Improve blog post
All checks were successful
continuous-integration/drone/push Build is passing

Yarmo Mackenbach 2020-06-17 12:02:42 +02:00
parent 8592e69a82
commit 201baf84fe


@ -105,7 +105,7 @@ You know me, "I despise privacy invasion." (hint hint).
This project directly targets a specific use-case of [Keybase](https://keybase.io).
It is possible to upload your public key (don't upload your private key…) to the Keybase servers. When you sign a message using your private key, anyone can verify that you wrote that message by simply using their [verify page](https://keybase.io/verify). It's really simple to use, but you'll notice something is missing: a field asking you which key to use for the verification. What Keybase does is check the message against all of the keys it knows about and then let you know which of it users wrote and signed that message.
It is possible to upload your public key (don't upload your private key…) to the Keybase servers. When you sign a message using your private key, anyone can verify that you wrote that message by simply using their [verify page](https://keybase.io/verify). It's really simple to use, but you'll notice something is missing: a field asking you which key to use for the verification. What Keybase does is check the message against all of the keys it knows about and then let you know which of its users wrote and signed that message.
It is my humble opinion that this is an anti-pattern. By not being able to verify against a single key, you open the door to impersonation: I can make an account named `j0hn` and pretend to be `john`. If I write a false statement and sign it with `j0hn`'s key, Keybase will gladly tell you that the message is legit and signed: it is, but by the wrong person. It is up to the user to then investigate `j0hn`'s Keybase account and figure out if it belongs to `john` or some bad actor.
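Review bot: in the changed sentence, "check the message against all of the keys it knows about" reads as if every stored key is tried in turn, while the point the following paragraph depends on is that the person verifying never names the key they expect. Consider saying that directly, for example "the verify page picks the matching key for you from every key it knows about", so the step to the `j0hn`/`john` impersonation case is explicit. The "it users" to "its users" correction itself looks right.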
@ -125,4 +125,4 @@ If open statistics or any statistics at all is not to your liking, please do let
## Final words
I hope you like this project, I know I do and I will use it. OPSV allows me to use signed messages more and provide a simple way to verify its authenticity without relying on big evil corporations.
I hope you like this project, I know I do. OPSV allows me to use signed messages more and provide a simple and secure way to verify their authenticity without relying on big corporations. This is our web, so it's also our duty to keep it secure.
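Review bot: the added "simple and secure way" in the new closing line claims security without saying what it rests on. The earlier section argues that the safety comes from verifying against a single key instead of any key the service knows, so consider tying the claim to that, for example "a simple way to verify their authenticity against one specific key". Separately, "I hope you like this project, I know I do." is a comma splice; a semicolon or full stop after "project" would read better.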