I decided to play with #keyoxide since #keybase is pretty much totally dead now: https://keyoxide.org/hkp/24F8AA354990F3F562EC014BC6496DEB3DA8E9B5
Seems... fine. Same idea as Keybase, but no cryptographic verification of the claims, so rather more trust required in the provider.
(This is for the new #GPG key I set up last month in https://www.roguelazer.com/2022/06/2022-gpg-key-transition/)
What do you mean by “no cryptographic verification of the claims”? The claims are actually bi-directionally verified.
I think you mean that the claim on, say, GitHub is not cleartext signed? It’s true, but compared to Keybase, the claims are stored inside your OpenPGP key in an area that *is* signed. Having the claim document on GitHub be additionally signed would not bring any additional security.
Actually the current Keyoxide design is a little bit more secure than that of Keybase since in Keyoxide the claims are signed by your primary (master) key and not just any signing subkey like on Keybase. Since the primary key is rarely used it can be stored on an offline computer while the signing subkey is often needed on online machines (e.g. git commit signing etc.) so it’s far easier to misuse it.
Have a nice day! 👋
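Added example, not part of the thread and not Keyoxide's own code: a Python sketch of the bi-directional check the reply describes, where the key names an account in a signed notation and a document under that account names the key's full fingerprint. It assumes claims are carried in `proof@ariadne.id` notations and proof documents use an `openpgp4fpr:` URI; the account URLs, documents and the `verify_claims` helper are constructed for illustration, and verifying the self-signature against the primary key is assumed to have happened already.

```python
import re

# Assumption: identity claims are OpenPGP notations named proof@ariadne.id,
# and the proof document names the key as an openpgp4fpr:<fingerprint> URI.
NOTATION_NAME = "proof@ariadne.id"
FPR_URI = re.compile(r"openpgp4fpr:([0-9A-Fa-f]+)")

def verify_claims(fingerprint, signed_notations, fetch):
    """Return {claim_uri: status} for every identity claim on the key.

    signed_notations: (name, value) pairs taken from a self-signature that
    has ALREADY been verified against the primary key (not done here).
    fetch: callable returning the proof document text for a URI, or None.
    """
    want = fingerprint.replace(" ", "").upper()
    results = {}
    for name, uri in signed_notations:
        if name != NOTATION_NAME:
            continue  # unrelated notation, not an identity claim
        doc = fetch(uri)
        if doc is None:
            results[uri] = "unreachable"
            continue
        found = {m.upper() for m in FPR_URI.findall(doc)}
        # Full-fingerprint equality only: a short key ID or another key's
        # fingerprint in the document must not verify the claim.
        results[uri] = "verified" if want in found else "mismatch"
    return results

# Constructed sample data (hypothetical accounts and documents).
FPR = "24F8AA354990F3F562EC014BC6496DEB3DA8E9B5"  # from the URL in the first post
NOTATIONS = [
    ("proof@ariadne.id", "https://example.test/alice/proof"),
    ("proof@ariadne.id", "https://example.test/mallory/proof"),
    ("proof@ariadne.id", "https://example.test/short/proof"),
    ("proof@ariadne.id", "https://example.test/gone/proof"),
    ("preferred-email-encoding@pgp.com", "pgpmime"),
]
DOCS = {
    "https://example.test/alice/proof": "Verifying my OpenPGP key: openpgp4fpr:" + FPR.lower(),
    "https://example.test/mallory/proof": "openpgp4fpr:" + "A" * 40,
    "https://example.test/short/proof": "openpgp4fpr:" + FPR[-16:],
}

if __name__ == "__main__":
    for uri, status in verify_claims(FPR, NOTATIONS, DOCS.get).items():
        print(status, uri)
```

Only the first claim verifies: the others show a key pointing at an account that points to a different key, an account that lists only a short key ID, and a proof document that cannot be fetched.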