Sign arbitrary data with your SSH keys

(www.agwa.name)

637 points h1x | 1 comments | 13 Nov 21 09:13 UTC | HN request time: 0.213s | source

Show context

upofadown ◴[13 Nov 21 11:46 UTC] No.29209152[source]▶

>>29208518 (OP) #

>Here's why I like SSH signatures:

>* It's not PGP.

The most important reason people use the OpenPGP message format is because it is a well accepted standard. Sure the cryptography is not new and fun but it is secure. If you sign something with OpenPGP then you can be sure that those signatures are verifiable on any platform by anyone. The OpenPGP standard has provisions to ensure that the signatures are from a particular entity. This proposal suggests that Github could be treated as a trusted third party. If that is the case then you don't need signatures at all.

Obligatory "The PGP Problem" rebuttal:

* https://articles.59.ca/doku.php?id=pgpfan:tpp

replies(2): >>29210190 #>>29214489 #

geofft ◴[13 Nov 21 15:00 UTC] No.29210190[source]▶

>>29209152 #

> The OpenPGP standard has provisions to ensure that the signatures are from a particular entity.

No, it does not - it has provisions to ensure that the signatures are from a particular private key. Mapping that to a human-meaningful entity is beyond the scope of the OpenPGP specification.

The article you link does not really address that point, and it doesn't at all substantiate the claim that using GitHub as a trusted third party means you "don't need signatures at all".

(Also, the original post says that other means like key transparency can be used instead of trusting GitHub.)

replies(2): >>29210335 #>>29214555 #

1. shp0ngle ◴[13 Nov 21 15:21 UTC] No.29210335[source]▶

>>29210190 #

Well, if you trust github enough for the keys, you can just download and distribute the arbitrary data through github itself. I guess that is what he was referring to.

↑