It might be worth clarifying that, if you're using that keybase.pub website, you're trusting the Keybase server that hosts it to honestly serve the files. But if you run the Keybase client locally, and browse the same files under `/keybase/public/`, your client will check the signatures on everything, and you are not trusting the server.
That's an important clarification, and I would add: it's easier to trust when you can verify.
That is to say, the website is https, so I trust that the server I'm asking for the file is the same one that gives it to me. And since I can verify signatures locally, any time I choose, it would be hard for that server to get away with modifying file contents only when served through the site; sooner or later someone would catch them out at it.
But yes, if it's important, definitely get the files from a native client; CLI or GUI shouldn't matter.
> And since I can verify signatures locally, any time I choose, it would be hard for that server to get away with modifying file contents only when served through the site; sooner or later someone would catch them out at it.
That's only true if they lie to large numbers of people. If they just lie to a handful of people, who will ever know? (And you're probably not connecting through Tor, so there's a good chance they could know exactly who you are.)
> the website is https, so I trust that the server I'm asking for the file is the same one that gives it to me.
The time between them modifying the files and someone noticing isn't a trivial detail. It's the same idea behind 0-day exploits: perform an attack until someone catches you.
This would be a somewhat stronger argument if we knew someone was actually checking. Who's going to bother?
But in practice it doesn't seem very different from any other hosting site? I'm wondering if they use a CDN, how long they will be able to offer free hosting, and what happens when people start publishing controversial content through them?
Serious question, what is Keybase? It started as an identity key verification service (which I use), then went on to be an encrypted file store (which I use), then went to be a chat service (again I still use it though it has its issues), then they added some weird cryptocurrency thing (feels scammy), and now they're adding another file serving option (which looks really cool). So, what do I call Keybase when I'm trying to get people to use it?
Stellar (https://www.stellar.org/overview) isn't part of Keybase per se, they've just developed an integration - or better said, a wallet - for that system. To me Stellar's mission doesn't seem too far apart from Keybase's, I can understand why they see value in it for their users.
A case study in feature (and scope) creep. I really wish they had just stuck to being an identity verification service as that's the main use case I've given them, but I feel they're stretching themselves too thin (and just being that would probably be difficult to monetize).
This is my worry for them, quantity over quality. Though I have to say their quality is pretty good. It just feels like too much and really confuses people when I start to tell them. My issue is still, how can I describe keybase without people saying to me it looks bloated. Maybe it is and that's the problem.
Keybase.pub has existed since they launched the file system. This is nothing new, it's just the /keybase/public folder.
What they did add was SSH server, banning, git hosting, and now bots to the chat.
As for what it is, their primary claim to fame is to solve the identity problem in the internet and secondary they solve the private key on multiple devices problem by having a smart way to have private key per device.
Once you have those 2 things you can build all kinds of stuff around that, and that's what they do. A well encrypted Slack is basically what they are.
I use it mostly to move files between machines or to host files I want to send to others. I also use the private git for backups for important folders.
The main thing that they are really missing in my opinion is being an IdP for OpenID Connect.
Seems like they nailed identity verification, then started tackling the things people tend to use trusted identities for: messaging, sharing files, transferring money — probably more to come.
Not saying it’s good or bad, but if you look at why people need trusted ID it might make more sense.
Whoa - you really hit upon a question that I've also had. Keybase does seem to be suffering from feature creep that is actually making it harder to 'sell' to a non-super-tech person. They really ought to rethink their UX/UI, so the call to action via their software is more easily understood.
Indeed, I feel like Keybase is on the right path to solve provable identity on the internet, and they should focus on that by giving third parties an easy way to integrate it, give application or service makers a way to delegate authentication, and it would be a damn success.
Honestly, I'm not a user of Crypto but they are sending free money.
I transfer them into Bitcoin and sell them on Coinbase and receive the money through Paypal. I've received over 80$ for basically nothing as far as I'm aware. I'm happy with it.
Just to be precise, Keybase doesn't use GPG crypto for anything, except validating that you own one. All the crypto is home-made (although as someone somewhat interested in the field I would say it is better than using stock GPG).
Yeah starting from Catalina the / is now read-only. Upgrading from an old macOS also kills any previously created files or directories at root that were not shipped with the system. So `/keybase` is gone on Catalina.
Telegram group chats are NOT end to end encrypted. Telegram has an option for e2ee chats but they won’t sync across devices, last I checked, and nobody uses them.
My use-case is E2E encrypted (team) chat coupled with identity verification. In some projects having assurances that you're talking to who you think you're talking to can be a big deal.
Is there an easy way to use this without a mounted drive on my PC? Like a gpg sort of command line thing to expose the file on the Keybase servers like Firefox Send does?
Because other people can trust that the files are from you. Let's say you have some C project on GitHub, you want to release a binary. Put it on Keybase and people can trust it is from you.
Keybase claims to be a modern replacement for PGP yet I don't think they even have some SDK that acts like gpgme. This is a very rudimentary feature to implement but it can unleash a whole new world for applications that use signatures and E2EE.
Keybase is a good idea and they got lucky with getting popular but they haven't really implemented features that would make them essential. Most people just sign up and forget about it.
EDIT: Seriously why the downvotes without clarifying? Has Keybase adopted astroturfing on HN like Brave and DuckDuckGo?
They're building out plenty of applications themselves. That's the right approach. PGP didn't unleash a whole new world for applications because it didn't attack usability, which isn't something you do with an API.
You don't unleash a whole new world, period. The old one still exists.
The only way I see us migrating away from our current gpg use cases is if all the integrations we use somehow went unsupported. There's simply no reason to assume the risk of inserting Keybase (or anyone else's) dependencies.
Approximately no one, except anyone who commits code at the F100 company I work for, several other F100s I know people at, Debian, Ubuntu, and a number of other infra projects.
I'm willing to believe nobody in your corner of the world does. That's not the only corner of the world.
On the contrary, Keybase has the advantage of linking keys to social accounts. If Keybase have client libraries that use signing/verifying, encryption/decryption programmatically outside their bloated CLI that would be a great tool for authentication/authorization that can replace OAuth2/SSO for example. This itself can be a sufficient business plan for enterprise customers and I am not sure why they have not done it after all these years.
Obviously they want to lock users inside their tool for business reasons.