SSH Signatures & DIDs

This looks interesting! I knew ssh-keygen had a signing option, but it
looks like you can soon sign git commits with ssh too (rather than GPG).
I’d not used it because I thought it might be subject to a cross-protocol
attack, but it looks like this has been addressed.

I’m also pleased they have signature name spaces (similar to proof purpose
in DIDs) – lack of this is a common flaw in a number of other signature
schemes.

What is also important about this is that ssh is pre-installed in almost
all systems today, so you don’t have to install anything to bootstrap file
signing. This has always been a catch-22 when I’ve looked into securing a
new system against install hijacking (e.g. curl | bash) & supply-chain
attacks.

https://www.agwa.name/blog/post/ssh_signatures

Is anyone else doing anything with ssh keys & DIDs? I’ve lately been
puzzling also on the next draft of the did:onion method (
https://blockchaincommons.github.io/did-method-onion/ & implemented at
https://github.com/BlockchainCommons/torgap-demo), and we have a solution
for a “universal donor” 25519 key that can be transformed into both
minisign & tor keys (https://github.com/BlockchainCommons/torgap-sig &
https://github.com/BlockchainCommons/torgap-sig-cli-rust). I’ll have to see
if there are any issues with leveraging ssh keys as well.

— Christopher Allen [via iPhone]

Received on Saturday, 13 November 2021 18:10:26 UTC
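As an added illustration (not code from the post above, nor from OpenSSH or Blockchain Commons), the following Python script builds and checks the SSHSIG envelope that `ssh-keygen -Y sign` emits, following the layout in OpenSSH's PROTOCOL.sshsig, using only the standard library. It shows the two properties the post points at: the `SSHSIG` preamble keeps file signatures distinct from the signatures SSH makes during transport and user authentication (the cross-protocol concern), and the namespace sits inside the bytes that get signed, so a verifier that insists on a specific namespace rejects a signature made for another purpose. The signature primitive is a stand-in (HMAC-SHA256 under a shared secret, with a made-up key type name `demo-hmac-sha256`) so the script runs offline; a real ssh-keygen signature is asymmetric (ssh-ed25519, rsa-sha2-512, ...). The functions `sign`, `verify` and `parse`, the secret and the sample message are all constructed for this example.

```python
import base64
import hashlib
import hmac
import struct
import textwrap

MAGIC = b"SSHSIG"        # preamble: never appears in SSH transport/auth signed data
SIG_VERSION = 1
HASH_ALGS = ("sha256", "sha512")
STUB_KEYTYPE = b"demo-hmac-sha256"   # hypothetical key type for the stand-in primitive


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


class Reader:
    """Cursor over an SSH wire-format blob that refuses to read past the end."""

    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def take(self, n: int) -> bytes:
        if self.off + n > len(self.data):
            raise ValueError("truncated SSHSIG blob")
        chunk = self.data[self.off:self.off + n]
        self.off += n
        return chunk

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def string(self) -> bytes:
        return self.take(self.u32())

    def at_end(self) -> bool:
        return self.off == len(self.data)


def signed_data(namespace: bytes, hash_alg: str, message: bytes) -> bytes:
    """The bytes actually signed: preamble, namespace, reserved, hash name, H(message).
    Because the namespace is in here, a 'file' signature cannot pass as a 'git' one."""
    digest = hashlib.new(hash_alg, message).digest()
    return (MAGIC + ssh_string(namespace) + ssh_string(b"")
            + ssh_string(hash_alg.encode("ascii")) + ssh_string(digest))


def stub_sign(secret: bytes, data: bytes) -> bytes:
    # Stand-in for the asymmetric signature (assumption, not what OpenSSH does).
    return hmac.new(secret, data, "sha256").digest()


def armor(blob: bytes) -> str:
    b64 = base64.b64encode(blob).decode("ascii")
    return ("-----BEGIN SSH SIGNATURE-----\n" + "\n".join(textwrap.wrap(b64, 76))
            + "\n-----END SSH SIGNATURE-----\n")


def dearmor(text: str) -> bytes:
    lines = text.strip().splitlines()
    if (len(lines) < 2 or lines[0] != "-----BEGIN SSH SIGNATURE-----"
            or lines[-1] != "-----END SSH SIGNATURE-----"):
        raise ValueError("missing SSH SIGNATURE armor")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def sign(secret: bytes, key_id: bytes, namespace: bytes, message: bytes,
         hash_alg: str = "sha256") -> str:
    """Produce an armored SSHSIG envelope for `message` in `namespace`."""
    if hash_alg not in HASH_ALGS:
        raise ValueError("hash_algorithm must be sha256 or sha512")
    pubkey = ssh_string(STUB_KEYTYPE) + ssh_string(key_id)
    sig = ssh_string(STUB_KEYTYPE) + ssh_string(
        stub_sign(secret, signed_data(namespace, hash_alg, message)))
    blob = (MAGIC + struct.pack(">I", SIG_VERSION) + ssh_string(pubkey)
            + ssh_string(namespace) + ssh_string(b"")
            + ssh_string(hash_alg.encode("ascii")) + ssh_string(sig))
    return armor(blob)


def parse(armored: str) -> dict:
    """Decode the envelope; raises ValueError on any structural problem."""
    r = Reader(dearmor(armored))
    if r.take(6) != MAGIC:
        raise ValueError("not an SSHSIG blob")
    if r.u32() != SIG_VERSION:
        raise ValueError("unsupported SSHSIG version")
    pub = Reader(r.string())
    key_type, key_blob = pub.string(), pub.string()
    namespace, reserved = r.string(), r.string()
    hash_alg = r.string().decode("ascii")
    sig = Reader(r.string())
    sig_type, sig_blob = sig.string(), sig.string()
    if not (r.at_end() and pub.at_end() and sig.at_end()):
        raise ValueError("trailing data in SSHSIG blob")
    return {"key_type": key_type, "key_blob": key_blob, "namespace": namespace,
            "reserved": reserved, "hash_alg": hash_alg,
            "sig_type": sig_type, "sig_blob": sig_blob}


def verify(secret: bytes, armored: str, expected_namespace: bytes, message: bytes) -> bool:
    """Accept only a well-formed envelope whose namespace is the one the caller
    expects (the check `ssh-keygen -Y verify -n` makes) and whose signature
    covers H(message) under that namespace."""
    try:
        env = parse(armored)
    except ValueError:
        return False
    if env["namespace"] != expected_namespace:
        return False
    if env["hash_alg"] not in HASH_ALGS or env["sig_type"] != STUB_KEYTYPE:
        return False
    expected = stub_sign(secret, signed_data(env["namespace"], env["hash_alg"], message))
    return hmac.compare_digest(expected, env["sig_blob"])


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"          # constructed sample input
    MSG = b"#!/bin/sh\necho install\n"           # constructed sample input
    envelope = sign(SECRET, b"alice@example", b"file", MSG)
    print(envelope)
    print("file namespace:", verify(SECRET, envelope, b"file", MSG))
    print("git namespace: ", verify(SECRET, envelope, b"git", MSG))
    print("tampered body: ", verify(SECRET, envelope, b"file", MSG + b"#"))
```

The namespace comparison in `verify` is the step that matters: if the verifier simply trusted the namespace carried inside the envelope, a signature made over a file in the `file` namespace would validate when presented as a `git` commit signature, which is exactly the purpose-confusion the post says other schemes get wrong.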