Keybase seeks to be a "public directory of publicly auditable public keys" with simpler usernames than PGP and verified account linking to popular sites such as Twitter and GitHub. This is awesome because "PGP for humans" is long overdue and because I snatched up the namespace liz.
Linking my verified public PGP key with Keybase was easy enough by using
gpg on a trusted machine and copying into their web client. I associated my PGP key with fingerprint
89CB 0766 5EB4 2515 EE7F 3FAA E0B9 3B4A 4E8E A664 to the username "liz", but this doesn't establish much in the way of my identity.
PGP's standard for establishing identity, the web of trust, is complicated and non-intuitive - I trust my friend Nelson's key, Nelson trusts Anders's key, Anders trusts Alex's key, and Alex trusts Ceres's key, so naturally, I should believe
9D06 536F FD85 F747 8846 CAAD 7688 4EEA 6E6D 80F4 is Ceres. Instead of relying on trusting a chain of signatures, the bread and butter of Keybase's directory is using accounts on popular and personal sites to establish identity. While this is arguably insecure because such accounts can be compromised (though so can PGP keys), I already have mappings from people to those accounts and am inclined to believe that their keys belong to them after they've established those accounts on Keybase.
Unfortunately, I couldn't find a way to securely establish @redroselet, lizdenys on GitHub, or lizdenys.com as "liz". Uploading a client-encrypted copy of my private key was right out - if a malicious attacker compromises Keybase's software, they'll have access to my key and could get my passphrase the next time I type it. The only other option is the Keybase command line client, which is already more appealing to me because I love living my life inside a terminal (really).
The Keybase command line client installer depends on
npm. The machine I trust with my PGP keys is running Ubuntu 12.04.4 LTS (Precise Pangolin), which is supported until October 2017. The version of
apt is 0.6.12, which is older than the minimum required version to install
keybase. This is unfortunate because
apt-get authenticates packages as an entity I trust because I trust my operating system. If I install a later version of
node, I either need to trust another party, whom I may not be able to easily verify as trustworthy, or build
npm from source myself, which requires that I understand how the
node source code and a packaging system I've never seen before works to my satisfaction. Beyond that, I couldn't easily figure out if
npm authenticates packages. It doesn't seem particularly safe for me to trust my valuable PGP keys to this system.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 So I'm liz on Keybase.io, and I'm refusing to verify myself. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBAgAGBQJTOYAgAAoJEOC5O0pOjqZkiK8QAIhBS85fxa/W3q9yQUEKCuMy sWwWSaSEDDj494p86Rh6IvBMJfNxkkCLrW8RJr03Y4v2mCkCQ/n6i03ro2AvKZbt bHoDPL+dfqA5DVU7LOmy6WNXkX77eXGYkOAkWeWt/VLE9ZRmuGJJYXlvs04mgU1k hj1eN7eBP5VR6+Q4kse6o8+a/Yr71YE4w/4BWQbnL3vgqGnrmP836rbx1RnoEI5t 2+yYX++piIasbT1RJtbetJwcR2SBBpFlll9B1QFAIqxxJE+ccBzxXnwyW7OTQsFf ykMl0v2REFjCGaxyrluuVz6ZiXEu1FYYuO6TdJGUN3s3loRZ6a4MaF6u0l3qtNDi uVAQm5RK5lS6nt5W+cWkIZNtTewFItX8IvTx7MOpE5hdB+Qvj6IKQqkEYyrY+r43 drR3gYklQUAAoZwWlnjdkUSxYEM9/SO/AW6c5awJUXB1mcn5qCDXjsVioLWYtKDo fraKvZc0xMUktRBVG7e/8t1zu1O/ixvOo6aLMyuVIfsspy5XhXbR4STHBJzFOMoK 3AMpPIATdWFJOn35tZXWgjd7QFE46nTqZgK0co2QY60aWO2oI8lI9YLVMwHm6vyJ vhEZGyaJ9MPN5vbWc4tdjCNzU7tv1zUyUJNLtBQ1yWUaCJldQYW8AO1wUNpzbk79 RYEUUgRtrPKkb4Cdh/09 =s/8d -----END PGP SIGNATURE-----
My blog has a tendency to cover topics that run all over the place. It's come to my attention that it's currently reaching at least two completely different audiences. One of them is almost exclusively interested in my food posts.
To handle this, I've created a separate food blog, My Quaint Dutch Oven Family, and moved the food posts from this blog to that one. The name pays homage to my favorite kitchen helpers. Links to food posts at this address now redirect to their new locations on the new blog. I also get to better categorize my food entries on the new site.
I hope the split will encourage me to blog more. I'm exactly the kind of person who will become frustrated as their latest post dates get stale, and I'm excited about how that will make me want to write more.
Seeded from low entropy to become roughly 8 minutes long. "For possibilities."
Apologies for the clefs, but it was the least nasty way to span the piano.
You can grab a full copy of the score.