by Angostura 3192 days ago
> In order to give everyone confidence that the people shown in the Keybase are who they say they are, Keybase encourages users to attest to their identity cryptographically on social media. Keybase is its own social network, but it’s not one for sharing pictures of food or sad status updates. It’s a place for Mary to say “This really is Bill” and for Bill to say “this really is Mary.” With enough attestations like that, it becomes really hard for people to pose as someone they are not.

Doesn’t this sound like a nightmare in terms of social engineering attacks?

2 comments

The quote from the article is the writer jumping through some creative contortion to try to explain the keybase prove [1] feature to a layperson.

The idea is to prove control of some social identity; then correspondingly, others on Keybase will have increasing confidence that the person in question who has proven a few third-party accounts is indeed the same person. This doesn't mean that that person is actually-actually George Washington (which is a much more difficult problem to solve), just that the person who purports to be George Washington on Keybase does indeed control some accounts on Facebook, Twitter, etc., so if you would have vested some trust into their Facebook identity, you can vest at least equivalent trust into their corresponding Keybase identity.

[1] https://keybase.io/docs/command_line

If your social account (Twitter/..) gets taken over, you'll have to publish a new proof on it, which will then need to be attested by multiple people, before it becomes trustworthy anywhere.

Right. Plus your KB identity will still have all of your other online identities vouching for it. So an attacker would need to commandeer a large fraction of your accounts in order to get people to trust the fraud.