Message-ID: <56D0B632.40305@witmond.nl>
Date: Fri, 26 Feb 2016 21:31:46 +0100
From: Guido Witmond <guido@witmond.nl>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
 rv:31.0) Gecko/20100101 Icedove/31.8.0
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
In-Reply-To: <20160225005853.GP57127@vpn212046.nrl.navy.mil>
Subject: Re: [tor-talk] Tor for everyone;
	introducing Eccentric Authentication
Content-Type: multipart/mixed; boundary="===============7801972869531380528=="

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============7801972869531380528==
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="uQb7De8NkVMCQD86NofrTbpsN3xUOtqwC"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--uQb7De8NkVMCQD86NofrTbpsN3xUOtqwC
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

On 02/25/16 01:58, Paul Syverson wrote:
> On Thu, Feb 25, 2016 at 12:26:02AM +0100, Guido Witmond wrote:
>>
>> I don't want *people* to exchange keys. I envision people to exchange
>> names and let computers do the key lookup.
>>
>
> The description below sounds a fair amount like Keybase (https://keybase.io)
> Perhaps it would be helpful to contrast your goals with theirs?

Hi Paul,

All from cursory reading:

Both Keybase.io and Eccentric Authentication share the same goal: Crypto
for everyone!

But there are differences:

1. Technology

- Keybase uses PGP, Eccentric uses X509;
- Keybase uses the Bitcoin blockchain as trust anchor, Eccentric uses
DNSSEC and a separate verification service like Certificate Transparency.


2. Model

- Keybase has a person-centric key model:

Even though people can have multiple private keys, these are connected.
Each user has 1 identity. That means, every message sent is attributed
to the person.

In this model, each of the actions strengthens the faith in the relation
between the key and the identity.


- Eccentric uses a key model where each user has many keys:

Each of those keys is an identity, tied to the site that signed it. Keys
cannot be shared between sites. This prevents linking of identities
unless the person reveals it. Or if cookies betray him.

In Eccentric, people are advised to use a throwaway identity whenever a
site requires an identity. In Keybase, it's much harder to remain
anonymous as I expect sites to encourage linking your account to your
identity.

3. Central / Dispersed

Keybase uses a central repository for all key/identity announcements.
This makes them a single high value target.

Eccentric uses a single CA per site. There is no central repository. The
risks of compromise are spread out. With some proper use of subkeys, the
scary part of key management can be outsourced to a service provider.

4. User Security

Keybase provides confidentiality of the message contents but, as it uses
existing email transport, neglects metadata protection; in fact it
gives up metadata protection to gain stronger ties between usernames,
keys and identity.

Eccentric offers much stronger protection of metadata and equal
protection of message confidentiality. With Eccentric it's harder to
assure a certain key belongs to an author of a publication.


There's probably a ton more. If I made any mischaracterisations of
Keybase, please enlighten and forgive me.

With regards,

Guido Witmond.




--uQb7De8NkVMCQD86NofrTbpsN3xUOtqwC--

--===============7801972869531380528==--

