by squashmode 3173 days ago
I agree with the statement in the article that the current Web-of-Trust model is broken. I think that is one thing that the folks at keybase (keybase.io) understand, and I like their model. I like it enough, in fact, to actually use it, something that I cannot say about GPG despite having tried it on numerous occasions over the years.

GPG is proposing going to a TOFU model (trust on first use, much like ssh works). I'll be curious to watch if that takes off; it seems like a step in the right direction.

I think 'trust' as a concept is difficult to codify into a protocol. What alternatives are there that would be better than what keybase.io does, or what GPG is proposing?
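As an added illustration of the TOFU model mentioned above (not code from the post, GPG or keybase), here is a minimal key-pinning store in the spirit of ssh's known_hosts: the first key seen for an identity is pinned, later presentations are compared against the pin, and a mismatch is surfaced rather than silently overwritten. The identities, key bytes and the SHA-256 "fingerprint" are constructed stand-ins.

```python
# Minimal trust-on-first-use (TOFU) key store, modelled on ssh's known_hosts.
# Constructed example; not GPG's or keybase's code. Key bytes and identities
# are made up, and SHA-256 of the raw key stands in for a real fingerprint.
import hashlib
import json
from enum import Enum
from pathlib import Path
from typing import Optional


class Verdict(Enum):
    NEW = "new"            # identity never seen: pin it (the TOFU leap of faith)
    MATCH = "match"        # same key as pinned
    MISMATCH = "mismatch"  # different key: legitimate rotation or impersonation


def fingerprint(public_key: bytes) -> str:
    """Stand-in fingerprint: SHA-256 hex digest of the raw key bytes."""
    return hashlib.sha256(public_key).hexdigest()


class TofuStore:
    """Pins one fingerprint per identity; optionally persists pins as JSON."""

    def __init__(self, path: Optional[Path] = None):
        self.path = path
        self.pins = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, identity: str, public_key: bytes) -> Verdict:
        fp = fingerprint(public_key)
        pinned = self.pins.get(identity)
        if pinned is None:
            # First use: nothing to compare against, so record the key.
            self.pins[identity] = fp
            self._save()
            return Verdict.NEW
        # A later key never silently replaces the pin; a mismatch has to be
        # resolved out of band, exactly like a changed ssh host key.
        return Verdict.MATCH if pinned == fp else Verdict.MISMATCH
```

The weakness of the model is visible in the first branch: the very first key is accepted on faith, which is the gap the Web-of-Trust and keybase-style proofs try to close.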

2 comments

Last time I tried to use keybase it required me to paste my private key into a browser before using any of the advanced features like chat. This seems unnecessary and doesn't make any sense from a security perspective. Has the situation changed? I won't use their service until this is fixed.
If I recall correctly, you can choose to let keybase store your password-protected private key for the purposes of decrypting messages through the website, but that's not required, and the advanced features (e.g. chat) don't work without a local install. Everything that can be delegated to the app (GUI or command line) generally is. The keybase team seems to take this quite seriously, and they've had documentation on how to use the platform without giving their servers any information since at least when I joined in early 2014.

Give it a shot, it's quite painless as far as crypto products go. You can always choose not to use it if you decide it's storing too much information. Happy to provide an invite if you (or anyone else) needs one.

I'm curious about your statement that you're using keybase, but not GPG. If you're only interacting with others that are using keybase, I assume that's possible, but if you're interacting with others, you're going to have to use GPG, right? Keybase can handle public keys, but your private key is yours. Or am I missing something?
Keybase has increasingly moved to its own crypto model that isn't GPG backed. Even in cases where "traditional" PKI RSA and ECC curves are used, it doesn't use the GPG tools anymore and instead uses other open source implementations.