May 26, 2026
Trust issues, but make it encrypted
Are we self-sovereign PKI yet?
Your “private” chats may still rely on blind trust — and commenters are fighting about it
TLDR: The article says private messaging still has a giant weak spot: people rarely verify who they’re actually talking to, so trust quietly shifts back to the app company. Commenters agreed that’s bad, then immediately fought over whether the fix would be unusable, creepy, or just another crypto squatter disaster.
The big uncomfortable truth in this piece? Your messages may be locked up tight, but most people still never check they’re talking to the right person. The article argues that apps like Signal, WhatsApp, iMessage, and others all offer ways to confirm identity — but almost nobody uses them, which means a lot of so-called privacy still depends on trusting the platform not to mess up, get hacked, or get pressured. Cue the comment section, where readers immediately turned this from a nerdy security essay into a full-blown identity crisis.
One camp was basically: great diagnosis, but good luck making normal humans deal with lost keys, recovery, and fake lookalike names. User lxgr summed up the chaos with a painfully relatable joke about confusing usernames and sketchy copycats, turning the whole debate into a “which is the real me?” farce. Another camp came in hot with the classic internet move: “Actually, this already exists,” complete with a GitHub SDK and a flex that felt very much like source: dude trust me, but cryptographically.
Then came the real drama: one commenter absolutely rejected the dream of one permanent identity key for life, calling it a government-tracked, corporate-monitored nightmare. Others rolled their eyes at anything smelling remotely blockchain-ish, immediately asking the only question the internet ever asks about new naming systems: how much does it cost, and will squatters ruin it by Tuesday? In other words, the community verdict is brutally clear: everyone agrees the current system is messy, but the proposed fixes sound either too hard, too creepy, or too crypto.
Key Points
- The article says encrypted messaging apps such as Signal provide key-verification features, but most users do not use them, leaving trust in practice dependent on the platform distributing the correct keys.
- It extends the same identity-binding problem to email and usernames, arguing that providers and platforms retain effective control over public identifiers.
- As an example of provider control, the article cites Google handing a user’s account data to ICE in April 2026 and notes Gmail’s stricter DMARC enforcement since November 2025.
- The article presents Keybase as an attempt to tie multiple platform identities to one cryptographic key, then notes its decline after Zoom’s 2020 acquisition and the shutdown of public hosting in 2023.
- It argues that current web PKI is built for machines, not people, and remains vulnerable to DNS and BGP-based attacks despite mitigations such as Multi-Perspective Issuance Corroboration, while DANE was not adopted by browsers.