On a related note, I have some invites. Let me know if you have an interest in trying it out.
That second vulnerability—keybase.io/myname may not represent twitter.com/myname—seems to be covered by Keybase already: they allow you to verify a Twitter account and link it to your Keybase account. I don’t know what more they can do.
They could possibly prohibit linking to a Twitter account with the same name as an existing Keybase account.
This is something of a problem. For example, I’m tedunangst on Twitter and tedu on GitHub. I decide to be tedu on Keybase. My evil doppelganger decides to impersonate me by signing up as keybase/tedunangst and linking with twitter/tedu and github/tedunangst. How are you to know who’s who?
By artificially imposing some uniqueness constraints, Keybase could, for example, notice that although my Keybase name is tedu, my Twitter handle is tedunangst. Therefore, they would prohibit creating keybase/tedunangst. Or they would prohibit any account from linking to twitter/tedu. Or both.
There are obviously some land grab/denial of service issues here, but if they’re trying to be my “one true identity”, they need to cut down on aliases and collapse keybase/github/twitter into a single namespace.
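
The uniqueness constraint proposed in the comment above, as an added sketch that is not part of the original thread and is not Keybase's code. `IdentityRegistry`, `attempt` and the accounts `mallory`, `alice` and `al` are hypothetical, and proof that an account controls a handle is assumed to be checked elsewhere; the last three steps show the land-grab problem the comment mentions.

```python
class NameTaken(Exception):
    """The name is already held by a different account."""

class IdentityRegistry:
    """Hypothetical registry: account names and linked handles share one namespace."""
    def __init__(self):
        self.holder = {}  # name -> account holding it, whatever the service

    def register(self, account):
        account = account.lower()  # assumption: names compare case-insensitively
        if account in self.holder:
            raise NameTaken(f"{account}: name held by account {self.holder[account]}")
        self.holder[account] = account

    def link(self, account, service, handle):
        # Assumption: proof that the account controls the handle is checked elsewhere.
        account, handle = account.lower(), handle.lower()
        if self.holder.get(account) != account:
            raise KeyError(f"no such account: {account}")
        current = self.holder.setdefault(handle, account)
        if current != account:
            raise NameTaken(f"{service}/{handle}: name held by account {current}")

def attempt(action, *args):
    """Run one registry call; return 'ok' or the refusal reason."""
    try:
        action(*args)
    except NameTaken as exc:
        return f"refused: {exc}"
    return "ok"

def replay_thread_scenario():
    """Constructed replay of the tedu/tedunangst case, then one squatting case."""
    reg = IdentityRegistry()
    return {
        "tedu signs up": attempt(reg.register, "tedu"),
        "tedu links twitter/tedunangst": attempt(reg.link, "tedu", "twitter", "tedunangst"),
        "tedu links github/tedu": attempt(reg.link, "tedu", "github", "tedu"),
        "impostor signs up as tedunangst": attempt(reg.register, "tedunangst"),
        "mallory signs up": attempt(reg.register, "mallory"),
        "mallory links twitter/tedu": attempt(reg.link, "mallory", "twitter", "tedu"),
        "squatter signs up as alice": attempt(reg.register, "alice"),
        "al signs up": attempt(reg.register, "al"),
        "al links twitter/alice": attempt(reg.link, "al", "twitter", "alice"),
    }

if __name__ == "__main__":
    for step, outcome in replay_thread_scenario().items():
        print(f"{step}: {outcome}")
```
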