In general I find Keybase to be a step forward in user experience and two steps backwards in terms of actual security. They just don't seem to care about the latter at all and have not demonstrated any cooperation with standards bodies like the OpenPGP working group where members have expressed interest multiple times in adding generic URL uids to the openpgp public key itself to replicate and decentralize the idea of social media based trust bootstrapping (the one good idea from Keybase in spite of terrible execution). Instead they insist on their complex proprietary walled garden system that does not integrate with existing keyservers and throws everything on the bitcoin blockchain for reasons.
Keybase has become the IE of crypto and I can't take any security project seriously that even -integrates- with them.
Honestly, the OpenPGP world has so competently failed at usability and is only adopted by the most hard core of nerds. Even I have stopped using it for the most part.
And that it is two steps back in security overall is just not true. Maybe in some individual features that you care about, but not in general.
And the same thing counts that always counted, crypto that nobody is using is not protecting anything.
The have mostly moved on from GPG any a different libraries now. The GPG is mostly a legacy feature.
This seems pretty inaccurate.
* Lots of software projects sign their releases with PGP.
* Almost all Linux distributions sign their software with PGP. If you use Linux, your security relies critically PGP.
* Github has support for PGP, and I see people use it.
* My random server hoster happens to sign all their emails with PGP.
You could claim that all these systems are run "by the most hard core of nerds", but at that point the statement loses its relevance.
There's only one thing that's worse. Crypto that people think is protecting them, but which isn't.
For the most part Keybase crypto is modern, effective and easy to use.
Also there are projects in the OpenPGP world making very easy to use workflows and interfaces without centralizing or breaking standards. OpenKeychain for android is a fantastic example of this.
I use OpenKeychain on my phone and can sign files, access passwords, or decrypt email by tapping my yubikey to it. I can tap someone elses key to my phone to import their key to my addressbook. No terminals or fuss and at no point does any key come in contact with system memory of any device involved so I have strong assurances it can't be stolen even if my phone is totally compromised.
A big example of the 2 steps backwards of keybase: they use keys in system memory and abandoned any compatibility with the openpgp smartcard spec, yubikeys, etc. The industry is moving to smartcards for very good reason: malware is a thing and it can use/steal keys from system memory without user interaction. A key stored in a yubikey 4 OTOH never touches system memory and requires a physical touch for each operation.
You can have usability without throwing out security and standards. Keybase is just another in a long line of companies ignorantly throwing out any security features they don't understand using usability as an excuse for bad engineering.
It seems GnuPG and "the ecosystem" is slowly moving to WKD (Web Key Directory) as it is easier to deploy (e.g. kernel.org is using it).
If you put your binary key (gpg --export 36C8AAA9) at https://lrvick.net/.well-known/openpgpkey/hu/gfoh5t79df9raqt... tools would retrieve it automatically when using your e-mail address (gpg --locate-key $EMAIL). (I got the hash by running gpg -k --with-wkd 36C8AAA9).
This is supported by GnuPG, OpenKeychain and some e-mail clients: Enigmail, GpgOL (Outlook) would fetch your key in background when someone is writing an e-mail.
For details see: https://wiki.gnupg.org/WKD#Implementations
The spec: https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-s...
Don't you know? There's a rule that all cryptographic software must be arcane and obscure and virtually impossible to use correctly by anyone other than obsessive nerds.
For the record it soon may be possible to use native GnuPG through the browser extension:
> Installer: New optional module "Browser Integration" to register GnuPG as backend for Mailvelope 3.0.
But given Keybase's track record I already know they're not interested in that.
Guess what, other people like me just realized that Keybase was not designed to be used like that and didn't use the smart-card together with Keybase.
I guess you can fault them for not saying that explicitly but since the made no mention of smart-cards and didn't evolve the security model in that direction it was pretty clear that that was not what they were about and therefore I did not expect it to be optimal to be used like that.
Is that a normal thing to do on github?
...this actually looks like a potential security weakness that was purged from the public space. (CWE-921)
They are contributing to an IETF protocol (“MLS”) for E2E messaging, which is a long-term path to messenger interoperability.
I remember when we had that before E2E was popularized, it was standardized, and then walled gardens broke their interoperability in the name of (claimed) better user experience and user numbers.