They have a feature wherein you store your password-protected private key on their servers. By my reasoning (not being a cryptographer), if a passphrase isn't strong enough to protect your private data, it's not strong enough to protect my key, which in turn will no longer protect my private data. Let me know where I may be wrong on this.
Here's a counterpoint: https://blog.filippo.io/on-keybase-dot-io-and-encrypted-priv... I don't understand it. If it really doesn't matter, why wouldn't it just derive the private key from the passphrase? I don't appreciate cryptographers appealing to some sort of common sense in the face of something another cryptographer has created.
It's not hard if you're keybase. GPG isn't known for being based on trusting anybody other than yourself.
Also note that the blogger (seemingly a security expert that people respect on here) I posted just went ahead and displayed their public key, to demonstrate that they're not afraid of Keybase or anybody else having it.
The original discussion was about generating keys from passphrases, which is much, much easier to exploit than what Keybase is doing. The discussion about whether Keybase's usability is worth the security tradeoff is one I'll leave to someone else.