←back to thread

Sign arbitrary data with your SSH keys

(www.agwa.name)
637 points h1x | 1 comments | 13 Nov 21 09:13 UTC | HN request time: 0.335s | source
Show context
upofadown ◴[13 Nov 21 11:46 UTC] No.29209152[source]
>Here's why I like SSH signatures:

>* It's not PGP.

The most important reason people use the OpenPGP message format is because it is a well accepted standard. Sure the cryptography is not new and fun but it is secure. If you sign something with OpenPGP then you can be sure that those signatures are verifiable on any platform by anyone. The OpenPGP standard has provisions to ensure that the signatures are from a particular entity. This proposal suggests that Github could be treated as a trusted third party. If that is the case then you don't need signatures at all.

Obligatory "The PGP Problem" rebuttal:

* https://articles.59.ca/doku.php?id=pgpfan:tpp

replies(2): >>29210190 #>>29214489 #
tptacek ◴[14 Nov 21 00:40 UTC] No.29214489[source]
As people can discover from the search bar on this site, your argument against that blog post (which I co-wrote) includes the notion that authenticated encryption is bad, because unauthenticated encryption creates opportunities for data recovery. Restating for the record: I agree in part; where we part company is that I think creating opportunities for data recovery for adversaries is a bad idea.

At any rate: this comment thread is about signing with SSH keys, not your idiosyncratic response to my blog post.

replies(2): >>29214953 #>>29215036 #
1. upofadown ◴[14 Nov 21 02:48 UTC] No.29215036[source]
I think you are referring to my comparison of age vs gpg[1]. That in no way indicates that I have anything against authenticated encryption. I just point out that age has no data recovery utility.

BTW, when used in a normal way, an offline capable, stateless system as embodied in the OpenPGP message standard uses signatures to provide integrity protection[2]. Which might bring us a bit closer to the matter at hand I suppose.

[1] https://articles.59.ca/doku.php?id=pgpfan:agevspgp

[2] https://articles.59.ca/doku.php?id=pgpfan:authenticated