by davmre 4470 days ago
It's not correct that you need to trust Keybase. The way that someone verifies their social identity is by posting a tweet (or equivalent) signed with their private key. So you can look up someone's public key on Keybase and then verify that Keybase gave you the correct key, by checking the signature on their original tweet / other social verification posts.

Assuming you actually do this level of verification yourself (rather than allowing keybase to do it for you), the only thing you have to trust is that Keybase/Twitter/Github/Facebook/etc aren't all simultaneously colluding to give you a bad key. That seems to me like a reasonable assumption in pretty much all plausible circumstances.

1 comments
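
The check the comment above describes, as an added example that is not code from the thread or from Keybase: a social proof is a public post whose signed statement binds a handle to a key fingerprint, and a key handed out by the directory is accepted only if it both verifies the post's signature and is the key the post names. The statement format and the use of Ed25519 in place of the user's real key type are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Proof is a constructed stand-in for a signed social-media post: a statement
// naming the account and key fingerprint, plus the owner's signature over it.
type Proof struct {
	Statement string
	Signature []byte
}

// Fingerprint labels a public key the way a key directory would display it.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// MakeProof is what the key owner does once: sign a statement binding
// their handle to their key fingerprint, then post it publicly.
func MakeProof(priv ed25519.PrivateKey, handle string) Proof {
	pub := priv.Public().(ed25519.PublicKey)
	stmt := fmt.Sprintf("I am %s and my key fingerprint is %s", handle, Fingerprint(pub))
	return Proof{Statement: stmt, Signature: ed25519.Sign(priv, []byte(stmt))}
}

// VerifyProof accepts the directory's key only if the public post names that
// exact key and handle AND its signature verifies under it, so a directory
// that substitutes a key cannot reuse the real user's old post as evidence.
func VerifyProof(directoryKey ed25519.PublicKey, handle string, proof Proof) bool {
	expected := fmt.Sprintf("I am %s and my key fingerprint is %s", handle, Fingerprint(directoryKey))
	if proof.Statement != expected {
		return false
	}
	return ed25519.Verify(directoryKey, []byte(proof.Statement), proof.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	proof := MakeProof(priv, "@alice") // the user's genuine post
	fmt.Println("genuine key accepted:", VerifyProof(pub, "@alice", proof))
	attackerPub, _, _ := ed25519.GenerateKey(rand.Reader) // key a bad directory might hand out
	fmt.Println("substituted key accepted:", VerifyProof(attackerPub, "@alice", proof))
}
```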

Aha, good point! Hmm, have to think about that more.

It might be cool if there were an open source tool (from keybase or not) that would do this check for you. Most people in the target audience aren't going to be able to do it themselves.

That might be something cool for keybase to provide. (Yes, of course you'd still have to trust the open source tool, but that's why it's open source, etc.).

Before sending something particularly sensitive, you could run the tool to check that the public key you have still matches what was posted on their twitter, facebook, etc. (And yes, if someone can hack the old tweet on twitter, then of course, yeah).

Isn't that exactly what the command line client does when you verify a user?
Ah, you can re-verify the user at any point, not just the first time you add them as a contact or whatever? Neat.

Okay, this is good marketing for the product, because you are convincing me that at least it might have evaded some of these problems, and is worth further investigation. :)

Yes, it is, and it's 100% open source.