←back to thread

Sign arbitrary data with your SSH keys

(www.agwa.name)
637 points h1x | 1 comments | 13 Nov 21 09:13 UTC | HN request time: 0.312s | source
Show context
lucb1e ◴[13 Nov 21 15:52 UTC] No.29210591[source]
> SSH public keys are one line strings that are easy to copy around. You don't need to use the Web of Trust

PGP public keys you can also just copy around? Nobody is forcing you to use the web of trust with PGP either, if you don't want it. But if you do use keys extensively, it actually helps you: if your boss already verified a customer key, you don't have to re-do the work and meet up in person or ask your boss to send it over before you can use it. Now extend that to a whole network of colleagues, where you configure per-colleague whether you think they properly verify other people's keys, and this whole key distribution problem becomes a lot easier without having to rely on third parties (CA system like with https).

Just a small note, this obviously doesn't invalidate the rest of the article!

replies(1): >>29210773 #
1. kzrdude ◴[13 Nov 21 16:12 UTC] No.29210773[source]
On the other hand, it's very easy to "leak" keys into keyservers by one mistaken command with GPG.

Maybe you have backup signing keys or whatever secret project encryption keys - and you would prefer for privacy and obscurity that the "public" halves are not distributed on keyservers.

In this sense, I think GPG continues the culture of a more naive and smaller internet by thinking that most keys want to have their public part online.