the safest form of messaging I have is Signal, but the whole point of the safety number is to verify that the person you’re talking to on Signal is really that person, so I can’t send my safety number through Signal. any other option I have, the data is going to be harvested by somebody.
how do you all do it if you don’t have physical contact with your Signal people?
The safety number is not part of the encryption. It just says: this person is who they say they are. So as long as you can trust that the number actually came from that person, it’s fine. Afaik, the number is derived from the encryption keys, so it can’t be faked, but I would verify that if you’re unsure.
Edit: was curious, here’s the blog post that introduced them: https://signal.org/blog/safety-number-updates/ Essentially, it’s a hash of the public key, so safe to broadcast, similar the HTTPS certificates employed on the web. They even say so: “the share button on the safety number screen and selecting FB, Twitter, email, etc to send the safety number to your contact.”
but if somebody else got my safety key for some other person, what could they do with it?
Nothing, it can’t be used for anything else. You can’t reverse the encryption keys from it. Its like adding all the digits in your phone number and giving that out. People with your phone number can verify it, but to everyone else, its basically useless.