I decided to play with since is pretty much totally dead now:

Seems... fine. Same idea as Keybase, but no cryptographic verification of the claims, so rather more trust required in the provider.

( this is for the new key I set up last month in )


What do you mean by “no cryptographic verification of the claims”? The claims are actually bi-directionally verified.

I think you mean that the claim on, say, GitHub is not cleartext-signed? It’s true, but compared to Keybase, the claims are stored inside your OpenPGP key in an area that *is* signed. Having the claim document on GitHub be additionally signed would not bring any additional security.

Actually, the current Keyoxide design is a little bit more secure than that of Keybase, since in Keyoxide the claims are signed by your primary (master) key and not just any signing subkey like on Keybase. Since the primary key is rarely used, it can be stored on an offline computer, while the signing subkey is often needed on online machines (e.g. git commit signing etc.), so it’s far easier to misuse it.

Have a nice day! 👋

Mastodon for Tech Folks
