wlonk/wheretofind.me

Keybase-style social media proofs

Closed this issue · 7 comments

Since Keybase was acquired by Zoom, I've been looking for alternatives, and I randomly found this project.

Overall, I think this is a pretty good alternative, but it lacks one of the most important features that Keybase has: proofs and verification. The biggest hurdle is that since Keybase verifies proofs cryptographically, PGP integration would be needed for the same level of security. Of course, you could simply just require accounts to link back to their wheretofind.me profile in order to be verified, but I don't think that would be a good idea.

wlonk commented

Thanks for the input! I have a lot to say about this, so settle in!

Yeah, right now we're relying on folks linking back to assert identity more strongly. We've had some discussion over at #111 about some similar issues, too. I'd love to move this into that space, but I don't have the spare time to dig into it right now, and probably won't for a few months. If you want to put in a PR that begins to move towards this, I'd be happy to work with you on it, though!

Keybase does a lot of things well, and UI/UX is one of them. I am OK with our first-pass being clunkier and more constrained than the full suite of Keybase offerings. So where I might start:

  • Allow users to post pubkeys on their profile, but with some extra "please make sure you know what you're doing, we don't want to host or publish your private keys" stuff around it.
  • Mark pubkeys specially in the database, because we'll be doing cryptographic operations with them and need to know what they are.
  • Ask people to post a boilerplate message + signature to any of a defined list of services (probably starting with a subset of what Keybase has: GitHub, Facebook, Twitter, a domain you control that serves HTTP?)
  • Set up a background task that can verify that signature against their posted pubkey.
  • When that background job runs successfully, it can mark that identity for that user in the DB as verified.

Concerns:

  • What if Alice posts a signed boilerplate message to her Twitter, and then Chuck puts her pubkey up here, claiming to be her?
    • Unlikely; she'd probably put the pubkey up first before getting the idea to post our particular boilerplate with a signature!
    • But we should verify uniqueness of pubkeys to identities.
    • And maybe have a countersign on the boilerplate? So there's a random string that we've signed with our server's secret key so that you can't make a valid boilerplate message until you've asked us what it is you should post?

That's… the only concern I have so far. Gonna tag in @ojacobson in case he has thoughts on this, too.
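The flow sketched in the comment above (posted pubkey, server-countersigned boilerplate, signature check in a background job, pubkey uniqueness), as an added example that is not code from this project or from any commenter. It assumes Ed25519 in place of PGP and an HMAC in place of a server signature, since only the server checks the countersign; the `wtfme-proof-v1` field layout and all function names are hypothetical.

```javascript
// Added example, not project code. Ed25519 stands in for PGP; field layout is hypothetical.
const crypto = require("node:crypto");

const SERVER_SECRET = crypto.randomBytes(32); // server-only countersigning key (HMAC as a stand-in)
const mac = (s) => crypto.createHmac("sha256", SERVER_SECRET).update(s).digest();
const fingerprint = (pub) =>
  crypto.createHash("sha256").update(pub.export({ type: "spki", format: "der" })).digest("hex");

// Server: the boilerplate names the profile, the service account and the key, plus a fresh nonce.
// Fields are assumed not to contain "|".
function issueChallenge(username, service, handle, pub) {
  const nonce = crypto.randomBytes(16).toString("hex");
  const body = ["wtfme-proof-v1", username, service, handle, fingerprint(pub), nonce].join("|");
  return `${body}|${mac(body).toString("hex")}`;
}

// User: sign the exact challenge text and post "challenge\nsignature" on the service.
function signChallenge(challenge, priv) {
  return crypto.sign(null, Buffer.from(challenge), priv).toString("base64");
}

// Background job: postedText is what was fetched from the service; keyOwners maps
// key fingerprint -> the one username allowed to use that key (uniqueness check).
function verifyProof(profile, service, handle, postedText, keyOwners) {
  const [challenge, sigB64] = postedText.trim().split("\n");
  if (!challenge || !sigB64) return "malformed";
  const cut = challenge.lastIndexOf("|");
  const body = challenge.slice(0, cut);
  const tag = Buffer.from(challenge.slice(cut + 1), "hex");
  const want = mac(body);
  if (tag.length !== want.length || !crypto.timingSafeEqual(tag, want)) return "not-our-challenge";
  const fp = fingerprint(profile.publicKey);
  const [, user, svc, acct, keyFp] = body.split("|");
  if (user !== profile.username || svc !== service || acct !== handle || keyFp !== fp) return "wrong-binding";
  if (keyOwners.get(fp) !== profile.username) return "key-not-unique";
  const sig = Buffer.from(sigB64, "base64");
  return crypto.verify(null, Buffer.from(challenge), profile.publicKey, sig) ? "verified" : "bad-signature";
}

// Constructed data: Alice proves her account; Chuck then lists her key and reuses her post.
function demo() {
  const alice = crypto.generateKeyPairSync("ed25519");
  const owners = new Map([[fingerprint(alice.publicKey), "alice"]]);
  const ch = issueChallenge("alice", "twitter", "alice_tw", alice.publicKey);
  const post = `${ch}\n${signChallenge(ch, alice.privateKey)}`;
  const check = (username) => verifyProof({ username, publicKey: alice.publicKey }, "twitter", "alice_tw", post, owners);
  return { alice: check("alice"), chuck: check("chuck") };
}
console.log(demo());
```

Because the countersigned text names the requesting profile, a post made for one profile cannot be replayed under another, and the `keyOwners` lookup covers the separate case of one key listed on two profiles.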

> Of course, you could simply just require accounts to link back to their wheretofind.me profile in order to be verified, but I don't think that would be a good idea.

Can you elaborate on that?

In April, we handled an abuse report. The details of our response are in that comment, and are worth a review. The allegation was that the wtf.me profile was created without the subject's consent; our determination was that it probably was consensual, and that the report was likely frivolous.

I relied heavily on a lot of things in reaching that conclusion, but two stick out and resonate with your point:

  • Because the accounts linked in the wtf.me profile carried shared signifiers - similar avatars, usernames, real names, friends lists, and so on, as well as things like background images and posting style - I concluded that the listed accounts were likely all the same person, and

  • Because at least one of the accounts linked back to the wtf.me profile, I concluded that the profile was likely created with their consent.

I'm curious whether your remark that back links are a bad idea for verifying accounts would suggest a different conclusion, or a different way of reaching the conclusion, in that case. If it does, that's something we should definitely consider for the future.

I consider the technical question of how we determine whether a profile or a social media identity is "Verified" to be way, way less interesting than the question of whether we want to be in the business of "verifying" identities. Right now, my leaning is towards "no," at least publicly; we have an obvious need for identity checking for abuse reports, but that's a special case and comparatively rare. If there's a strong case for sharing verification info with users, then yes, I'm on board with building a cryptographic option for doing so, although for UX reasons I wouldn't make it the only way to do so.

On the question of whether you want to be in the business of verifying identities, whether you want to include a green check mark next to identities on a user's profile, the answer would be no, unless you can meet the same standards that Keybase has for verification.

This is what I mean when I say that using backlinks to verify identities is a bad idea—it would mean accepting a lower standard of verification compared to Keybase, therefore making wtf.me less trustworthy.

As for the incident in April, I say that you needing to manually investigate a profile's social media accounts suggests ambiguity on whether profiles on wtf.me are legitimate. I would have to trust your ability to handle these sorts of issues with complete confidence.

Keybase doesn't really have this problem. The thing about Keybase is that one needs to prove ownership of an account, as a prerequisite, before linking it to Keybase. This probably wouldn't be very feasible for wtf.me.

> I say that you needing to manually investigate a profile's social media accounts suggests ambiguity on whether profiles on wtf.me are legitimate.

Absolutely. I'd even go so far as to say that that ambiguity is at the core of why wheretofind.me is a useful addition to the internet.

Identity, as modelled by wheretofind.me, is fundamentally about continuity, not about uniqueness. The site is built on the assumption that, as people move their social lives from one group of services to another and as services come and go, it is useful for people to be able to advertise "hey, I went over to this other account, and I also run these accounts." The design assumes that users will encounter a wheretofind.me profile in the context of being sent there by that profile's subject, from their own social media account, and that any trust the reader should have in the profile comes from that context, and not from the site itself.

In large part, the site's design is a direct reaction to the repeated waves of people abandoning Twitter as Twitter, Inc's policies have become more and more hostile to the communities we care about. A wheretofind.me link in a user's social media profile is considerably more durable and considerably easier for the reader to find and understand than a post somewhere arbitrarily far back in a user's timeline saying "hey, I set up an account on pillowfort if you want to follow me there."

Keybase social media proofs, on the other hand, solve a different problem. Those proofs express the assertion "if you encrypt a message with this key, only the people behind these social media accounts can decrypt it." (Or, if you prefer, "if you verify a message signed by this key, you can be confident it came from someone who can post to these accounts.") At that level, Keybase proofs augment/replace keyservers and GPG's web of trust to deal with modern social media, but they're fundamentally about key management and validation.

Wheretofind.me can be a key management service for social media. It's a subject that's come up in conversation a few times; the implementation is tractable, although I'm too cautious to call anything cryptosystem-related "easy." :) I'm only skeptical of using cryptographic identities to assert the validity of other identities on the same profile, as it's really beyond the mission of the site as I understand it.

> I'm only skeptical of using cryptographic identities to assert the validity of other identities on the same profile

Oh. Well this is exactly what I was interested in 🙃, unless I am misreading this sentence.

When you say "key management service for social media," you just mean hosting a public key associated with some social media accounts, not necessarily generating cryptographic proofs for said social media accounts à la Keybase, right?