by defrex 4462 days ago
From the README:

  caveat npmtor
  github's servers can be compromised by a court order, intruder, or employee. 
  You should use a secondary means of verification to check all the keys fetched 
  from github where secrecy from courts, intruders, and github employees is 
  of paramount importance.
This is one of the main advantages of keybase.io, though cipherhub has the advantage of not requiring users to opt-in before you can encrypt a message for them.

You can have SSH keys on your OpenPGP keyring (with the next version of GnuPG at least it should be supported), so then the 'public gist' shouldn't be required by 'keybase prove github' at all:

* you put your public SSH key on your OpenPGP keyring (which is signed by your main identity), you publish your updated key - this proves the relationship between the SSH key and the OpenPGP key

* you use the 'github.com/username.key' to check the association between the github username and the SSH key

This leaves the problem that the association between your username and SSH key is weak(er) as it's not cryptographically signed, and that you do this validation outside PGP's web of trust model.
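The second step above (comparing the keys GitHub serves for a username against the SSH key recorded on the signed OpenPGP key) can be done mechanically by fingerprint. The following is an added example, not code from the comment, from keybase or from cipherhub: it parses an authorized_keys-style listing of the kind served at github.com/<username>.keys, computes OpenSSH-style SHA256 fingerprints, and reports which trusted fingerprints were confirmed, which are missing, and which served keys are unknown (the signal that the listing was tampered with or a key was added without the signed record being updated). The network fetch is left out so it runs offline; the ed25519 key material and the listing are constructed here and are not real keys.

```python
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


def build_ed25519_blob(raw32: bytes) -> bytes:
    """Build the OpenSSH public-key blob for an ed25519 key from its 32 raw bytes."""
    assert len(raw32) == 32
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)


def wire_key_type(blob: bytes):
    """Return the key type embedded at the front of the blob, or None if malformed."""
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        return None
    return blob[4:4 + n].decode("ascii", errors="replace")


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keys_listing(text: str):
    """Parse an authorized_keys-style listing into (type, blob) pairs.

    Lines that are blank, comments, not valid base64, or whose leading type
    token disagrees with the type inside the blob are skipped rather than
    trusted.
    """
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ktype, b64 = parts[0], parts[1]
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if wire_key_type(blob) != ktype:
            continue
        keys.append((ktype, blob))
    return keys


def verify_github_keys(listing: str, trusted_fingerprints: set) -> dict:
    """Compare the keys a service serves against fingerprints taken from the
    signed OpenPGP record. Anything in 'unexpected' was served but never
    signed; anything in 'missing' was signed but is not being served."""
    served = {fingerprint(blob) for _, blob in parse_keys_listing(listing)}
    return {
        "confirmed": sorted(trusted_fingerprints & served),
        "missing": sorted(trusted_fingerprints - served),
        "unexpected": sorted(served - trusted_fingerprints),
    }


# Constructed sample data (hypothetical keys, not real key material).
TRUSTED_BLOB = build_ed25519_blob(bytes(range(32)))          # the key on the signed keyring
TRUSTED_FPR = fingerprint(TRUSTED_BLOB)
ROGUE_BLOB = build_ed25519_blob(bytes(range(1, 33)))         # a key that was never signed

# What the per-user listing might look like if an extra key had been added.
GITHUB_LISTING = "\n".join([
    "ssh-ed25519 " + base64.b64encode(TRUSTED_BLOB).decode(),
    "ssh-ed25519 " + base64.b64encode(ROGUE_BLOB).decode(),
    "# trailing comment line, ignored",
])


def demo() -> dict:
    """Run the check against the constructed listing."""
    return verify_github_keys(GITHUB_LISTING, {TRUSTED_FPR})


if __name__ == "__main__":
    for status, fprs in demo().items():
        print(status, fprs)
```

The fingerprints are what `ssh-keygen -lf` prints for the same key, so the trusted set can be filled in by hand from the key stored on the signed keyring and the result compared by eye. A non-empty `unexpected` list does not prove compromise on its own, but it is exactly the case the comment's caveat is about, since nothing signed vouches for that extra key.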

If you think keybase.io cannot be compromised by a court order, intruder, or employee, I have a bridge I'm looking to sell on the cheap.
Granted, but the idea is that they would have to compromise Github, Twitter, a private domain, and more before performing a successful attack. That's considerably more complex than targeting one service.