In this case, client = server. If your computer is compromised then they can get access to both private and public keys of 1Password and 1Password Mini.
It also doesn't prevent MITM unless both the client & server. Nothing stops you from presenting a fake public key pair between the communication
How doe TLS work then? Because public keys are signed by central authorities. Who do we know what to trust? Browsers and OSes have default list of certificate authorities to trust. How do we know that we can trust them? Technically they should be communicated outside the internet. If the version of Chrome you download is compromised with a rogue certificate authority (ex: SuperFish) then you're hosed.
It's turtles all the way. Unless keys are communicated securely somehow you cannot guarantee secure communication.
It also doesn't prevent MITM unless both the client & server. Nothing stops you from presenting a fake public key pair between the communication
How doe TLS work then? Because public keys are signed by central authorities. Who do we know what to trust? Browsers and OSes have default list of certificate authorities to trust. How do we know that we can trust them? Technically they should be communicated outside the internet. If the version of Chrome you download is compromised with a rogue certificate authority (ex: SuperFish) then you're hosed.
It's turtles all the way. Unless keys are communicated securely somehow you cannot guarantee secure communication.