How does Keybase verify the ownership of the PGP keys? #3735
Comments
It can, at the same time, import the secret key if desired, locally, for use with just that one device.
@Brianetta Thank you so much for the quick answer. So the idea is to self-sign the public key with its private key and push the signature to the server, and the server then verifies the signature with the public key, am I right? Is there a detailed example of this in some docs, or the piece of code in the go client repo which does this? I'd be totally grateful, since I am barely starting to explore how keybase works.
Like any proof, the signed statement ends up appended to your sigchain. I've no idea what the server does, but the onus is on the client to verify all proofs. So, some other Keybase user wanting your PGP pubkey will be able to get it from your sigchain, and at the same time verify a message signed by that key and your Keybase key. I have several PGP keys. Here's my most recent proof of one:
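The proof itself is not reproduced on this page. The following is an added illustration, written for this page and not taken from the thread or from Keybase's client code, of the mechanism the comment describes: a statement naming the PGP key is signed twice, once by the claimed PGP key (which is what proves possession of its secret half) and once by the existing device key (which binds the claim to the user's sigchain), and a verifying client checks both signatures plus the fingerprint binding. Ed25519 from Go's standard library stands in for both the PGP key and the Keybase device key, and the `Statement`, `Link`, `MakeLink` and `VerifyLink` names, the JSON encoding and the SHA-256 "fingerprint" are all assumptions of this example, not Keybase's actual formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is the body of a hypothetical sigchain link claiming that the key
// identified by Fingerprint belongs to User. Seqno and Prev model the chain
// position; the encoding is an assumption, not Keybase's real link format.
type Statement struct {
	User        string `json:"user"`
	Fingerprint string `json:"fingerprint"`
	Seqno       int    `json:"seqno"`
	Prev        string `json:"prev"`
}

// Link is the statement plus the two signatures that make it a proof of
// possession: one by the key being claimed, one by the device key.
type Link struct {
	Body   Statement
	PGPPub ed25519.PublicKey // Ed25519 stands in for the PGP key (assumption)
	PGPSig []byte
	DevSig []byte
}

// fingerprint is a stand-in for a PGP fingerprint: SHA-256 of the public key.
func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// encode produces the canonical bytes that both signatures cover.
func encode(s Statement) []byte {
	b, _ := json.Marshal(s) // fixed struct, cannot fail
	return b
}

// MakeLink builds the link on the claimant's device. Signing with pgpPriv is
// the step that a bare "here is my public key" assertion lacks.
func MakeLink(user, prev string, seqno int, pgpPriv, devPriv ed25519.PrivateKey) Link {
	pgpPub := pgpPriv.Public().(ed25519.PublicKey)
	st := Statement{User: user, Fingerprint: fingerprint(pgpPub), Seqno: seqno, Prev: prev}
	msg := encode(st)
	return Link{
		Body:   st,
		PGPPub: pgpPub,
		PGPSig: ed25519.Sign(pgpPriv, msg),
		DevSig: ed25519.Sign(devPriv, msg),
	}
}

// VerifyLink is what a client should run before trusting a key taken from
// someone's sigchain; devPub is the user's already-trusted device key.
func VerifyLink(l Link, devPub ed25519.PublicKey) error {
	msg := encode(l.Body)
	// The statement must name the very key whose signature is checked below,
	// otherwise the signature proves possession of some other key.
	if fingerprint(l.PGPPub) != l.Body.Fingerprint {
		return errors.New("fingerprint in statement does not match presented key")
	}
	if !ed25519.Verify(l.PGPPub, msg, l.PGPSig) {
		return errors.New("missing or invalid signature by the claimed key")
	}
	if !ed25519.Verify(devPub, msg, l.DevSig) {
		return errors.New("missing or invalid device-key signature")
	}
	return nil
}

func main() {
	_, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, pgpPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub := devPriv.Public().(ed25519.PublicKey)

	good := MakeLink("alice", "", 1, pgpPriv, devPriv)
	fmt.Println("full proof:", VerifyLink(good, devPub))

	// The worry raised in the thread: a link that names a public key but is
	// signed only by the device key. Without the key's own signature it fails.
	bad := good
	bad.PGPSig = nil
	fmt.Println("device-only claim:", VerifyLink(bad, devPub))
}
```

The point the example makes is that possession is proven by a signature from the claimed key over a statement that also carries the existing device key's signature; a server (or any client) that only checked the device signature would accept a claim to any public key, which is exactly the gap the next comment asks about.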
@Brianetta thanks! But my question is really about how I or the server can verify that YOU really own that PGP key. You only signed with your device secret key that you have that public key. But you didn't prove that this public key is owned by you, if I am getting the sigchain correctly. I mean, at least the server needs to check self-signing of the PGP public key to verify that you really own it. Right?
It's late and I'm not looking closely, but signing all of my PGP proofs required me to give GnuPG my secret key's passphrases. I'm pretty sure there's a PGP signature involved. I'll take a look sometime after I wake up tomorrow.
On Wed, 18 Dec 2019, at 11:52 PM, gh67uyyghj wrote:
> @Brianetta thanks! But my question is really about how I or the server can verify that YOU really own that PGP key. You only signed with your device secret key that you have that public key. But you didn't prove that this public key is owned by you, if I am getting the sigchain correctly.
I am new to keybase and I found the client codebase pretty huge to get the answer to my question, but how does keybase verify that the client-generated PGP keys are actually owned by the client? Does the server send some challenge encrypted with the claimed public key and wait for the unencrypted version, or what exactly?