Mastodon and Keybase (keybase.io)
406 points by malgorithms 8 days ago | 184 comments

Just wanted to say that I moved from twitter to mastodon sometime late last year and couldn't be happier with it. Keybase integration is interesting to me, but not really useful since I don't want to tie mastodon with my real life identity.

The Fediverse as a whole has a very different 'feel' to it compared to Twitter. Twitter feels significantly more commercialized and stressful...mastodon / pleroma feel a lot more relaxed and pleasant in comparison.

Maybe I just accidentally joined nicer communities, but I see a lot of small-scale chitchat and genuineness on mastodon that I rarely see on twitter.

I've also had zero issues with the platform from a technical perspective...overall I think Mastodon, etc have done decentralization "right", and have a lot of potential for growth in the future

I opened a Mastodon account and me and one other person I know who opened an account toot at each other every 6 months or so... I guess there is another person I know who opened one but never toots...

I try to pretend it doesn't matter to me, but calling individual posts "toots" really does keep me from talking about the service with other people.

There are lots of interesting people on Mastodon, I would recommend searching by hashtag and joining an instance that matches your interests (eg: sdf.org, sergal.org (furries), cybre.space, etc).

Many instances block Mastodon.social and other massive instances, and different instances will have different views of the network (based on who the users of the instance follow and how long toots are retained).

I do wish mastodon had the concept of groups so I could join all the groups I'm interested in rather than having to sign up for an account on each one.

Generally you just follow people, making accounts on each instance would be rather silly.

eh, I don't really even use Twitter to talk with randos online... I get enough of that here. But I can see that people do use Twitter and Mastodon that way...

If "toots" is the one word that keeps it from getting ruined by mainstream adoption, then so be it. The cycle always seems to be:

1) Look at this great thing a few geniuses developed

2) The intellectuals and forward looking people early adopt

3) It slowly turns from being cool trendy and useful, into a Walmart-like all things to all people behemoth of gross negligence.

4) Some heavy abuses are uncovered, and using it is no longer valuable to anyone.

just call them "posts" or "microposts" if you don't like "toot"

mostly off topic:

Most of my friends are on Instagram and think I’m funny for being on twitter anyway. They have a business twitter account that they only use at conferences and socialize on IG.

I tried setting up a new ig account (deleted my first when they sold to Facebook) and couldn’t get past the input phone number portion of the signup.

Anyway trying to convert people from twitter to mastodon is sorta hard. If I couldn’t get them to go from IG to twitter there’s very little chance I’m going to get them to go from ig to mastodon.

> Anyway trying to convert people from twitter to mastodon is sorta hard.

That's because going from Twitter to Mastodon is a downgrade in pretty much every concrete way and only an upgrade in less concrete more esoteric terms.

From most people the main benefits I've seen cited are censorship resistance (how many people encounter significant censorship on twitter today?) and decentralization (which only really matters philosophically, to the user on the site the decentralization gets hidden).

On the downsides though there's plenty right on the surface for users: limited users (like all social networks if the people you want to interact with aren't there it's useless), mediocre default layout (the 3 column default doesn't make good use of space and give equal importance to everything cramping the main thing you want to see the toots) and discovery (the main way I've found people to follow on Mastodon? finding them on twitter where I already follow them and seeing they're on Mastodon too).

To a random user who doesn't really encounter censorship on twitter or care about decentralized/federated networks it's just a sub-par version of Twitter with a worse interface, a sparser social graph and longer handles.

> (how many people encounter significant censorship on twitter today?)

The point is not that you user are being censored, but that twitter "lies" to you about social dynamics with their obvious (yet hidden) biases.

Twitter promotes the extremes and hides the middle. If this is not enough they also apply a consistent political agenda (by protecting their main cash cow of liberal journalist) and lie about it.

Perfect example is what happened with the Covington kids and journalist calling for doxxing.

It would be cool to see everyone's Mastodon usernames/domains, I'm on my own self hosted instance where it's a bit more difficult to find other people.

Mine is: https://toot.jeena.net/@jeena

I switched to Mastodon about a year or so ago. I fully agree with the grandparent post in that the atmosphere is very different compared to the major social media platforms.

As you allude to, discovery is harder since you don't have an algorithm pointing you in the direction of content you're likely to engage with (yes, engage with, and not necessarily enjoy) but once you have found the right people to follow, it's more rewarding because it's your community, not owned by a single corporate entity.

Although I didn't use G+ much in the later days, its closure showed me how irresponsible it is to rely on proprietary platforms. I'm committed to never be active on a proprietary, closed social media platform again.

My main account is here: https://functional.cafe/@loke

> I'm committed to never be active on a proprietary, closed social media platform again.

Including HN?

That's a good point. Clearly I still use this platform, but I do see a difference between them.

I don't “post” on Hacker News. I do comment, but I don't think anyone who is interested in following whatever it is that I may have to say would come here to look up my posts.

Or, to put it in another way, if this place would introduce some social media features, such as the ability to follow people and post to followers, then it is highly unlikely that I would be interested in using those features.

I don’t think OP meant “proprietary, closed” as “centralized”. If it’s about the code: https://github.com/arclanguage/anarki

I referred to both, actually. It's about whether I own my own presence on the network.

Of course, I'm not hosting my own server, so I am in some way in the hands of its administrator, just like I was in the hands of Google when I used G+. However, I can talk to him directly, which is a huge benefit. Also, if he decides to shut down the server, I can still join a different instance and reconnect with all the people I was following on the old server.

What has your experience been with self-hosting?

I'd love to self-host a Mastodon instance that two-way mirrors my Twitter account and acts as a Twitter client (letting me pseudo-follow folks from Twitter). But in any case, I'd want to ensure that no content from people I follow gets mirrored/hosted on my own instance; the only content actually hosted on my own instance should be the content I post.

I've had a pretty good experience self-hosting with Pleroma. It's quite amazing that I can run a social media server with just a $5 VPS.

Not sure if there are bots / apps that can easily let you follow Twitter users on Mastodon, but I've definitely seen mastodon - twitter crossposter apps before.

What do you mean? No content other than what your users generate will be hosted on your instance.

There is a concept of a federated timeline, which does get synced to your local instance. If you follow someone on a remote instance, that instance feeds content into your instance so it can be loaded.

It syncs the people you follow, right? So presumably the only additional content on your instance is content from the people you follow, which should generally be low-risk.

I run my own instance too: @djsumdog@hitchhiker.social

I also made a guide for making your own Mastodon CSS:


Yeah, I self-hosted my own instance of Pleroma for a while, but eventually switched to a more popular instance with people who have similar interests as me (art + religion (specifically, rediscovering religion after rage-quitting Christianity @social.theliturgists.com)

I literally haven't actually posted or done anything on it...


I've thought about putting one up for social.bbs.io or bbs.land

I'm https://takeoverthe.world/@caff :) Self-hosting Mastodon has been an adventure, for sure. However, relays have definitely helped with federation. :)

> Keybase integration is interesting to me, but not really useful since I don't want to tie mastodon with my real life identity.

Ummm. I mean, https://keybase.io/mirimir has nothing to do with my "real life identity".

That's a good point but on the other hand, when you have no reason to connect accounts, connecting them in this way might not be good opsec.

I guess this could be useful to make switching mastodon servers smoother.

Mastodon and other fediverse software support pointing your old account to a new one. Keybase could be useful for confirming both are your accounts, but it's hardly the only way.


Okay, how do I sign up for Mastodon? I went to mastodon.com, and I got a page that the domain was for sale. Are they having funding problems?

Okay, I'm not that dumb, but some users are. And I really don't know how to get started. Not that I've ever been a big social media user, but I'm enough of a hipster to want to say I was on Mastodon before it was ruined.

I know you're joking, but if you found your way on to a site called "Hacker News" at a URL like https://news.ycombinator.com , is it really going to be so much more complicated to understand that https://mastodon.social is the website of the Mastodon social network?

I'm honestly fine with the mastodon devs not having to spend 1000s of dollars to get the mastodon.com domain. Evidently that domain is so expensive that even the popular heavy metal band "Mastodon" haven't bought that domain (they seem to be at https://www.mastodonrocks.com/ )

BTW, if you're having difficulty finding an instance that caters to your interests, https://joinmastodon.org has a signup flow that shows mastodon instances based on interests. That might help.

> I know you're joking, but if you found your way on to a site called "Hacker News" at a URL like https://news.ycombinator.com , is it really going to be so much more complicated to understand that https://mastodon.social is the website of the Mastodon social network?

Yes it is, because when people think of $something, they assume the website is $something.com.

If Mastodon plans to appeal to the general public then it will need to be easier to find.

I'm personally not at all attached to the 'mastodon.social' domain (i'm self-hosting my own account on a different instance), but I am somewhat surprised at this perspective on TLDs.

Most users of the internet have been exposed to TLDs other than ".com". For example, wikipedia is at a .org TLD, US government sites are at .gov domains, university websites are at .edu domains. Most non-US users will frequently interact with their country's (and neighboring countries') ccTLDs, like .de, .uk, .in, ... I find it surprising to assume that users of social networks who have already understood abstract concepts like "like vs retweet" or "like vs share" would find it difficult to understand the difference between .com and .social.

Also in a sense, it is more accurate for Mastodon to be at a .social TLD instead of a .com since Mastodon is a Patreon-supported FOSS project, and isn't a commercial entity like twitter.com or facebook.com. But yeah, I know that .com doesn't really mean "commercial" anymore, and is more of a general-purpose TLD now.

Mastodon has a number of issues that could stifle broader adoption, but I can't convince myself that the TLD is really relevant here. Most users will just be linked to Mastodon from other sites, or find it from a web search. Once it's in their web history, web browsers will just autocomplete the site name in the address bar. And isn't the domain squatting and exorbitant pricing on ".com" the main reasons why the new TLDs have been released anyway?

I would like to add a few things on top of the relatively technical reasons why this lack of .com doesn't matter.

I'd say most users won't type "mastodon.com" in their "browsers". They will type "mastodon" in their "internet" or, if technically savvy, into Google first. Second, from following the fediverse (not just mastodon, but also pixelfed, peertube etc), i have a feeling that they aren't into mainstream, general audience anyway. A lot of them are small focused instances and as such, won't even be attracting new people via Google, but by invites anyway. Many instances have closed registration anyway. So if you need to land anywhere it's likely not on mastodon.social, but something like ...(checks last five accounts to post directly on top of timeline): icosahedron.website, fostodon.org, mastodon.social, mastodon.technology (my instance) and hackers.town.

twblalock wasn't arguing that TLD bias is rational, but that it's a real factor that somewhat hinders large-scale adoption. Sure, Grandma or Jane Preteen has seen ".org" or ".gov" a few times, and sure the ".social" is a logical fit, but will those facts materially influence their habit of defaulting to ".com"?

You make a good point about how many users will simply Google the name, which naturally opens the question about whether users will want to scroll past info on the band & prehistoric animal before finding the service.

First step is explaining that Mastodon is like e-mail, not like Facebook. People know that to get an e-mail address, you don't go to e-mail.com - you sign up to any e-mail provider to get an address you can use to talk with all other e-mail users. It's the same with Mastodon.

Mastodon will only have robustly succeeded in their mission when people don't think of it as joining Mastodon but as joining some particular social hub which happens to run Mastodon. Think of how people aren't joining academia but are joining Foo University.

As far as I know Mastodon has no particular mission. If it exists, not every instance shares it. And that's not even considering other stuff that works on ActivityPub.

> Keybase integration is interesting to me, but not really useful since I don't want to tie mastodon with my real life identity.

Yeah, this is it for me. Also I don't want to tie my various online profiles together in general. Providing an open, strong, independently verifiable cryptographic link between my online profiles seems like something that a bad actor could exploit to harvest data about me far more easily and with a far higher degree of confidence than would be the case without it. It might even be hard to get rid of if integrating websites aren't careful about deleting your keys when you want them to, leading to a bunch of cryptographic litter linking your profiles even when you don't want that.

I'm also willing to bet the personal attacks are kept to a bare minimum at Mastodon, whereas with Twitter, you just have to be idk...opposed to one popular political thing publicly to be regularly attacked and harassed.

How much of that is just because there aren't as many people there though? Both in the lack of enough people to make a critical storm of people and just not enough people to form an audience for that kind of action. I doubt that would remain the same if Mastodon took off and became a huge thing.

Mastodon is great. snouts.online is one of several furry instances. We boop snoots instead of boosting toots, but it talks to other instances just fine.

I understood at least a couple of those words

Translation: every weird niche interest can have its own server for its community with its own rules, culture, and user experience while still communicating with other servers.

I mainly got hung up on these words: "We boop snoots instead of boosting toots". Are these Mastodon-specific terms?

Toots are posts. Boosting is reposting so your followers can see it. Instance owners can change the terms to whatever cutesy terms they want, so this example has boost replaced with boop and toot replaced with toot.

Also this is a FINE example of why niche communities need unbiased online infrastructure. A casual google-searcher may judge them by whatever google's AI decides is representative of the group, and choose not to deal with them at all.

I googled this, and was very very sorry that I did. Suffice it to say this terminology is specific to a subculture of people who dress up as animal mascots. Booping snoots apparently means touching the nose, I think? I also ran across something called “cub porn” and now I need a shower so hot it can melt glass.

That is correct in theory. But in practice, other servers will block your server if the rules deviate from the mainstream rules, effectively isolating your server.

If your users post hate speech, child porn or run amok reply guying, then yes you're likely to not federate with other instances.

For other differing rules, instances generally silence from the federated timeline. Eg: I can still follow Humblr.social and Sinblr users, but Federated timeline users won't have to drown in porn if the admin silences the server.

Your server will be isolated from some other servers, but it's actually pretty hard to isolate your instance so that you're completely alone in the fediverse.

Well yeah, what's the point of having rules on an instance if you can just break them by moving to another but still participate?

it's basically twitter when you're not following very many people and all the people you are following share your political views.

This seems backward.

They want ActivityPub servers to apply to a central service (keybase) to offer cross server identities.

And they want users to trust that central service to decide who is who.

It's always amazing, how strong the force of centralization is.

Even when the whole value proposition of a technology is that it is decentralized, users will soon flock to centralized services built around it and end up in the mercy of a few organizations again.

Reminds me of all the people who think they hold crypto currency while in reality they "hold" yeah-we-promise-we-owe-you-somethings by some exchange.

Reminds me of how little resistance the Ethereum elite faced when they flushed "code is law" down the toilet and forced all users to switch to a fork with rewritten history.

What makes this attempt of centralization even more tragic is that it does not bring anything to the table. If you want to run a service that lets people claim they are joedoe@host1 and joe_the_doe@host2, just let them publish two messages. "I am joedoe@host1" on joe_the_doe@host2 and "I am joe_the_doe@host2" on joedoe@host1. Neither the integration with the hosts nor the crypto spiel is needed.

There will never be a truly unique, open identification service, and that's what keybase is trying to do. Not necessarily by saying "this is who I am on keybase and will be my unique identity" but by saying "I am someone, known as X on github and Y on mastodon". The advantage of keybase is that

- Any identity on any service can (now) be linked

- There is only one protocol to do it and it is all done on the client side

Why would Mastodon (or, really, ActivityPub) be The One service when there are other, working services worth using ?

> Any identity on any service can (now) be linked

No need to integrate Keybase or any service for this. You just can use any place on the web as a hub and post "I am news.ycombinator.com/user?id=rakoo, I am reddit.com/user/rakoo" there. And from the others you link back to the hub. Say github is your hub then you post "I am github.com/rakoo" on HN and Reddit. This would be user readable and machine readable. And any 3rd party service like Keybase could read it. No need for the social media sites to apply at Keybase and integrate it.

You _can_ do it but you would be the only one doing it, and as such it would provide little value because no one wants to do this manual dance and if you're such a minority then there will be no automated way to do it.

Keybase provides an (open!) protocol, along with (open source!) tools to do what you describe and then some (a lot of crypto stuff is needed, for instance). You can probably fork the keybase client and have your own hub at notkeybase.founderling.io if you want, so you can implement your very own idea if you so desire, and that would even be an interesting addition to the open web.

Also, you might have missed it but identity providers do not need to "apply" for keybase integration anymore: _any_ service can provide identity and link up with keybase without asking first (https://keybase.io/docs/proof_integration_guide). It doesn't even have to be a web service, so if they want any email provider can do it (although the whole linking thinking would be through http)

Technically you don't need to ask first, but you still need to tell Keybase directly that you support their proof integration protocol in order to be supported from their side of the connection. Not so much a "please let me in" but rather "I'm ready to rock".

Linking has to go both ways, it makes sense for the hub to vouch for it. Otherwise you have the same situation as the CAs without CTs: ie A can vouch for me, but I can't really vouch for this vouching, so another malicious B can vouch for a fake me.
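
The plain-text "I am X" hub scheme and the "linking has to go both ways" point from the comments above, as an added example that is not part of the thread and is not Keybase code. The profile names, the `.example` hosts and the `PAGES` dictionary (standing in for fetching each profile over HTTPS) are constructed assumptions, and no signatures are involved, so it only shows which claims are mutual.

```python
import re

# Constructed sample data: profile identifier -> text published on that profile.
# In a real check each entry would be fetched from the service itself.
PAGES = {
    "hub.example/joedoe": (
        "I am host1.example/joedoe, I am host2.example/joe_the_doe, "
        "I am host3.example/celebrity"
    ),
    "host1.example/joedoe": "Hello. I am hub.example/joedoe.",
    "host2.example/joe_the_doe": "I am hub.example/joedoe",
    # The hub claims this profile, but the profile never links back.
    "host3.example/celebrity": "Official account, no links here",
    # This profile claims the hub, but the hub never lists it.
    "host4.example/joedoe_real": "I am hub.example/joedoe",
}

CLAIM_RE = re.compile(r"I am ([^\s,]+)")


def outbound_claims(profile, pages):
    """Return the set of profiles that `profile` claims to be."""
    text = pages.get(profile, "")
    return {m.rstrip(".") for m in CLAIM_RE.findall(text)} - {profile}


def audit(hub, pages):
    """Classify every claim touching `hub` as mutual or one-way."""
    result = {}
    claimed = outbound_claims(hub, pages)
    for target in sorted(claimed):
        if hub in outbound_claims(target, pages):
            result[target] = "verified"
        else:
            # Anyone can write "I am <famous account>" on their own page.
            result[target] = "one-way (hub only)"
    for profile in sorted(pages):
        if profile == hub or profile in claimed:
            continue
        if hub in outbound_claims(profile, pages):
            # Anyone can also point at a hub they do not control.
            result[profile] = "one-way (not acknowledged by hub)"
    return result


def verified_identities(hub, pages):
    """Profiles linked in both directions with `hub`."""
    return sorted(p for p, s in audit(hub, pages).items() if s == "verified")


if __name__ == "__main__":
    for profile, status in audit("hub.example/joedoe", PAGES).items():
        print(f"{profile:32} {status}")
```
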

> It's always amazing, how strong the force of centralization is.

This is because Mastodon is a UX nightmare because of the way they decentralized it. With Twitter you go on and you @ your friends / etc and you're done. With Mastodon you have to figure out where they are and if they're not all in the same place it becomes a nightmare to try and manage.

I get it, decentralization can be great. But so far most of the implementations of decentralized social networks have been a UX nightmare for even the casual user.

> With Twitter you go on and you @ your friends / etc and you're done. With Mastodon you have to figure out where they are and if they're not all in the same place it becomes a nightmare to try and manage.

Nope, that's actually not the problem with Mastodon UX. On Twitter you still have to ask if your friend is @Johnny or @John1256 or @JDoe or depend on visual cues (avatar).

The problem with Mastodon UX (and Fediverse in general) is the friction of "remote follow" buttons instead of one-click Follow (the same goes for reply/like etc.)

I find that remote follow is only an issue this way if you've gone directly to the other party's profile rather than following them from your own instance, or when your instance is being banned for some reason by the other party's instance. It could be smoother, but this is what we get for having to defend against XSS.

The bigger problem with Mastodon is the explicit support for censorship via defederating instances you don't like.

People managed to share email addresses, which are name@domain.

And the domain is predictable. There were (and still are) a two-part email form around the web, where the domain part is a drop-down list.

That would not be much different from a drop down of Mastodon instances then?

For both it's a bad way of doing it because people with their own domain can't use it for email and the Mastodon one would be too long to select something.

I meant that the comparison to the email is not adequate because the number of common email domains had been steadily decreasing (and I hate it).

> And they want users to trust that central service to decide who is who.

Actually, no, the whole point of Keybase is that you don't have to trust the central server, and can verify all the proofs yourself. The CLI does this automatically.

1: They claim the integration is needed because people are too dumb to copy&paste a string.

2: The whole user interface is set up so users believe in what they see in the web interfaces.

And you want to tell me with a straight face that users will do their own crypto foo instead and validate hashes?

Even if the users used that CLI, that does not help. As we saw with Ethereum. They simply pushed out new code that rewrote history.

> And you want to tell me with a straight face that users will do their own crypto foo instead and validate hashes?

Your Keybase client (for whichever platform) will perform the verification for users you follow. There is no need for any manual action and the verification has to happen when you follow someone (by following someone you're attesting that your client performed the verification).

> As we saw with Ethereum. They simply pushed out new code that rewrote history.

Do some basic research. History was never rewritten and new code was never pushed on users. Users voted in favor of the DAO fork, then users voluntarily downloaded newer versions of their wallets in which the respective developers had implemented the agreed upon new rules that moved the stolen money to a recovery account.

There's no trust in Keybase, my friend. Everything is signed by users themselves and you can verify that. Keybase is only providing the infrastructure.

It's always amazing to me to hear assumptions that decentralisation is a feature in and of itself.

For most people it's an entirely secondary concern, not a concern at all or even an anti-feature.

Who do I appeal to, to take down that cyber-bullying material? How do I get my transaction reversed, as the victim of fraud? What do you mean I can't and the system was deliberately designed that way?

> It's always amazing to me to hear assumptions that decentralisation is a feature.

Decentralization is not a feature for the end-user, it's a feature to developers. It's probably impossible for a new social network to take on Twitter, Facebook, etc. directly. However, a decentralized social network allows startups to move far quickly and implement other features that the big social networks are lacking.

I suspect that whatever social network eventually pushes out the dominant players today, will use tools like these.

One good precedent for this is AOL. AOL was safer and more user-friendly than the world-wide-web, but the web's decentralized nature allowed competitors to spring up much more quickly. I suspect something similar will eventually happen to today's social networks.

> Decentralization is not a feature for the end-user, it's a feature to developers.

On one hand you are right, it's a huge benefit to developers as they are able to create new services that leverage the strength of the existing network. Such as Peertube getting subscription and commenting features from other servers for free, and it “just works”. Imagine a youtube competitor wanting to leverage Twitter in the same way. Highly unlikely that it would be allowed, and even if it did, the integration would be Twitter-specific.

On the other hand, (at least some) end-users see decentralisation as a huge benefit, and at least in my case it gives me confidence that the whim of a single company can't ruin the experience for me, or even take away the platform altogether.

Most people may not consider this, but some people definitely do. And hopefully that number will increase over time.

Whilst I appreciate your views, for many/most the idea that no party can affect or take down the content is a negative.

"Nobody can censor us!"

is absolutely, unfortunately equivalent to -

"Nobody can take down race hatred, online harassment, child abuse images or other evil shit"

And we've adequate evidence now to show that humans will use such platforms to post exactly that sort of stuff. For instance one of the bitcoin forks that allows larger data payloads had child abuse images uploaded to it, in an immutable, permanent way. Many/most people are not OK with that.

I'm not yet seeing a way to balance these concerns.

> Whilst I appreciate your views, for many/most the idea that no party can affect or take down the content is a negative.

Just b/c something is decentralized doesn't mean you can't take it down or hide it.

In the grand scheme of things censorship is the more dangerous thing though. People often don't care about censorship until it affects them, but once it does, they care a lot. There's a reason why the first amendment protects speech. It's the building block for an improving society.

I'm mostly ambivalent to the censorship debate. What I mean by that is that I can see valid points on both sides.

Most Mastodon instances have pretty strict policies with regards to the speech that is allowed on them. Many instances block federation with other instances whose policies they don't agree with.

Other instances allow pretty much everything (they are usually called “free speech zones”). The result is what you would expect, and they end up being mostly blocked.

I'd argue that it works reasonably well for now (but it may of course change if the Fediverse grows further). Everybody is allowed to say what they want on the Fediverse, but others are not forced to listen to it.

> Whilst I appreciate your views, for many/most the idea that no party can affect or take down the content is a negative.

Citation needed, please. This really sounds like your personal opinion presented as a general statement.

This is great. But damn:

> Are there sites you won't link to?

> Like a Mastodon instance, we reserve the right to work with whichever partners we prefer. We specifically will avoid at least these sites:

> sites which encourage or are known for illegal activity

Just what is "illegal activity"? According to whose laws?

Given that Keybase servers are in the US, I suppose that means US law. And frankly, that sucks.

But please do clarify.

I wonder if the Mastodon community will pick up Keybase chat as the de facto chat option with this integration in place. Chat or private messaging has always been considered the weak link of the fediverse since it's easy for bad servers to mishandle "private" toots.

I wish that Keybase could work with the Signal team on something.

Signal has a lot of experience in UI [1] and security, and Keybase had the identity proofs. I'd love to see them work together rather than compete.

[1] Signal UI used to be horrible but as of the past few months it's improved a ton! It's now my preferred SMS client.

>Signal UI used to be horrible but as of the past few months it's improved a ton!

That's funny, I've had the opposite experience. Once I got everyone I know to start using it and was completely locked-in, I started having all kinds of weird issues.

My favorite is when my phone has been off awhile. After I turn it back on, I get a notification for every message I sent/received on another device while it was off. Usually takes about 30 minutes for it to fully sync, buzzing and/or producing popups for every message along the way. I have about a dozen equally frustrating issues I could, if I had the time, enumerate.

And of course because it's free, there's no real support. Signal has been a huge disappointment for me. I'm preparing to move back to regular SMS, but now I have to untangle all of the users like my mother that I convinced to use Signal. Caveat emptor!

You'd rather opt in to global passive surveillance than deal with an inconvenient UX?

It's not inconvenient, it's broken. The issue I described above is not the only misbehavior to which I'm frequently subjected. Another example: messages are delayed, often.

Recently I failed to reply to an urgent text about a medical diagnosis from my fiance due to Signal failing to push the message to my phone. This is unacceptable behavior from a critical application.

Do I get on a soapbox about how surveillance is terrible and miss being there for her by insisting on using Signal? No! I want her to be able to get in contact with me if there's an emergency, and that's the #1 priority.

(note: not trying to say the medical diagnosis scenario you describe is less important than your contribution to getting the world off SMS, just spitballing how we can work towards timely updates in our current world and wean off SMS)

in the situation you describe, or any urgent situation where speed of communication is paramount, what about bombardment through multiple channels? like, i'll often leave my phone out of my pocket, and not pay super close attention to it. and if it lights up with one text message, or one signal message, or whatever, i might not look at it. but if it's buzzing like crazy, or someone starts calling, i'd pick it up.

i guess what i'm saying is, "urgent" to me means signal/text/call/call someone that might be around the person/whatever, until the message gets through. if something is urgent, i would not send it solely by text. i've certainly had SMS messages get dropped or delayed many many times over the years.

can you really only use one messaging app at a time? signal is my primary messaging app, but i don't really find it bothersome to use whatsapp and regular SMS also. different people i communicate with prefer different channels, and often the same person will use different channels with me depending on the purpose (e.g., my dad mostly chats with me by SMS, and most of my immediate family's group chat is on SMS, but when my dad is texting with me about some sensitive personal financial info, it's over signal).

also, i hope that whatever the urgent issue was, it was resolved in an ok way. like i said, not trying to shortchange the urgency of a medical emergency or second guess your decision making or frustration at the time.

Yeesh, that is really terrible, I'm sorry to hear that. I understand your reasons, but in signal's defense it is a free service, which is pretty amazing considering the number of users they are able to support. I suppose reliability is a trade-off, but it would be nice if they offered a paid tier with better performance.

You are aware that SMS is "best effort" as well? SMS is in no way guaranteed to be delivered in anything approaching an urgent timeframe.

The phone number requirement is a killing feature for me, makes it useless. I wouldn't put it even close to the UX bar Keybase has for me.

I do, to some extent, agree.

I think the idea is that privacy != anonymity. Signal provides the former, but not the latter.

It's tough. I think that usernames could become messy, but I also think it'd be amazing to anonymously tip a news reporter via Signal, but at the same time the latter would not be as safe as Tor etc.

I would much rather have more competitors than fewer monolithic systems in this space, to be honest.

How is Keybase chat federated? Using a centralized service defeats the purpose of a decentralized Fediverse.

It's not, but decentralization isn't super effective for private channels of communication, particularly where neither end is running the software in question. (Most Mastodon users aren't site admins.)

But presumably if proving a Keybase user and a Mastodon user are the same is given, when a Mastodon user wants to contact another outside of Mastodon, Keybase Chat may be the new default choice.

i think that’s pretty incorrect tbh; xmpp/otr, and matrix handle federation and private chat/encryption just fine

i’d much prefer to see chat that’s just thinly wrapped in a pgp implementation that gets its keys from keybase (maybe just initial secrets transferred with pgp for handshake or something)

> but decentralization isn't super effective for private channels of communication

The two examples of that not being the case are OTR XMPP and PGP e-mail.

> particularly where neither end is running the software in question

You cannot have useful encrypted communication if your software does not support it.

Yeah, interesting point - this could actually pick up chat functionality for a whole heap of sites that don't have it, but are prepared to do the Keybase integration work.

Why not Matrix? A federated chat protocol to go with a federated social media protocol.

Please no. Centralization is always abused (eventually). Email + mastodon + IRC = happy little hackers.

Email is de-facto centralized at this point, with the overwhelming majority of email going through a small handful of giant providers. I don't remember the number anymore but some scary-high percentage of all email volume goes through Google servers.

1. There are still multiple working options within the same ecosystem. And yes you can still self-host or pay to host[0]. Unlike on WhatsApp, Telegram or Signal where you have to choose one (or more) providers.

2. I find it weird how busy we as a community are: scaring each other away from the solutions we should use by pushing Joe Average in front of us (like the post in this thread about mastodon.com being up for sale).

[0]: yes, there are problems. But FWIW mail disappeared before Gmail as well: I have memories of customers complaining about mail from "central USA" (or something) not arriving and after hassling our email provider and having them hassling their connections mail suddenly started to arrive. (And no I don't think it was acceptable then and I don't think it is acceptable now.)

Do you mean for encryption or do you mean using their servers also?

My bet would be both. After all, why handle all the dirty work of implementing real-time chat that works across multiple different sites when you can just plug in Keybase instead? After all, if you're using it for encryption you already require people to have a Keybase account to have their chats encrypted.

Why would you install different Mastodon servers when you can go to twitter.com instead?

I don't :P It's too tedious to keep an eye on multiple communities and manage my single identity.

This sucks -- not all Mastodon instances will be able to use this. It's subject to approval by keybase, ensuring only big instances can use this. A step backwards from a proper decentralized network…

Keybase team member here. We have more than 30 so far, and they range from some of the largest down to single-user instances.

OK, but what about "sex workers and such" that wut42 mentions in a subthread?

I would imagine they're happy to support small instances if they have a legitimate userbase... why not ask them and report back?

They already somewhat said that porn related instances will not be allowed. So sex workers and such won't be able to use this. Why bother asking them?

I moved to the fediverse to NOT be controlled and regulated by corporations, because there's no need to. Adding such a feature in Mastodon is stupid. What's the next step? Integrated Twitter client?

Keybase has said porn related names / IDs won't be allowed? I was going to suggest some people look at using it as an alternative ID system to use in various chat systems. However some of those appear to be sex chat focused, so if that could cause an issue for them I'd be better off not mentioning and looking for a keybase like ID alternative.

Yes please, make it possible to discuss external content more easily in Mastodon, please.

From: https://keybase.io/docs/proof_integration_guide

> To send us the config, you can send us the public URL for your config file or attach it directly in a Keybase chat message to @mlsteele or email miles@keyba.se. In our example the file is hosted at https://keybase.io/.well-known/example-proof-config.json.

Will this always require a manual step (sending config by e-mail) or is there some automation planned?

Good q - this step will likely be automated soon. Still, there will always be one final step of our approving any integration, otherwise there would be 10,000 pr0n sites or ad sites. (We mention this in the FAQ.) But we can automate everything up to turning it on.

For now, we want to talk to everyone working on integrations, so we can see what steps are working and what are confusing, what could be improved, etc. So we're talking to everyone doing an integration.

I still don't get it. You have always been able to get a keybase proof for ANY website/domain without being approved first. Why do you need to whitelist mastodon instances? Why not just let people type in the domain name for their instance and get rolling?

But now they're showing every integration possible (as in, every mastodon instance they approve of) on their UI

Again…why? who cares? Why is picking from a pre-approved list better than just letting people type in their instance domain name and allowing every instance by default?

Agreed. Not to mention Mastodon could have a linkback to Keybase with all data pre-filled (username + instance name). For example in Settings a link "Connect with Keybase".

> otherwise there would be 10,000 pr0n sites or ad sites.

There's a middle ground: you can add integration so that it's available from CLI (`keybase prove ...`) but don't show it in GUI ("select integration") so it's not advertising that site.

The proof integration guide looks neat by the way.

CLI integration available to all without a human step, but requiring approval to show up in the UI when adding integrations? I'd like that solution

Assuming my understanding of this is right, I can't see Chris and team publishing an automated platform for proof integration until they find a solution against impersonating established platforms.

Edit: Disregard, chris/malgorithms answered above.

I never understood keybase as a useful product. What do you use keybase for?

Task: Send me a tweet on Twitter. Careful not to send it to any imposters.

Challenge: Finding me on Twitter. For example, I am not @Nadya

Extra Credit Challenge: Let's say I'm e-famous enough to have imposter accounts but not have a Twitter "verified" badge. Which Twitter account is the real me? And how do you know?

Where Keybase comes in: On my HN profile itself you can find my signatures on Keybase. Keybase is not necessary for these signatures but becomes a convenient place to look. You also do not need to trust Keybase; although in practice many people will. Don't lie to me and tell me you'd verify the keys. :)

Now you can go directly from my HN profile to my Twitter profile and tweet at me knowing that I am who I say I am. Or at least the individual posing as me has access to three of my accounts (HN, Keybase, and Twitter) and that you'd at least be talking to the same person.

The social proof and web of trust bit is where Keybase falls down but that's an inherent flaw of the web of trust (key exchange parties aren't as popular as they used to be and people will sign/trust keys of people they've never met IRL). Ultimately you'll have to trust that the people who follow me on Keybase are certain beyond a reasonable doubt that I am who I say I am. From there, you can trust the social proofs.

I personally use it so that people can find me on other services more easily and know that they are speaking to me.

> On my HN profile itself you can find my signatures on Keybase.

… or your HN account could just link straight to your Twitter account. I don't get what Keybase adds here.

If you have an account on N different sites, and you want to let people identify you between each of those, linking directly requires (N-1) links per profile, or N*(N-1) links total. When you create a new profile elsewhere, you need to update your profile on each of the N original sites, plus add N links in your profile at the new site.

Or you could collect all of your identities into a Keybase profile, which all of your other profiles link to. That's a lot less to manage. Plus, proving your identity at some site (usually) has the byproduct of pointing back at your Keybase profile, so even if you come at this just from a "less work for me" angle, you're getting verifiability for free.

Or you could collect all of your identities in one other central place (say your website or HN) and link to the central place from all other profiles. Because that is exactly the scenario you just mentioned. Having direct links to all other profiles isn't solved by keybase. The only thing it provides is a central place for profile links – and there are obviously other ways to achieve this.

Sure, but if you look at how Keybase is verifying the information and how it is presenting that trust to external users, I feel that the value they are providing has increased greatly over a static page listing social network IDs.

Take a look at https://keybase.io/anthonyclarka2/sigchain

You can see a whole bunch of extra crypto is being used to verify the information.

If someone hacks your HN account they could redirect the Twitter link elsewhere. If the only 2 accounts you have are HN and Twitter then Keybase doesn't solve that problem, but if you have more accounts elsewhere that are well-known, those extra accounts then prove that the HN<->Twitter connection is valid.

If everything links to everything, that's an n^2 problem (and hard to coordinate actors to do). If everything just links to one service, that's n or 2n at most.

Also, I can write the name of any twitter account in my HN profile. I can only link _my_ twitter account to a keybase account I own.

Right, but if your Twitter account links to your HN account then you've proven ownership both ways. If you don't want the n^2 problem then just have a list of all your accounts on one site and link there. Say, for example, your Mastodon account.

I solved that problem that way too: https://nadyanay.me/identities.html

It comes with some issues, namely that I suck at keeping it up to date and that not all identities I would like to list there have a way for me to provide proof beyond my word alone. For most use cases and attack vectors I consider this sufficient enough. Now this is outside most people's threat models, but Keybase also provides some mitigation against some other scenarios.

1) If nadyanay.me becomes compromised the imposter could update /identities.html with a new and fake list and I would need to update my link everywhere it is used or I would be pointing people to the imposter list. I have more faith in both (a) Keybase is less likely to be compromised and (b) in the event Keybase has become compromised someone will notice. Nobody would notice if my personal site was compromised, as even my closest friends don't regularly browse my website. It could honestly take weeks or even months to discover the file had been changed.

2) A person who compromises my account(s) must also have access to my private key in order to sign messages in my name. This is important because even if any of my accounts is compromised they're still unable to prove they are me if asked. This is something I actively practice with a few online friends of mine. We pretty regularly lend large sums of (virtual) game cash to one another worth in the range of $10,000-$15,000 USD if RWT'd. The last thing either of us would want is an imposter asking to borrow some money in-game from them and selling it off and so anytime we ask to borrow some in-game cash we ask to see a signed message. I admit that's the primary reason behind most of my signed messages...

3) Any attempts at creating a new key will allow users to see that my key has been revoked and replaced. Users who had signed my old key would need to re-verify with me that my new key is valid. Social engineering and people's casual use cases means the imposter would just claim to be me and most people would believe them. Few would bother verifying but it at least provides an additional opportunity for the imposter to be outed.

The obvious question is: "Isn't that what a domain is for?"

And the answer is a lot of the New Famous don't have domains to list canonical social media profiles on. They exist solely on silos like YouTube, Twitter, Facebook, and Instagram with no way to connect to their fanbase without it.

Or just picking one of the accounts as the master and linking the others there.
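The link-counting and account-compromise arguments in the comments above, modelled as an added example (not part of the thread, and not Keybase's code). Profiles are a plain link graph, every account name is constructed, and the hub's list is assumed to be editable only by the holder of the private key.

```python
# Added illustration: a profile graph maps each account to the set of
# accounts its bio links to. All names are constructed sample data.

def build_mesh(accounts):
    """Every profile links directly to every other profile."""
    return {a: {b for b in accounts if b != a} for a in accounts}

def build_hub(accounts, hub):
    """Every profile links only to the hub; the hub lists every profile."""
    graph = {a: {hub} for a in accounts}
    graph[hub] = set(accounts)
    return graph

def count_links(graph):
    """Total number of links somebody has to create and keep up to date."""
    return sum(len(targets) for targets in graph.values())

def pairwise_trusted(graph, start):
    """Accounts a reader accepts from `start` when a link back is the only proof."""
    return {b for b in graph.get(start, set()) if start in graph.get(b, set())}

def hub_verified(graph, hub):
    """For each account the hub lists: does that profile still point at the hub?"""
    return {a: hub in graph.get(a, set()) for a in sorted(graph.get(hub, set()))}

def compromise(graph, victim, fake):
    """Attacker controls `victim` and owns `fake`: the victim's bio is rewritten
    to point at the fake account, which links back. Assumption: no other
    profile and not the hub's list can be edited by the attacker."""
    after = {account: set(targets) for account, targets in graph.items()}
    after[victim] = {fake}
    after[fake] = {victim}
    return after

ACCOUNTS = ["hn:alice", "twitter:alice", "github:alice", "mastodon:alice"]
HUB = "hub:alice"
FAKE = "twitter:al1ce"

def demo():
    mesh_after = compromise(build_mesh(ACCOUNTS), "hn:alice", FAKE)
    hub_after = compromise(build_hub(ACCOUNTS, HUB), "hn:alice", FAKE)
    return {
        # N*(N-1) links for the mesh versus 2N for the hub.
        "mesh_links": count_links(build_mesh(ACCOUNTS)),
        "hub_links": count_links(build_hub(ACCOUNTS, HUB)),
        # Mutual links alone: the fake account looks fully confirmed.
        "mesh_reader_from_hn": pairwise_trusted(mesh_after, "hn:alice"),
        # Hub view: the hijacked profile shows a broken proof and the
        # fake account is never listed.
        "hub_status": hub_verified(hub_after, HUB),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

A reader who enters through the compromised profile and never consults the hub is misled in both models; the hub only helps readers who check it or arrive from another listed account.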

I think their goal is to do everything (or a large subset of things) Slack/Google Drive/GitHub can do, but with end-to-end encryption and easy discovery (look someone up no matter where on the internet you know them from).

The remote git repo feature is nice. But from what I understand, the primary use is to serve as proof of identity. They have other products like a chat app for individual or team use, file storage, PGP operations, and more. All e2e encrypted.

OP demonstrates how your Keybase network can offer E2E messaging on Mastodon, bootstrapped via Keybase.

I see Keybase as a secure address book, on top which secure applications can be built.

I trust them* more than slack. So I use it to send credentials to fellow developers as well as files that I want to share with specific individuals.

*Maybe I shouldn't trust them more than Slack? But I know from experience with pen testers that a password in Slack causes all kinds of problems.

Do you have a PGP key? No, because it's a hassle. With Keybase it isn't anymore. You can sign stuff and encrypt stuff without telling people to install obscure software anymore.

It was meant to be a better PGP web-of-trust replacement.

i know a friend who just uses it to store and retrieve their private key for gpg

Keybase is certainly interesting. Is it possible to link up to your stackoverflow identity yet?

How are people using Keybase right now? I added several of my accounts but I'm especially interested in the GPG encryption/signing.

StackOverflow integration sounds really cool. Wish they added Discourse support as well - hard to prove I'm me on all of these Discourse instances.


Would be nice to add "extra" verification via Signal too, or Google Authenticator. Although GPG's public key, if already known, provides a good source for that.

Can someone explain Mastodon to me? Because I’m not really sure I “get” it.

As I understand it, I need to register for Mastodon at some server ``foo``, and with this one single registration I can also access other servers ``bar`` and ``baz`` and read what their members post, but I’m not able to post on those servers myself, only on my original ``foo`` server.

So what happens when ``foo`` goes under for whatever reason? Or what if the admins at ``foo`` decided to ban me from their server for whatever reason? Am I just shit out of luck now?

And what if my friends decide to join Mastodon some time later, but they all agree to join ``bar`` leaving me the odd person out? I think I’ve read somewhere that it’s not possible to relocate my ‘home server’?

Yes, you are right.

The entire ActivityPub concept is flawed, but not because you would be left alone in your server, it's the opposite: since you're interacting with your friends, your friends' server would then fetch all posts from your server and vice-versa, it will be as if there was just one server, but maintenance costs are now duplicated and the discovery process is not great also.

These problems are less problematic the smaller the servers are, which makes me think the best structure would be one in which each user is its own server and just syncs to temporary syncing hubs when possible -- or maybe sync directly to other online peers they know.

Oh, wait, that's what https://www.scuttlebutt.nz/ does!

(Disclaimer: I don't use Scuttlebutt nor Mastodon nor anything like that, and I really thought about Scuttlebutt in the middle of my comment, not before.)

Bug report: I just connected my Mastodon.social and Keybase profiles. On my Keybase profile, the "post" link next to my Mastodon.social profile link doesn't go directly to the proof post, but instead just links to my profile again.

I'm working on a web-based system that uses PGP key as identity.

How do I integrate with Keybase?

I'm not entirely sold on keybase.

Why would I want my online presence 100% identifiable and traceable back to me?

What is the appeal of this service exactly?
