←back to thread

Sign arbitrary data with your SSH keys

(www.agwa.name)
637 points h1x | 6 comments | 13 Nov 21 09:13 UTC | HN request time: 0.448s | source | bottom
1. rvdginste ◴[13 Nov 21 10:59 UTC] No.29208958[source]
Regarding PGP's 'Web of Trust', I thought the purpose of this was to validate the link between the key and the owner of that key. This is not what you get from retrieving a public key from github... that only gives you the link between that key and a github account. But what does that give you?

From what I understand, it gives you nothing for anything that is signed and that does not have a direct link to a github account. Obviously, if someone releases software on that github account and I find a signed release of that software, I can validate that it really was signed by the official source of that software on github. For anything that does not have that direct link, it really does not give you anything.

I've never used PGP, but I thought the web of trust was used to validate metadata on the key and that this can be used to validate that a key really belongs to the person that you think it belongs to. I saw it more like how you have SSL certificates with different degrees of validation and where you must deliver more proof of your identity if you want to receive a certification with a higher degree of validation.

I'm all for using SSH keys for signing, but I still would like to have something like PGP's web of trust for those keys.

replies(3): >>29209348 #>>29209424 #>>29210238 #
2. kenmacd ◴[13 Nov 21 12:38 UTC] No.29209348[source]
I agree, but I think it's pretty clear that web-of-trust has failed. There may be 6 or fewer degrees of separation between us, but the chance that there's a path of people that actually validate and sign keys isn't very high.

As an alternative keybase.io worked well. If you knew the person controlling the github account also controlled the mastodon/twitter where you talked to them, and the website/blog, etc, then you can be pretty sure it's them. (I saw mention of more open systems here too https://news.ycombinator.com/item?id=29132024).

> I'm all for using SSH keys for signing, but I still would like to have something like PGP's web of trust for those keys.

same here. I use my gpg key for ssh (stored on a yubikey). Seems like a better option to me.

replies(2): >>29214109 #>>29215129 #
3. southerntofu ◴[13 Nov 21 12:57 UTC] No.29209424[source]
Chances are you're already using SSH keys for SSH authentication, whether for your own machines or as part of a Pubnix/tilde server [0]. That can prove useful for signing data in a server-to-server model (eg. to advertise vhosts to mirror or provide secondary NS/MX for) or identifying users on a less-secure channel (eg. SSH-sign a JSON HTTP request).

When you think about it, SSH keys are used as identifiers (just like PGP keys) so there's no reason not to use them as such. But as you pointed out, SSH doesn't have a WoT yet so we rely on trusted 3rd parties to discover keys (so far).

[0] https://tildeverse.org

4. geofft ◴[13 Nov 21 15:07 UTC] No.29210238[source]
In a very practical sense, I (the human writing this comment) pay close attention to the security of my GitHub account and to what SSH keys are added, because I use it regularly and care about the security of my account. I also care about the security of all my client devices that can push to GitHub, and in fact a few of my devices cannot push to GitHub (they have to route through a device I am more careful with). If you have a link to my GitHub account, you have a very high confidence that you have a link to me the human.

Meanwhile, I've been to multiple PGP key-signing parties and organized one or two myself, and the quality of the link is always very low. At one Ubuntu Developer Summit (a community that heavily relies on the Web of Trust), the person organizing the party wanted us to verify short key IDs. I refused, and set up my own list of full fingerprints that I distributed to participants, and earned the ire of the organizer. At one DebConf (another community that heavily relies on the Web of Trust), I saw at least one driver's license from another country that was of such quality that it could be easily reproduced by any fake ID shop for college kids. There may have been features on it to verify its authenticity; I certainly did not what I should be looking for, and I doubt others did. I don't remember if I signed the key in the end. I think I did. I expect others did.

So, if you find a signature on the Web of Trust for my key, what does that give you? What confidence do you have that the person signing it actually verified it was me?

5. notatoad ◴[13 Nov 21 23:31 UTC] No.29214109[source]
i think the main assumption that keybase makes is an important one: you don't need to link a key to a person, you need to link it to an identity. and a github page or a twitter account is an identity. the IRL identity of the person controlling that web identity can be considered out of scope.

if you do need to link a key to an actual non-digital person, then you've got a whole different set of problems.

6. GekkePrutser ◴[14 Nov 21 03:16 UTC] No.29215129[source]
The problem of gpg/PGP servers is that they never counted on the phenomenon of 'spammers'. I have not put my key in a public directory for at least 15 years now.