@Gargron It's not a real GPG signature that GPG would recognise, it's keybase's equivalent. It's a crypto signature of your key + a proof that the user checked that all your proofs were valid IIRC.

@rx14 @Gargron If you follow someone you sign their current snapshot. If you then want to send an encrypted message to this account and something in their sigchain (gpg key, social media account etc) has changed you'll get a warning, letting you double check if this account is still owned by right person.

@fap @rx14 @Gargron Ooooh, right, and that signature can either be published or kept locally. So it's *kind* of an attestation. Sometimes. 🤔

@varx @rx14 @Gargron Now I'm confused, which signature can be kept locally?

@fap @rx14 OK now I'm checking https://keybase.io/docs/server_security/following to be sure. It looks like when you sign that snapshot of the other party's identity, you can choose to publish that signature up to keybase for other people to see.

« This is not a web of trust [but] more followers means more confidence in the age of [the other party's] account. »

@varx @rx14 yeah but following = publishing the signature, right?

@fap You can also follow privately (Just keep the signature in your computer's local store), which means you can see if their snapshot changes in the future, but other people don't benefit from that information.

@gargron @rx14 it isn't strictly GPG key signing, just a public, signed record that it seems like the user of that key also appears to be the user of the associated social media accounts.

@Gargron @rx14 I don't know that it's equivalent to keysigning, an attestation -- I'd say it's more of a trust-on-first-use (TOFU) operation so that if you use your GPG key later (or add another one), they can establish a chain of trust going back to that initial Follow.

@rx14 @Gargron (Or, I should say that if they *intend* for Follow to have any sort of implication of attestation of identity, they haven't communicated it very well...)