637 points h1x | 1 comment

dane-pgp No.29208701
> GitHub acts as a trusted third party here, and you have to trust them not to lie about people's public keys, so it may not be appropriate for all use cases. But relying on a trusted third party with a professional security team like GitHub seems like a way better default than PGP's Web of Trust, which was nigh impossible to use.

Hopefully that's a false dichotomy and the entire Free Software community doesn't end up reliant on Microsoft to host all our keys for us. The article goes on to mention key transparency, though, which does seem like the right solution.

I note that rekor (the transparency log implementation used by sigstore) already supports signing with SSH keys[0], so this TechRepublic article about it[1] from March (which lists only "GPG, x509 and Minisign") is already out of date.

[0] https://github.com/sigstore/rekor/blob/main/types.md#ssh

[1] https://www.techrepublic.com/article/a-new-linux-foundation-...

replies(2): >>29208803 >>29208944

bawolff No.29208944
It's not like anyone has ever really come up with a good solution to key distribution. You either trust a central authority (PKI), deal with the mess that is web of trust, or blindly trust your first connection and verify the person hasn't changed (TOFU).

Honestly it kind of reminds me of the problem of defining "Truth" (in a philosophical sense).

All options are sucky in their own way.

replies(3): >>29213437 >>29215340 >>29232066

Anunayj No.29232066
I really liked how Keybase [1] approached this issue: their methodology involves generating keys on the client and making it post "proofs" on whatever social media you use. This gives a "my identity -> my key" relation, and their client (which is open-sourced) would verify these proofs client-side. So it's server-aided but still trustless.

Unfortunately the development seems to have ceased after Zoom acquired them.

[1] https://keybase.io/
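The "server-aided but still trustless" proof scheme described in the comment above, as an added illustration that is not Keybase's code and not part of the original thread. It assumes an Ed25519 key generated on the client, a hex SHA-256 key fingerprint and a `keyproof/v1` statement format, all of which are this example's own conventions; the social-service "posts" and the two directory answers are constructed inline so the block runs offline. The directory (the server's role) only hands the client a public key; the client then fetches the post from the claimed account and checks the signature itself, so a server that substitutes a different key, or a proof copied onto someone else's account, is rejected client-side.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Proof is the statement a client posts on one of its own social accounts:
// "account <Service>/<Username> belongs to the holder of key <Fingerprint>",
// signed by that key. Field names and format are this example's, not Keybase's.
type Proof struct {
	Service     string `json:"service"`
	Username    string `json:"username"`
	Fingerprint string `json:"fingerprint"`
	Sig         string `json:"sig"`
}

// Fingerprint is hex(SHA-256(raw public key)); a local convention for the example.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// signedBody is the exact byte string covered by the signature.
func signedBody(service, username, fp string) []byte {
	return []byte("keyproof/v1\n" + service + "\n" + username + "\n" + fp)
}

// MakeProof runs on the client; the private key never leaves it.
func MakeProof(priv ed25519.PrivateKey, service, username string) Proof {
	fp := Fingerprint(priv.Public().(ed25519.PublicKey))
	sig := ed25519.Sign(priv, signedBody(service, username, fp))
	return Proof{service, username, fp, hex.EncodeToString(sig)}
}

// Posts stands in for the public pages of the social services (constructed data):
// "service/username" -> the text found on that account.
type Posts map[string]string

func (p Posts) Publish(pr Proof) {
	b, _ := json.Marshal(pr)
	p[pr.Service+"/"+pr.Username] = string(b)
}

// VerifyProof is the client-side check. The server is consulted only for the
// public key and for where the proof lives; if it lies about the key, the
// signature on the post does not verify, so the lie is detected.
func VerifyProof(pub ed25519.PublicKey, service, username string, posts Posts) error {
	posted, ok := posts[service+"/"+username]
	if !ok {
		return fmt.Errorf("no proof posted on %s/%s", service, username)
	}
	var pr Proof
	if err := json.Unmarshal([]byte(posted), &pr); err != nil {
		return err
	}
	// The proof must name the account it was found on, or a copied proof would pass.
	if pr.Service != service || pr.Username != username {
		return errors.New("posted proof is about a different account")
	}
	if pr.Fingerprint != Fingerprint(pub) {
		return errors.New("posted proof names a different key than the server gave us")
	}
	sig, err := hex.DecodeString(pr.Sig)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, signedBody(pr.Service, pr.Username, pr.Fingerprint), sig) {
		return errors.New("signature does not verify under the server-supplied key")
	}
	return nil
}

// Scenario returns the verification results for an honest directory and for a
// directory that substitutes an attacker's key for alice's.
func Scenario() (honest error, substituted error) {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	attackerPub, _, _ := ed25519.GenerateKey(rand.Reader)

	posts := Posts{}
	posts.Publish(MakeProof(alicePriv, "github", "alice")) // alice posts on her own account

	honest = VerifyProof(alicePub, "github", "alice", posts)
	substituted = VerifyProof(attackerPub, "github", "alice", posts)
	return
}

func main() {
	honest, substituted := Scenario()
	fmt.Println("honest directory:", honest)
	fmt.Println("lying directory:", substituted)
}
```

The check that the posted proof names the account it was fetched from matters as much as the signature: without it, anyone could copy a valid proof onto their own profile and bind another person's key to themselves. What this does not defend against is the service itself (or a compromised account) showing different posts to different viewers, which is the gap key transparency is meant to close.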