1. 6
  2. 4

    As much as I liked Keybase initially, I basically stopped using it.

    For key lookup I use gpg --locate-key $EMAIL. That will fetch the key by e-mail using HTTPS via the Web Key Directory protocol (e.g. kernel.org keys are available like that).

    The social proof system seemed nice at the beginning but later became just stamp collection. If someone is really using PGP they would list the key fingerprint on their page/profile. (For the record, there is a social proof system implemented purely in OpenPGP: linked identities, implemented e.g. in OpenKeychain.)

    Additionally, as far as I can see, Keybase doesn’t allow storing keys on hardware tokens (e.g. Yubikey).

    1. 3

      The Keybase model is one key per device. So if a Yubikey is used they issue a new sub-certificate to be used on the machine. This makes it impossible to use the key as a 2FA: https://github.com/keybase/keybase-issues/issues/1946

      1. 1

        Yep, I’ve seen lvrick’s comment previously on HN about this but I didn’t want to comment that strongly here on Lobste.rs, although lvrick clearly has a point.