So, I've been playing around with #keybase a bit, primarily because of its team feature and the gits. And #kbfs seems kinda cool, but I haven't done something with it yet.
Today, I had the chance to actually use the core keybase functionality myself and it made me realize just how much better it is than the #WoT.
A tweet over on birbsite reminded me that #ricochet exists and I've been meaning to check it out so I figure I'll go and download a release.
So I know that a key claiming to belong to John Brooks has signed the #Ricochet zip file, which, yay, I guess.
Doesn't tell me much beyond that, though, since I never contacted this John Brooks guy before and so I never had the chance to check his key and sign it.
So, really, this could have been anybody.
I could now do the #WoT thing and download all the key's signature keys and all keys that signed those keys and so on, until I find a valid trust path from them to me.
This is both a PITA and somewhat unlikely, since I haven't signed a lot of keys. (I have been to a signing party or two before, but, you know. ¯\_(ツ)_/¯ )
Out of interest, I figured I'd try #keybase and see what happened there.
A slightly convoluted command later, I got this: https://mastodon.social/media/YfxpTBmDOe_sTjbRV6o
So now I know that this file was signed by a key that is controlled by the Keybase user called "special" at this or that date.
After running "keybase id special", I also know that whoever controls that key also controlled the Twitter account "jbrooks" and the GitHub account "special".
Checking up on those two, I learn that the GH account "special" works on Ricochet (So yay! My signature seems much more trustworthy now.) and that jbrooks follows Jacob Appelbaum on Twitter. (Uuuugh. 😩 )
(The last one is not terribly surprising, what with Ricochet being Tor-based and all, but still... Ugh.)
So, yay for Keybase, I guess. Tying multiple accounts into a cryptographic identity makes a whole lot of sense and seems much more workable than the #WebOfTrust. I mean, I still like the idea, but, well, nice ideas don't always work in all cases and areas.
And I mean, Keybase has issues, but still, I was pleasantly surprised in this case. :)
Heading to the #ricochet download site, I see that they sign their releases and being in a #crypto mood I download the signature as well, to see if I remember how to use #gpg to verify a detached signature. 😅
After a bit of fumbling (Thanks, #zsh CLI argument prompt.) I manage to do so and get this: https://mastodon.social/media/hEikzkZXBxu35PBNMaQ