by Leace 2238 days ago
> Personally keybase is the only project that may provide some form of alternative, but they do so by supporting pgp.

Why keybase? Reading their crypto page (https://keybase.io/blog/crypto) leaves the impression that they took PGP and embrace-extend-extinguished it...

I'm not endorsing keybase, in fact I have much of the same criticisms as you probably do.

The fact is, unlike many PGP replacements, most don't attempt to solve similar ideas as the "web of trust". For those that I know do, the cryptocurrency/token ones don't even consider backwards compatibility. As far as I know keybase are the only ones that embrace PGP and are therefore backwards compatible with git, fossil, etc.'s commit signing.

It may be ignorance but I don't see linux, git or any other software project that "needs" both version control and verifiable commits moving from PGP signing to something else, but rather PGP signing dying out with the rise of git platforms like github, gitlab, etc. If you squint you can see that keybase provides some form of alternative.

To be honest even PGP signing has some issues: it's not clear what it means to sign a commit and there is plenty of misuse of that (see [0]; `git push --signed` solves some of these issues).

The git patch workflow doesn't support signed commits, and some kernel devs are exploring alternative ways of signing [1].

[0]: https://mikegerwitz.com/2012/05/a-git-horror-story-repositor...

[1]: https://people.kernel.org/monsieuricon/introducing-b4-and-pa...
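To make the "what does it mean to sign a commit" question concrete, here is an added example (not code from the thread, the linked articles, or git itself) that builds a commit object the way git serialises it, attaches a placeholder `gpgsig` header, and shows two facts a practitioner should keep straight: the object id hashes the whole object including the `gpgsig` header, while the OpenPGP signature is verified against the object with that header stripped; and the signed payload names only the tree, the parents, the author/committer lines and the message, so a signature on a merge or tip commit vouches for a history by hash, not for who wrote each earlier commit. The tree hash is the well-known empty-tree id; the parent id, identities, timestamps and signature bytes are constructed placeholders.

```python
from __future__ import annotations

import hashlib

# Constructed example commit (not from any real repository). The tree id is
# git's empty-tree hash; the parent id, identity and timestamp are made up.
UNSIGNED_COMMIT = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"parent 0123456789abcdef0123456789abcdef01234567\n"
    b"author Example Dev <dev@example.invalid> 1580000000 +0000\n"
    b"committer Example Dev <dev@example.invalid> 1580000000 +0000\n"
    b"\n"
    b"Add input validation\n"
)

# Placeholder armored signature (made-up bytes). Only the layout matters here:
# git folds it into one multi-line `gpgsig` header whose continuation lines
# start with a single space.
FAKE_SIGNATURE = (
    b"-----BEGIN PGP SIGNATURE-----\n"
    b"\n"
    b"iQEzBAABCAAdFiEEexampleexampleexampleexampleexample\n"
    b"=AbCd\n"
    b"-----END PGP SIGNATURE-----\n"
)


def add_gpgsig(commit: bytes, signature: bytes) -> bytes:
    """Insert a gpgsig header after the other headers, as `git commit -S` does."""
    headers, _, message = commit.partition(b"\n\n")
    sig_lines = signature.rstrip(b"\n").split(b"\n")
    gpgsig = b"gpgsig " + b"\n ".join(sig_lines) + b"\n"
    return headers + b"\n" + gpgsig + b"\n" + message


def split_gpgsig(commit: bytes) -> tuple[bytes, bytes | None]:
    """Return (payload, signature).

    payload is what the OpenPGP signature is verified against: the commit
    object with the gpgsig header (and its continuation lines) removed.
    """
    headers, sep, message = commit.partition(b"\n\n")
    kept, sig_lines, in_sig = [], [], False
    for line in headers.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig_lines.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):
            sig_lines.append(line[1:])
        else:
            in_sig = False
            kept.append(line)
    payload = b"\n".join(kept) + sep + message
    signature = b"\n".join(sig_lines) + b"\n" if sig_lines else None
    return payload, signature


def commit_id(commit: bytes) -> str:
    """Object id exactly as git computes it: sha1('commit <len>\\0' + body)."""
    return hashlib.sha1(b"commit %d\0" % len(commit) + commit).hexdigest()


def covered_fields(payload: bytes) -> dict:
    """The facts a commit signature actually attests to: the header fields
    and the message. Note the absence of any per-file content or of the
    earlier commits themselves; history is bound only through parent ids."""
    headers, _, message = payload.partition(b"\n\n")
    fields: dict = {"parents": []}
    for line in headers.split(b"\n"):
        key, _, value = line.partition(b" ")
        if key == b"parent":
            fields["parents"].append(value.decode())
        else:
            fields[key.decode()] = value.decode()
    fields["message"] = message.decode()
    return fields


if __name__ == "__main__":
    signed = add_gpgsig(UNSIGNED_COMMIT, FAKE_SIGNATURE)
    payload, sig = split_gpgsig(signed)
    print("object id of signed commit:  ", commit_id(signed))
    print("object id of unsigned commit:", commit_id(UNSIGNED_COMMIT))
    print("signature is checked against:", covered_fields(payload))
```

Two consequences follow directly from the payload layout: rewriting any ancestor changes a parent id and therefore invalidates the signature on everything downstream, which is the property `git verify-commit` on a tip relies on; but a valid signature on a merge commit says nothing about who authored the merged commits, so a policy that checks only the tip signature is the misuse the linked "horror story" describes.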

By "keybase providing alternative" do you mean that they have hosted, encrypted git repos?

I now see how my original wording is confusing. I'm using git not as the specific case here (albeit interesting) but as an example. From my understanding keybase attempts to solve some of the questions in your first link, simply 's/commit/post/g'. For example:

> He certainly knows his own posts, but how should others know that this “Linus Torvalds” guy who has been posting and commenting on posts is actually Linus Torvalds?

Perhaps that makes my other comments more clear?

Yeah... I guess a little bit it does. Keybase offers an alternative to the Web of Trust that kernel.org itself uses (https://www.kernel.org/doc/wot/). Keybase's solution is having multiple social proofs instead of the Web of Trust. Sadly this is unnecessarily centralized, but I've seen approaches to implement Keybase-like social proof systems in pure OpenPGP: https://github.com/wiktor-k/openpgp-proofs#openpgp-proofs

Ooh, I've not seen wiktor-k/openpgp-proofs before. Too bad it doesn't have more adoption, as I like its solution to keybase's centralization.

Sadly neither project has an elegant solution to private accounts or services. IRC usernames and Signal are examples of the second. For private accounts, both solutions need specific tool integration, cooperation between services, or more manual interaction by the user. Ideally, a new internet standard would be created and adopted, but I really don't see that happening.

As someone who's put thought into this, I'm wondering what your thoughts on this are?