←back to thread

Sign arbitrary data with your SSH keys

(www.agwa.name)
637 points h1x | 1 comments | 13 Nov 21 09:13 UTC | HN request time: 0.209s | source
Show context
upofadown ◴[13 Nov 21 11:46 UTC] No.29209152[source]
>Here's why I like SSH signatures:

>* It's not PGP.

The most important reason people use the OpenPGP message format is because it is a well accepted standard. Sure the cryptography is not new and fun but it is secure. If you sign something with OpenPGP then you can be sure that those signatures are verifiable on any platform by anyone. The OpenPGP standard has provisions to ensure that the signatures are from a particular entity. This proposal suggests that Github could be treated as a trusted third party. If that is the case then you don't need signatures at all.

Obligatory "The PGP Problem" rebuttal:

* https://articles.59.ca/doku.php?id=pgpfan:tpp

replies(2): >>29210190 #>>29214489 #
geofft ◴[13 Nov 21 15:00 UTC] No.29210190[source]
> The OpenPGP standard has provisions to ensure that the signatures are from a particular entity.

No, it does not - it has provisions to ensure that the signatures are from a particular private key. Mapping that to a human-meaningful entity is beyond the scope of the OpenPGP specification.

The article you link does not really address that point, and it doesn't at all substantiate the claim that using GitHub as a trusted third party means you "don't need signatures at all".

(Also, the original post says that other means like key transparency can be used instead of trusting GitHub.)

replies(2): >>29210335 #>>29214555 #
zucker42 ◴[14 Nov 21 00:50 UTC] No.29214555[source]
Isn't the web of trust part of a PGP? That maps private keys to human-meaningful entities. Or is that not part of OpenPGP?
replies(2): >>29214842 #>>29214903 #
1. int_19h ◴[14 Nov 21 01:55 UTC] No.29214842[source]
The argument is that the whole "web of trust" thing never really took off, so you can't rely on it in practice.