[RasputinsBro]

> You put your public (and private if you want) pgp key on there. Then you make public posts on your social media signed with that key. This way, you show everyone that you own these accounts or websites or whatever.

If I don't want to give keybase my private key, which I obviously don't, how can it sign my tweets?

What is even the use case of signing my tweets? Presumably if I can access my account, t's me. There's only two alternative scenarios: someone hacks my account, or twitter is trying to screw me. Is there really a use case for this? Other than a few very high risk individuals, I don't think there's a point in signing tweets.

One of us (or both) is missing something here :D

[wolfgang42]

Keybase is primarily about signing linked identities, not content--you don't (and, AFAIK, can't) sign individual tweets with it. Rather, you sign one particular tweet which links your account to a Keybase identity. Someone who knows you on Twitter can use that to verify your identity on Keybase, and then transitively on other services such as GitHub, HN, your website, PGP, etc.

In addition, it also has some additional features to make cryptography slightly easier for the layperson, such as support for PGP through a web UI: this is why you might want to upload your private key, though they make it clear this is a bad idea in high-security situations. For all of the core service, Keybase generates various 'device keys' which sign these identity verifications, the private keys for which never leave the users' computers.

[ameliaquining]

You've got it backwards. The point of Keybase is to replace PGP web of trust with a more human-friendly system based on proof of control of social media accounts (and/or domain names, and/or various other things).

The idea is that you tweet a message that's signed with your PGP key, then publicly register the URL of your tweet on the Keybase server. Later, when somebody requests your public key on Keybase, the Keybase client also requests that URL from the Keybase server, then scrapes it, verifies the signature, and tells that user what your Twitter handle is. That way the user knows that the owner of that private key is the same person who owns your Twitter handle.

Obviously this isn't secure by itself against a compromise of your Twitter account, but if you do this with multiple social media profiles (and/or domain names, and/or various other things), then the proof of identity becomes stronger. And there are some additional security measures based on timestamping and cross-signing.

Documentation: https://keybase.io/docs/server_security/following

[RasputinsBro]

In other words, "a website that has people accounts and they can like other website's accounts".

[robjan]

> If I don't want to give keybase my private key, which I obviously don't, how can it sign my tweets?

You don't sign all of your tweets. Just one which proves that the person who owns the keybase account also owns the twitter account in question. Through transitivity, you can then prove that you are the same person who owns a particular facebook/github/HN account if you also sign a post on those services.

> Presumably if I can access my account, t's me.

That proves the person logged into the account is authorised to log in, not that the owner of the account is a particular person or the same person that owns another account on another service.

[RasputinsBro]

> That proves the person logged into the account is authorised to log in, not that the owner of the account is a particular person or the same person that owns another account on another service.

Keybase can't know who the person logged into the account is either. But they can tweet, and so keybase will tell everyone that the twitter account which has signed tweets using my private keep is tweeting.

[robjan]

> Keybase can't know who the person logged into the account is either. But they can tweet, and so keybase will tell everyone that the twitter account which has signed tweets using my private keep is tweeting.

This is true. In the scenario where the account is compromised you are supposed to revoke the signature.