I0zT 7fE6biOhfv5ko3y VryS69mDe7xmAzI vRjrgrZ6DDkqafW 7YjOtoOysyCo4KB 3ebZC6v69S5OVJb W8T09IucfZiV9x1 OiLL2N1L3brTI7A 1K5p0fbkVP4tMsF iPrBACCkXxc1xF0 QYjtG0kgwfPoM. END SALTPACK SIGNED MESSAGE.

Does that help?

[StefanKarpinski]

That does help. Seems like this verbatim explanation would be an excellent addition to the docs.

[gabriel]

Yeah I think these are great suggestions. The documentation is very geared toward the technical, which was sort of purposeful, in that I wasn’t sure it was ready for widespread adoption. So that could be way better. Also having some of the functionality available as you mentioned via the website (search especially) would be good. But I’m not full time on this project so progress might be slow. Thanks for the discussion!

…

On Tue, Apr 13, 2021 at 9:33 AM Stefan Karpinski ***@***.***> wrote: That does help. Seems like this verbatim explanation would be an excellent addition to the docs. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#157 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAU3MRFWM4SKYWQ76ONODTIRW55ANCNFSM42JN6TPQ> .