
637 points h1x | 1 comments
rvdginste No.29208958
Regarding PGP's 'Web of Trust', I thought the purpose of this was to validate the link between the key and the owner of that key. This is not what you get from retrieving a public key from GitHub... that only gives you the link between that key and a GitHub account. But what does that give you?

From what I understand, it gives you nothing for anything that is signed and that does not have a direct link to a GitHub account. Obviously, if someone releases software on that GitHub account and I find a signed release of that software, I can validate that it really was signed by the official source of that software on GitHub. For anything that does not have that direct link, it really does not give you anything.

I've never used PGP, but I thought the web of trust was used to validate metadata on the key and that this can be used to validate that a key really belongs to the person that you think it belongs to. I saw it more like how you have SSL certificates with different degrees of validation and where you must deliver more proof of your identity if you want to receive a certification with a higher degree of validation.

I'm all for using SSH keys for signing, but I still would like to have something like PGP's web of trust for those keys.

replies(3): >>29209348 >>29209424 >>29210238
1. southerntofu No.29209424
Chances are you're already using SSH keys for SSH authentication, whether for your own machines or as part of a Pubnix/tilde server [0]. That can prove useful for signing data in a server-to-server model (e.g. to advertise vhosts to mirror or provide secondary NS/MX for) or identifying users on a less-secure channel (e.g. SSH-sign a JSON HTTP request).

When you think about it, SSH keys are used as identifiers (just like PGP keys) so there's no reason not to use them as such. But as you pointed out, SSH doesn't have a WoT yet, so we rely on trusted third parties to discover keys (so far).

[0] https://tildeverse.org
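The signing model southerntofu describes, as an added example that is not part of the thread or of any project mentioned in it: a shell walk-through of OpenSSH's `ssh-keygen -Y sign` / `-Y verify`, which assumes an OpenSSH 8.0 or later `ssh-keygen` on PATH. The key pair, the principal name `alice@example`, the namespace `demo-request` and the JSON payload are all constructed for the demo. The `allowed_signers` file is where rvdginste's question lands: it is the manually curated key-to-identity binding that stands in for a web of trust, so the same valid key is rejected when it is presented under a principal it was never bound to.

```shell
#!/bin/sh
# Added example (not from the thread): sign a payload with an SSH key and verify it
# against an allowed_signers file using ssh-keygen -Y (OpenSSH 8.0+ assumed on PATH).
# Every key, name and payload below is constructed for the demo.

# Runs the sign/verify cycle in a temp dir. Prints "ok" and returns 0 only when the
# genuine signature verifies AND a tampered payload AND an unbound principal are both
# rejected. Non-zero return codes identify which step broke.
sshsig_demo() {
    dir=$(mktemp -d) || return 1

    # Throwaway ed25519 key pair, no passphrase (constructed for the demo).
    ssh-keygen -q -t ed25519 -N '' -C 'demo@example' -f "$dir/id_demo" >/dev/null 2>&1 || return 1

    # Payload to sign: stands in for the JSON HTTP request body mentioned in the thread.
    printf '{"action":"mirror","vhost":"example.org"}\n' > "$dir/request.json"

    # Sign under an explicit namespace. The namespace is bound into the signature, so a
    # signature produced for "demo-request" cannot be replayed as, say, a git commit sig.
    ssh-keygen -Y sign -f "$dir/id_demo" -n demo-request "$dir/request.json" >/dev/null 2>&1 || return 1

    # allowed_signers is the local trust anchor: "<principal> <key-type> <key-blob>".
    # This is the binding a WoT or a third party would otherwise have to vouch for.
    printf 'alice@example %s\n' "$(cut -d' ' -f1,2 "$dir/id_demo.pub")" > "$dir/allowed_signers"

    # 1. Genuine payload, principal that is bound to the key: must verify.
    ssh-keygen -Y verify -f "$dir/allowed_signers" -I alice@example -n demo-request \
        -s "$dir/request.json.sig" < "$dir/request.json" >/dev/null 2>&1 || return 2

    # 2. Tampered payload, same signature: must be rejected.
    printf '{"action":"mirror","vhost":"evil.example"}\n' > "$dir/tampered.json"
    if ssh-keygen -Y verify -f "$dir/allowed_signers" -I alice@example -n demo-request \
        -s "$dir/request.json.sig" < "$dir/tampered.json" >/dev/null 2>&1; then
        return 3
    fi

    # 3. Valid key and payload, but a principal we never bound to the key: must be
    #    rejected. The signature is cryptographically fine; the identity claim is not.
    if ssh-keygen -Y verify -f "$dir/allowed_signers" -I bob@example -n demo-request \
        -s "$dir/request.json.sig" < "$dir/request.json" >/dev/null 2>&1; then
        return 4
    fi

    rm -rf "$dir"
    echo ok
    return 0
}

sshsig_demo
```

Case 3 is the practical answer to "what does a key fetched from a third party give you": `ssh-keygen` only ever checks the signature against whatever principal-to-key bindings you chose to put in `allowed_signers`, so the trust decision about who owns the key is made when that file is written, not at verification time.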