In the case of Debifi, there are several parties involved + the key generation/distribution code is open source. Code can be always modified, so the best approach is code + trusted (legit) party.