- From: Wayne Chang <wayne@spruceid.com>
- Date: Sat, 13 Nov 2021 18:20:17 +0000
- To: Christopher Allen <ChristopherA@lifewithalacrity.com>
- Cc: W3C DID Working Group <public-did-wg@w3.org>
- Message-ID: <CAFTzAXjPpWoyD_8AdB-du+sw+f-j12gNr8JFif_+YWPqqJ-Nog@mail.gmail.com>

We’re trying to take advantage of this with did-webkey:
https://github.com/spruceid/ssi/issues/176

Co-authors welcome!!

On Sat, Nov 13, 2021 at 18:11 Christopher Allen <ChristopherA@lifewithalacrity.com> wrote:

> This looks interesting! I knew ssh-keygen had a signing option, but it
> looks like you can soon sign git commits with ssh too (rather than GPG).
> I’d not used it because I thought it might be subject to a cross-protocol
> attack, but it looks like this has been addressed.
>
> I’m also pleased they have signature name spaces (similar to proof purpose
> in DIDs) – lack of this is a common flaw in a number of other signature
> schemes.
>
> What is also important about this is that ssh is pre-installed in
> almost all systems today, so you don’t have to install anything to
> bootstrap file signing. This has always been a catch-22 when I’ve looked
> into securing a new system against install hijacking (e.g. curl | bash) &
> supply-chain attacks.
>
> https://www.agwa.name/blog/post/ssh_signatures
>
> Is anyone else doing anything with ssh keys & DIDs? I’ve lately been
> puzzling also on next draft of did:onion method (
> https://blockchaincommons.github.io/did-method-onion/ & implemented at
> https://github.com/BlockchainCommons/torgap-demo), and we have a solution
> for a “universal donor” 25519 key that can be transformed into both
> minisign & tor keys (https://github.com/BlockchainCommons/torgap-sig &
> https://github.com/BlockchainCommons/torgap-sig-cli-rust). I’ll have to
> see if there are any issues with leveraging ssh keys as well.
>
> — Christopher Allen [via iPhone]

Received on Saturday, 13 November 2021 18:27:40 UTC
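
The signature namespaces mentioned in the quoted message can be exercised with the stock `ssh-keygen`; the following is an added example, not part of the original thread. It assumes an OpenSSH build whose `ssh-keygen` supports `-Y sign`, and the identity `signer@example.org`, the file names and the sample content are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added demo: an SSH signature is bound to the namespace it was made for,
# so a signature produced for one purpose does not verify for another.
# Identity, file names and content below are constructed for this example.

ns_setup() {
    DEMO_DIR=$(mktemp -d) || return 1
    # Throwaway Ed25519 key with no passphrase.
    ssh-keygen -q -t ed25519 -N '' -C demo -f "$DEMO_DIR/id_demo" || return 1
    printf 'release-1.0 contents\n' > "$DEMO_DIR/artifact.txt"
    pub=$(cut -d' ' -f1,2 "$DEMO_DIR/id_demo.pub")
    # allowed_signers file trusting the key for any namespace.
    printf 'signer@example.org %s\n' "$pub" > "$DEMO_DIR/signers_any"
    # Same key, but trusted only for signatures in the "git" namespace.
    printf 'signer@example.org namespaces="git" %s\n' "$pub" > "$DEMO_DIR/signers_git"
    # Sign in the "file" namespace; this writes artifact.txt.sig.
    ssh-keygen -Y sign -f "$DEMO_DIR/id_demo" -n file \
        "$DEMO_DIR/artifact.txt" >/dev/null 2>&1
}

# ns_verify <allowed_signers file> <namespace>  ->  prints accepted|rejected
ns_verify() {
    if ssh-keygen -Y verify -f "$DEMO_DIR/$1" -I signer@example.org -n "$2" \
        -s "$DEMO_DIR/artifact.txt.sig" < "$DEMO_DIR/artifact.txt" >/dev/null 2>&1
    then echo accepted
    else echo rejected
    fi
}

ns_setup || { echo "ssh-keygen with -Y sign support is required" >&2; exit 1; }
echo "verify as 'file', signer unrestricted:   $(ns_verify signers_any file)"
echo "verify as 'git', same signature:         $(ns_verify signers_any git)"
echo "verify as 'file', signer limited to git: $(ns_verify signers_git file)"
```

The second and third checks fail for different reasons: the verifier's expected namespace does not match the one inside the signature, and the `namespaces=` option in the allowed-signers entry does not cover `file`.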