637 points h1x | 7 comments
1. dandanua No.29208838
This is awesome and should be more widespread.

I always feel embarrassed when I see government systems that use digital signature infrastructure. Usually, a government website has their own web application through which you input your private key and your password. Sure, usually those applications use standard libraries that do computations locally. But how do I know this? If such a website is hacked – my private key will be exposed.

replies(2): >>29208941 #>>29209028 #
2. numair No.29208941
> web application through which you input your private key and your password

Sorry, what? Can you point me to some examples, because this sounds so crazy. Why would you ever upload your private key to a server? Sounds like security theatre to me...

replies(1): >>29208995 #
3. dandanua No.29208995
The verification is local (through JavaScript, nowadays). But you can't know this if you're not a hacker that can check it. It's widespread in Ukraine, and I assumed it's similar in other countries.

I mean hackers could change the code of the website so that private keys will be uploaded without users noticing.

replies(1): >>29209135 #
4. Hendrikto No.29209028
That's why you generate a new key pair for every service.
replies(1): >>29209089 #
5. dandanua No.29209089
I'm talking about keys that have certificates issued by authorized centers. Those keys have legal power. Also obtaining a certificate costs a fee.
6. numair No.29209135{3}
Ahh yes, now that I think about it, I’ve seen this sort of implementation before:

1. Government forces you to jump through hoops with some collection of favored — sorry, I meant “authorized” — vendors who can issue you a certificate for $WTF (either paid directly or through your taxes...).

2. You are provided with the private key in some manner. Hopefully not in your email, but that’s often what happens.

3. Whenever you want to validate yourself to the service, the government website then has you upload that private key to use in their own homemade implementation of JavaScript PKI. Sometimes they actually take the key from you and send it to their server to do the work.

... I think we are both in agreement that this is pretty lousy. And if you’re seeing it in Ukraine, it’s a world-wide “security” model. Maybe someone else here on HN can explain the thinking that went into these sorts of implementations...

replies(1): >>29209946 #
7. pastage No.29209946{4}
Where else are you seeing this? Say what you want about digital signatures, but I have not seen this. I guess JavaScript PKI is a thing though, and that will end badly with soft tokens.