[WorldMaker]

«I don't really get what keybase.io is supposed to solve»

Keybase was built to solve the "web of trust" bootstrap problem [1] by leveraging the web of social media profiles a user typically has with simple replicable proofs of social media identity.

[1] Arguably the hardest problem in PKI: how do you get user to trust that a public key is for the right person? In the classic PGP/GPG web of trust you do things like "key signing parties" and physical in real life interactions and deciding your threshold for how far you trust the friend of my friend signed this key. In the Keybase model you can see that the key (or family of keys) are tied to a certain combo of Twitter, Facebook, HN, et al accounts/profiles and generally trust that the person with all those accounts is the person you are trying to communicate with.

[snassar]

Fair enough, when it comes to coming up with creative ways to solve the web of trust problem.

I still do not know what problem keybase.io solves when they allow uploading of private keys.

[WorldMaker]

That would be the second hardest problem in PKI: key escrow and key management. The answers to the questions most average users have like: What do I do if I lose my machine? If I'm logged in from the library or work or my friend's PC? If I use multiple machines every day?

When the "right" answer includes "Print out this long thing, put it in a safe deposit box, and pray you never have to type in this long string of numbers", you immediately lose a lot of potential users; it doesn't quite fit the "Grandparent test" (could your Grandparent use it?).

Absolutely there's a trade-off in trusting a 3rd Party key escrow, but there's an immense usability benefit to average users that want something easier to do and "some security" really can be better than "no security", even if a lot of hard-line paranoid wonks have good reason to believe otherwise.

[dublinben]

My grandparents don't even use email. I don't think we should be setting them as the lowest common denominator for security. Some things that are worth doing require a little bit of effort.

[WorldMaker]

You have have to consider the lowest common denominator in security. You're security it's only as good as your weakest link. Say you have an emergency and your grandparents need to email your PII to a hospital. Can they do it securely? You need to email some PII to them. Can you do it securely? Some security for all is better than no security for most, hence the "grandparent test".

[dublinben]

I think it would be even better if we could design systems where it isn't even necessary for a family member to "email your PII" to anyone. That's a terrible idea in almost any situation, regardless of your security.