Hacker News
by oefrha 2382 days ago
I don’t enjoy the key management part of Keybase and don’t find it particularly strong, but why do you think the curl method is inscrutable? The entire payload (basically a JSON blob plus a signature) is there for you to see instead of a binary client that could do god knows what (even if you have the source code it’s probably harder and at least slower to understand than the final payload sent over the wire). I would say the curl method is actually the most inspectable one.

Inscrutable may have been a little strong, but just having a re-test here shows me a nine-argument curl call in some paths. I'm not saying you can't inspect it, but there is a lot going on there.

I think we're in agreement that a huge binary client is worse, but I'm suggesting there may be a middle ground with a small/simple open source client just for the key management aspect. That said, it does of course rely on people actually looking at the source of such a client ;)

The parameters are mostly server states. What’s interesting to you should be “what am I signing” (since that’s the only part they didn’t provide you in the first place) and it’s a JSON blob that’s fairly understandable.

A small client is still going to send the same payload.
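The thread's point is that the thing worth reading is the signed statement itself, not the curl flags around it. The following is an added example, not Keybase's code or its real proof format: it builds a "JSON blob plus signature" payload of the kind a curl one-liner would POST, then answers "what am I signing?" by verifying that the signature covers exactly the statement bytes on the wire and refusing to decode a statement with fields the reader did not expect. The `Statement` field names, the base64 encoding and the payload layout are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is a constructed stand-in for the JSON blob a client asks you to sign.
// The field names are assumptions for this example, not a real proof schema.
type Statement struct {
	Service  string `json:"service"`
	Username string `json:"username"`
	KeyFP    string `json:"key_fingerprint"`
	Seqno    int    `json:"seqno"`
}

// Payload is the shape a curl call would send: the exact signed bytes plus the
// signature and public key, all base64 so it survives shell quoting (assumed layout).
type Payload struct {
	Statement json.RawMessage `json:"statement"`
	Sig       string          `json:"sig"`
	PubKey    string          `json:"pubkey"`
}

// SignBytes signs arbitrary statement bytes; it is the primitive BuildPayload uses
// and is also what lets a test show what happens when the blob contains surprises.
func SignBytes(priv ed25519.PrivateKey, msg []byte) Payload {
	sig := ed25519.Sign(priv, msg)
	pub := priv.Public().(ed25519.PublicKey)
	return Payload{
		Statement: json.RawMessage(msg),
		Sig:       base64.StdEncoding.EncodeToString(sig),
		PubKey:    base64.StdEncoding.EncodeToString(pub),
	}
}

// BuildPayload serializes the statement once (json.Marshal on a struct emits fields
// in declared order with no whitespace) and signs those exact bytes, so the signed
// message and the transmitted message cannot drift apart.
func BuildPayload(priv ed25519.PrivateKey, st Statement) (Payload, error) {
	msg, err := json.Marshal(st)
	if err != nil {
		return Payload{}, err
	}
	return SignBytes(priv, msg), nil
}

// Inspect answers "what am I signing?": it checks that the signature covers the
// statement bytes as transmitted, then decodes them strictly, rejecting any field
// the reader has not accounted for, so nothing is signed that was not understood.
func Inspect(p Payload) (Statement, error) {
	var st Statement
	pub, err := base64.StdEncoding.DecodeString(p.PubKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return st, errors.New("bad public key")
	}
	sig, err := base64.StdEncoding.DecodeString(p.Sig)
	if err != nil {
		return st, errors.New("bad signature encoding")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), p.Statement, sig) {
		return st, errors.New("signature does not cover the statement bytes")
	}
	dec := json.NewDecoder(bytes.NewReader(p.Statement))
	dec.DisallowUnknownFields() // an unexpected field is a reason to stop, not to sign
	if err := dec.Decode(&st); err != nil {
		return st, fmt.Errorf("statement has content I did not expect: %w", err)
	}
	return st, nil
}

func main() {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample statement; the values are illustrative only.
	p, err := BuildPayload(priv, Statement{Service: "example.com", Username: "alice", KeyFP: "0123abcd", Seqno: 7})
	if err != nil {
		panic(err)
	}
	wire, _ := json.MarshalIndent(p, "", "  ")
	fmt.Printf("payload as it would go over the wire:\n%s\n", wire)
	st, err := Inspect(p)
	fmt.Printf("signed statement: %+v (err=%v)\n", st, err)
}
```

Inspect runs over the payload as transmitted rather than over a re-serialized copy, which is the check that matters: a signature is only evidence about the bytes it actually covers, and the JSON you read and the JSON you sign must be the same bytes.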