Over the last couple of weeks, a startup called keybase.io has been making the rounds, promising a much simpler take on PGP. A more humane interface on GnuPG, visual design by a renowned artist, even a web interface for your crypto. Fantastic, right?
Yeah, I can't get on board. And I really hope you won't either.
Admittedly, OpenPGP needs an interface that doesn't take a week of research to understand. Starting with "What's OpenPGP? Is that like the PGP 6.0? And GPG is different, right?" And then using any of the existing tools requires that you really understand the whole protocol, maybe back to the basic maths underneath. So where probably everyone in a mature digital society should be using cryptographic tools, the reality is that only the particularly paranoid (that is, international journalists and cypherpunks) really do.
So there's definitely an opportunity for everyone to benefit. And Keybase is capitalizing on that opportunity. If you don't know what I'm talking about, the site is here.
Here are the problems I see with Keybase:
You Don't Roll Your Own - And You Don't Have To
First, they're reinventing well known parts of OpenPGP. A public directory of publicly auditable keys? Allow me to introduce PKS (an example server) - a decentralized system for distributing public keys. Associating your key with a public identity? For email addresses (oh, wait, those are also globally unique user ids...), we match up user ids on the key. For other accounts, there's a system called "annotations." This is all built into PGP, and people, paranoid, technical people have been using it for decades.
And that's not a "well, they got there first" sour grapes complaint. There's a principle in computer security that you don't invent your own crypto. Which is exactly what Keybase is doing. They're using GnuPG under the hood, certainly, but they're distributing keys and associating them with public identities over a brand new, unreviewed protocol. That's troubling.
So it should be possible to write an all OpenPGP implementation that does everything that Keybase does on the command line ... without the central Keybase service.
That's Not Authentication
But the next problem is: should we do that? Keybase's pitch is that rather than use a web of trust (which is a tricky concept) let's pair up our public keys with public identities so that we can see that @yourfriendontwitter is also the owner of this particular public key. That's a cool idea - now we can skip that whole perl-mediated key-signing geekfest and use Web 2.0 tech to identify one another, right?
The limits on that identification are two-fold: First, the certainty with which we know that e.g. tweets are sent by their purported senders is limited by the security of Twitter. (I think there's heavy irony to how much the Keybase "Verifying myself" toots look like "you've been hacked" spam.) Second, all we are actually learning about the holder of the key is that they can also tweet as @yourfriendontwitter - not that they're actually your friend on Twitter, if you see what I mean.
I think there's a reason that the Keybase example pages use as examples messages about meeting up for drinks - you probably shouldn't trust a key you identified via Twitter about matters more weighty than you'd discuss on Twitter.
By contrast, the goal with PGP is that you can extend the human trust of meeting someone face-to-face to communications online. When someone whose key you've actually signed as a result of them presenting it to you in person signs an email with it later, you can trust that email as if they'd said those words to you in person. Otherwise, it could be anyone.
If They're Not Doing This Right...
As an analogy, if you went to a new bank, and they started talking about "vig" instead of APR, or the locksmith who came to your house was "Bondo-ed," or your doctor told you medical science has no way of knowing where the heart is, you'd start to wonder if you should do business with them, right? That's how the Keybase pitch sounds to me.
The best light I can see that in is that they're well meaning, but simply unqualified to design and run a cryptographic system. I imagine two undergrads starting a bank in their dorm room. But I worry that this is a social engineering attack on a grand scale - that they know exactly what they're doing: they're using a slick interface to draw in an initial group of tastemakers, until they have the Facebook of online security (with all the connotations of "having to be on Facebook"). Meanwhile, they're collecting key pairs and subverting the meaning of authenticating a public key to the point where they can have severe impact on secure communications down the line.
Even if the founders are well meaning, there's always the possibility that they make an exit, and the next owner of Keybase is evil. Imagine your personal communications being read by your least favorite corporate or governmental entity. Wasn't that exactly why we were using PGP in the first place?
Where do we go from here? I think Keybase does have a point: The user experience of public key cryptography is abominable.
It's a tricky subject though, because with a slick GUI it's really difficult for any one user to verify that it's doing what it says it's doing and nothing more (like uploading your key somewhere...) But the command line has gotten a lot less scary to a lot more people, thanks to a raft of powerful web tools. In a related move, command line tools have gotten much more friendly than they were back when gpg was written.
So I'm proposing a set of curated shell scripts that wrap gpg to do a small set of common tasks. Ideally, they should cover the most useful subset of gpg operations, and be simple enough that anyone interested should be able to review them and satisfy themselves to their innocuity.
I need help though - I only use one platform for my computing, and I'd want to be sure that the scripts ran as close to everywhere as possible. Also, I have a bad habit of using words like "innocuity," so I could definitely use help with the documentation.
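One shape such a wrapper could take, tied to the earlier point that a signature only means something when it comes from a key you have verified (an added example, not code from the author's repository). It reads gpg's `--status-fd` output and keeps "the signature is good" separate from "the key is one I trust"; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: a small gpg wrapper that separates "signature is good" from
# "signature is good AND the key is verified". Function names are hypothetical.

# Read `gpg --status-fd` lines on stdin and print one verdict.
# Returns 0 = verified key, 1 = good signature from unverified key, 2 = reject.
classify_status() {
    good=0 bad=0 trust=unverified fpr=
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*) good=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPSIG "*) bad=1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) bad=1 ;;
            "[GNUPG:] VALIDSIG "*)
                # First field after VALIDSIG is the signing key's fingerprint.
                rest=${line#"[GNUPG:] VALIDSIG "}
                fpr=${rest%% *} ;;
            # Full/ultimate validity: certified by you or by introducers you trust.
            "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*) trust=verified ;;
        esac
    done
    if [ "$bad" -eq 1 ] || [ "$good" -eq 0 ] || [ -z "$fpr" ]; then
        echo "REJECT"; return 2
    fi
    if [ "$trust" = verified ]; then
        echo "VERIFIED $fpr"; return 0
    fi
    echo "UNVERIFIED $fpr"; return 1
}

# Verify a signature; status lines go to stdout, gpg's human-readable text is dropped.
verify_file() {
    gpg --batch --status-fd 1 --verify "$@" 2>/dev/null | classify_status
}

# Constructed sample status output (not from a real key); $1 is the trust line.
sample_status() {
    fp=0123456789ABCDEF0123456789ABCDEF01234567
    printf '%s\n' "[GNUPG:] GOODSIG 89ABCDEF01234567 Alice Example <alice@example.org>" \
        "[GNUPG:] VALIDSIG $fp 2014-03-01 1393632000 0 4 0 1 2 00 $fp" \
        "[GNUPG:] $1"
}

sample_status TRUST_FULLY     | classify_status || true
sample_status TRUST_UNDEFINED | classify_status || true
```

With gpg installed, `verify_file message.sig message` gives the same three verdicts for a real detached signature; an `UNVERIFIED` result is the "it could be anyone" case.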
Update: I've actually started the set of shell scripts. There's a public repository here for the interested. I would love to see contributions. (N.b. the code is public domain.)