by nindwen
2378 days ago
I don't know why it seems odd to you, it is literally what Keybase has been about since its start: the point is that you can bootstrap trust by linking to multiple already known identities (like twitter, hn, github) in a secure way. Even if you dislike all the other things Keybase has done since, this is a significant improvement over web-of-trust or TOFU. It should be trivially verifiable by yourself: just watch what requests your device is making. And the app itself is open source, so you should be able to trust it.
---
> It should be trivially verifiable by yourself
Yeah sure, once you realize that third parties are required for security.
This shifts the root of trust from just Keybase to Keybase + a third party. That's not quite what I would call end to end encryption, at least not if there is no fallback to checking the keys manually. That's just not what the word means to me, even if the risk is sufficiently low that I guess it can be considered equivalent.
So I'm not saying it's a bad thing. If indeed all chat apps had such a scheme where third parties vet the keys, i.e. if it were commonplace to have to compromise two or more companies' servers before you can MITM someone successfully, it would be a huge improvement over the current state. Keybase is definitely being innovative here. It's just not how it's marketed (namely as being a secure chat in and of itself), and I hadn't realized that this might be what they mean when they write "end to end encrypted [but only if you sign up with a trusted third party!]".
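The threat model both comments are circling (a key served by the directory must also be vouched for by proofs on independent services, so an attacker has to compromise the directory and every linked service to substitute a key) can be made concrete. The Go program below is an added illustration written for this thread, not code from the thread or from Keybase itself; the proof statement format, the truncated SHA-256 fingerprint, the `Directory`/`Service` types and the account name `alice` are all stand-ins chosen for the example, and the in-memory maps stand in for fetches to the directory and to each service. It runs the honest case, a directory-only key swap, and a directory-plus-one-service collusion, and shows why the last one is still caught as long as one uncompromised proof remains.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Proof is a statement, signed with the user's key, binding a key
// fingerprint to an account on an external service. The format is a
// stand-in for this example, not the real Keybase proof format.
type Proof struct {
	Service, Account, Fingerprint string
	Sig                           []byte
}

// fingerprint is a short hash of the public key (example scheme only).
func fingerprint(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:8])
}

func proofMessage(service, account, fp string) []byte {
	return []byte("service=" + service + ";account=" + account + ";key=" + fp)
}

func makeProof(priv ed25519.PrivateKey, service, account string) Proof {
	fp := fingerprint(priv.Public().(ed25519.PublicKey))
	return Proof{service, account, fp, ed25519.Sign(priv, proofMessage(service, account, fp))}
}

// Service stands in for twitter/github/hn: the proof each account has posted.
// Each one is a separate server an attacker would have to compromise.
type Service map[string]Proof

// Directory stands in for the Keybase server: it hands the client the user's
// public key and the (service, account) links to check against.
type Directory struct {
	Key   ed25519.PublicKey
	Links map[string]string // service -> account
}

// verify accepts the directory's key only if every linked service carries a
// proof that (a) names this service/account, (b) names this key's fingerprint
// and (c) is signed by this key; at least minProofs such proofs are required.
func verify(dir Directory, services map[string]Service, minProofs int) error {
	fp := fingerprint(dir.Key)
	ok := 0
	for svc, account := range dir.Links {
		p, found := services[svc][account]
		if !found {
			return fmt.Errorf("%s/%s: no proof posted", svc, account)
		}
		if p.Service != svc || p.Account != account || p.Fingerprint != fp {
			return fmt.Errorf("%s/%s: proof binds key %s, directory serves %s", svc, account, p.Fingerprint, fp)
		}
		if !ed25519.Verify(dir.Key, proofMessage(svc, account, fp), p.Sig) {
			return fmt.Errorf("%s/%s: signature does not verify under directory key", svc, account)
		}
		ok++
	}
	if ok < minProofs {
		return fmt.Errorf("only %d valid proofs, need %d", ok, minProofs)
	}
	return nil
}

// Scenarios returns the outcome for: honest directory; directory alone swapping
// in the attacker's key; directory plus twitter both compromised.
func Scenarios() (honest, directoryOnly, directoryPlusTwitter error) {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	malPub, malPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker key

	services := map[string]Service{
		"twitter": {"alice": makeProof(alicePriv, "twitter", "alice")},
		"github":  {"alice": makeProof(alicePriv, "github", "alice")},
	}
	links := map[string]string{"twitter": "alice", "github": "alice"}

	honest = verify(Directory{alicePub, links}, services, 2)
	directoryOnly = verify(Directory{malPub, links}, services, 2)

	// Attacker also controls twitter and re-posts a proof under their own key;
	// github still holds Alice's original proof.
	colluding := map[string]Service{
		"twitter": {"alice": makeProof(malPriv, "twitter", "alice")},
		"github":  services["github"],
	}
	directoryPlusTwitter = verify(Directory{malPub, links}, colluding, 2)
	return
}

func main() {
	h, d, dt := Scenarios()
	fmt.Println("honest:", h)
	fmt.Println("directory swaps key:", d)
	fmt.Println("directory + twitter collude:", dt)
}
```

The client is only as safe as the set of services it actually re-fetches and re-verifies itself; if it trusted the directory's word that the proofs check out, the extra parties would add nothing. That is the "watch what requests your device is making" check from the first comment, and it is also why the second comment's fallback of comparing fingerprints out of band still matters: it is the one check that needs no server at all.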