2018-08-25 Identity, Keybase, Verification
Recently, @kaniini had a good thread about identity verification. Basically, they don’t like Keybase. I used to like Keybase and then I discovered that I wasn’t using them, ever. So now what?
What you want to prove is that the same person who controls these:
`https://kaniini.dereferenced.org/` `https://github.com/kaniini`
Also controls:
`https://pleroma.site/users/kaniini`
I think that is correct.
Links in that thread:
- rel="me", the solution using this attribute in bidirectional links to establish equivalence, on the Micro Formats Wiki
- Distributed Verification by Kevin Marks, on how “verification” works
- The Real Deal About rel="me" by Martijn van der Ven, on building a verification graph
And Kaniini is right: “Keybase represents more of the centralization of the web that we must resist.”
I guess the use case for Keybase still exists. It’s just that baking the graph of identities into our web would work just as well.
As I was looking into issue #121 I realized that Mastodon already does this: all links from your profile already have `rel="me"` added. So if my profile links to this blog and this blog links to the profile, I’ve established that we’re the same person! Yay!
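The bidirectional check described above, as an added example that is not part of the original post: it extracts `rel="me"` links from two pages and accepts the identity claim only when each page links to the other. The domains and page contents are constructed samples held in memory, and the function names are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def normalize(url):
    """Compare URLs by lowercased scheme and host, and path without trailing slash."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"))

class RelMeParser(HTMLParser):
    """Collect href targets of <a> and <link> elements whose rel contains the token 'me'."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.targets = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        # rel is a space-separated token list, e.g. rel="me nofollow noopener"
        rel_tokens = (attr.get("rel") or "").lower().split()
        if "me" in rel_tokens and attr.get("href"):
            self.targets.add(normalize(urljoin(self.base_url, attr["href"])))

def rel_me_targets(url, pages):
    """Return the normalized rel=me targets found on the page stored under url."""
    parser = RelMeParser(url)
    parser.feed(pages.get(url, ""))
    return parser.targets

def mutually_linked(a, b, pages):
    """True only if a links to b AND b links to a, both with rel=me."""
    return (normalize(b) in rel_me_targets(a, pages)
            and normalize(a) in rel_me_targets(b, pages))

# Constructed sample pages (hypothetical domains), keyed by URL so this runs offline.
BLOG = "https://blog.example/"
PROFILE = "https://social.example/users/alice"
IMPOSTOR = "https://impostor.example/"
PAGES = {
    BLOG: '<a rel="me" href="https://social.example/users/alice">Fediverse</a>',
    PROFILE: '<a href="https://blog.example" rel="nofollow noopener me">blog</a>',
    # Claims the profile, but the profile never links back.
    IMPOSTOR: '<link rel="me" href="https://social.example/users/alice/">',
}

if __name__ == "__main__":
    print(mutually_linked(BLOG, PROFILE, PAGES))
    print(mutually_linked(IMPOSTOR, PROFILE, PAGES))
```

A one-way `rel="me"` link proves nothing, since anyone can link to a profile they do not control; a real verifier would fetch both pages over HTTPS rather than read them from a dictionary.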
#Web #Keybase #Cryptography #Mastodon
Comments
(Please contact me if you want to remove your comment.)
I’m not entirely sure I see the harm in the amount of centralization keybase produces. Here’s my thought process:
If people have multiple identities (e.g., Mastodon, Reddit, HackerNews, Twitter, LinkedIn, etc…) then they have three options to verify those identities:
- They can link every identity to *every* other identity. This gets very cumbersome as the number of identities grows and the number of required links grows exponentially.
- They can link every identity to some other identity and let verification require following a chain (“I know that this Mastodon user owns that Reddit account, which is by the same person as this HackerNews account, which is linked to this other LinkedIn account. Thus, I know that the Mastodon and LinkedIn accounts are linked.”). This seems equally cumbersome, but shifts the burden onto the verifier—which seems even worse.
- They can use a hub-and-spoke model. (e.g., all my accounts link to my blog, and my blog links to all my accounts; this lets you verify my account ownership by following just a couple of links).
Of these three, I’d say that the hub-and-spoke model is the best. But that prompts the question: where should the hub be? If we lived in a world where everyone had a home page (I wish!), then our personal home pages would be the natural hub. But, since we don’t, keybase seems to be stepping in to provide that hub function.
A couple of further points: Because *all* keybase does is provide a hub, it would be fairly easy to replace. In fact, I already use my website as a hub, in that it links to all my other profiles—keybase is a secondary hub that increases discoverability/credibility (to people who don’t understand the tech enough to trust the other hub). And if someone else wanted to create a keybase alternative—which they probably shouldn’t call freebase—then it seems like they’d be able to pretty easily: Keybase doesn’t create/own the links in the chain, just one central hub.
So, bottom line, I agree that keybase is centralizing things to an extent. I think it’s not *that* useful for people who already maintain personal websites. But, despite that, I think it’s not (that) dangerous because it’s natural to have *some* hub, but hubs are also—by their nature—pretty replicable.
But I’d love to hear where I’m wrong about any of that!
– codesections 2018-09-03 13:34 UTC
---
I think it’s all about switching costs and capture: if we all use the same site, then suddenly the site is valuable: we’d never be able to switch everybody away, no matter how easy it is. If Microsoft buys the site, if finances fail, there are always risks and why put everybody on the same boat?
But Keybase also solves other problems, like maintaining a list of accounts you’re following. Also valuable information that is unrelated to the primary focus of this discussion: identity. So if we’re all in this one boat, the value of the boat is not only big because we’re all there, it’s even bigger because an entirely different class of attack can be fielded against us: a network analysis.
But all being on the same hub, we’re just making it easier for evil doers and we’re making ourselves more vulnerable to rare disasters (think The Black Swan: The Impact of the Highly Improbable).
That’s the only argument I have. The fact that there are other ways to establish identity, and silly ways of setting it up, doesn’t affect the main point: this is not resilient.
– Alex Schroeder 2018-09-03 13:46 UTC