Hacker News thread, submitted by h1x (637 points)
rvdginste No.29208958
Regarding PGP's 'Web of Trust', I thought the purpose of this was to validate the link between the key and the owner of that key. This is not what you get from retrieving a public key from github... that only gives you the link between that key and a github account. But what does that give you?

From what I understand, it gives you nothing for anything that is signed and that does not have a direct link to a github account. Obviously, if someone releases software on that github account and I find a signed release of that software, I can validate that it really was signed by the official source of that software on github. For anything that does not have that direct link, it really does not give you anything.

I've never used PGP, but I thought the web of trust was used to validate metadata on the key and that this can be used to validate that a key really belongs to the person that you think it belongs to. I saw it more like how you have SSL certificates with different degrees of validation and where you must deliver more proof of your identity if you want to receive a certification with a higher degree of validation.

I'm all for using SSH keys for signing, but I still would like to have something like PGP's web of trust for those keys.

geofft No.29210238
In a very practical sense, I (the human writing this comment) pay close attention to the security of my GitHub account and to what SSH keys are added, because I use it regularly and care about the security of my account. I also care about the security of all my client devices that can push to GitHub, and in fact a few of my devices cannot push to GitHub (they have to route through a device I am more careful with). If you have a link to my GitHub account, you have a very high confidence that you have a link to me the human.

Meanwhile, I've been to multiple PGP key-signing parties and organized one or two myself, and the quality of the link is always very low. At one Ubuntu Developer Summit (a community that heavily relies on the Web of Trust), the person organizing the party wanted us to verify short key IDs. I refused, and set up my own list of full fingerprints that I distributed to participants, and earned the ire of the organizer. At one DebConf (another community that heavily relies on the Web of Trust), I saw at least one driver's license from another country that was of such quality that it could be easily reproduced by any fake ID shop for college kids. There may have been features on it to verify its authenticity; I certainly did not know what I should be looking for, and I doubt others did. I don't remember if I signed the key in the end. I think I did. I expect others did.

So, if you find a signature on the Web of Trust for my key, what does that give you? What confidence do you have that the person signing it actually verified it was me?