←back to thread

Sign arbitrary data with your SSH keys

(www.agwa.name)
637 points h1x | 3 comments | 13 Nov 21 09:13 UTC | HN request time: 0s | source
Show context
rvdginste ◴[13 Nov 21 10:59 UTC] No.29208958[source]
Regarding PGP's 'Web of Trust', I thought the purpose of this was to validate the link between the key and the owner of that key. This is not what you get from retrieving a public key from github... that only gives you the link between that key and a github account. But what does that give you?

From what I understand, it gives you nothing for anything that is signed and that does not have a direct link to a github account. Obviously, if someone releases software on that github account and I find a signed release of that software, I can validate that it really was signed by the official source of that software on github. For anything that does not have that direct link, it really does not give you anything.

I've never used PGP, but I thought the web of trust was used to validate metadata on the key and that this can be used to validate that a key really belongs to the person that you think it belongs to. I saw it more like how you have SSL certificates with different degrees of validation and where you must deliver more proof of your identity if you want to receive a certification with a higher degree of validation.

I'm all for using SSH keys for signing, but I still would like to have something like PGP's web of trust for those keys.

replies(3): >>29209348 #>>29209424 #>>29210238 #
1. kenmacd ◴[13 Nov 21 12:38 UTC] No.29209348[source]
I agree, but I think it's pretty clear that web-of-trust has failed. There may be 6 or fewer degrees of separation between us, but the chance that there's a path of people that actually validate and sign keys isn't very high.

As an alternative keybase.io worked well. If you knew the person controlling the github account also controlled the mastodon/twitter where you talked to them, and the website/blog, etc, then you can be pretty sure it's them. (I saw mention of more open systems here too https://news.ycombinator.com/item?id=29132024).

> I'm all for using SSH keys for signing, but I still would like to have something like PGP's web of trust for those keys.

same here. I use my gpg key for ssh (stored on a yubikey). Seems like a better option to me.

replies(2): >>29214109 #>>29215129 #
2. notatoad ◴[13 Nov 21 23:31 UTC] No.29214109[source]
i think the main assumption that keybase makes is an important one: you don't need to link a key to a person, you need to link it to an identity. and a github page or a twitter account is an identity. the IRL identity of the person controlling that web identity can be considered out of scope.

if you do need to link a key to an actual non-digital person, then you've got a whole different set of problems.

3. GekkePrutser ◴[14 Nov 21 03:16 UTC] No.29215129[source]
The problem of gpg/PGP servers is that they never counted on the phenomenon of 'spammers'. I have not put my key in a public directory for at least 15 years now.