Storing private keys in a place that you do not control is ridiculous. You are putting your trust in a service, thus making your own keys untrustworthy to yourself.
Put your public keys wherever you want. They are public. The SKS keyservers work well for this already, however.
The idea of getting crypto to the masses is laudable, but this is reinventing existing infrastructure and introducing new dangers to the system at the same time.
Please DO NOT USE keybase.io ... at least until the source is opened and we can see what they are doing.
Encouraging it is still bad news. I think we should be discouraging use of keybase until they fold on this feature and think of a better way.
That said, I am new to this whole thing myself. Is there a difference between what goes on in this process and backing up your private key as you normally do backups? It is encrypted here (granted, using a JavaScript CLI, which is in itself bad news).
Keybase never has to know what your private key is or store it. So, yes, you are completely free to continue managing your private and public keys however you are used to.
Of course, managing and creating your own keys outside of keybase and then importing your public key into it does mean you lose out on some of the convenience of the service but, like you say, it's too early to trust them with everything. This doesn't invalidate their novel approach to trust anchoring though (which you can fully partake in without having to hand over your private key).
> Keybase never has to know what your private key is or store it. So, yes, you are completely free to continue managing your private and public keys however you are used to.
And if they did require my private key I could always just not use the service at all. This is sort of beside the point. I'm not concerned about being coerced into anything. I'm concerned that they're sending the wrong message. Do you remember when Facebook used to ask for your Gmail password before we had OAuth? Do you think that was cool too?
> like you say, it's too early to trust them with everything
I'm not saying it's too early to trust them with everything. I'm saying you should never trust anybody with your private key. I don't care if it's my best friend, giving my private key to somebody is one more place it can get discovered. PGP offers something unique in that it can give you a network without any trust. You can weather the storm of broken https and MITMs and get to the person you're talking to. The only thing it doesn't fix is somebody owning your desktop. This is a beautiful thing if you think about it, and this sort of thing would dilute it.
I pretty much agree with everything you've said, but I think most of the worries are rendered harmless if keybase are clear and up front about the trade-offs. If you have a need for cast-iron privacy and security, don't use them. If, on the other hand, you just want a semi-secure solution that prevents run-of-the-mill third parties from intercepting reasonably benign day-to-day communication, then maybe the risk is worth the convenience. You could also maintain a second keypair unconnected to keybase for things that need to be really secure and private.
For me, the interest is solely with their approach to trust anchoring. I like that it simultaneously provides a place to post a brief bio, a public key and a way to tie the key holder to github and/or twitter accounts. I'm using that part of their offering now but I have no intention of ever giving them my private key.
If there could be some sort of plugin that could verify that you're running source that's been vetted, that'd potentially be fine. The problem is that normally you can't be sure of what you're being served, it could be a different program every time.
Even still, a browser is a big complicated program that could be compromised in some way, so it's still an iffy proposition. But, that's just a hunch.
It's a CLI, command line interface. I assumed you were talking about their NodeJS application, which is code downloaded to your computer which you can verify at any time you like.
How would opening the source help? If you're worried about their server you can't be sure of what they're running. The private key you send them, in their defense, is encrypted, and the CLI is open source.
> Keybase.io is also a Keybase client, however certain crypto actions (signing and decrypting) are limited to users who store client-encrypted copies of their private keys on the server, an optional feature we didn't mention above.