- From: Tom Jones <thomasclinganjones@gmail.com>
- Date: Sat, 13 Nov 2021 12:18:34 -0800
- To: Christopher Allen <ChristopherA@lifewithalacrity.com>
- Cc: W3C DID Working Group <public-did-wg@w3.org>
- Message-ID: <CAK2Cwb7KWcUQOpvhN8G9cbzf4ZjhbL1kfAgAv75GZK_1=PaK2A@mail.gmail.com>
One cannot move from the probably true statement

    ssh is pre-installed in almost all systems today

to the probably false statement

    ssh is available to most users today

I will remind everyone that every technology innovation that is added as a requirement to a feature will decrease the percentage of the population that can use the feature. The UX around all SSI today is atrocious and I see little effort to improve it.

My addition to the existing efforts would be sure to:

1. include inclusion as a principle to be met
2. include an inclusion impact statement in all evaluations of any feature that is required for people to access any piece of society.

..tom

On Sat, Nov 13, 2021 at 10:11 AM Christopher Allen <ChristopherA@lifewithalacrity.com> wrote:

> This looks interesting! I knew ssh-keygen had a signing option, but it
> looks like you can soon sign git commits with ssh too (rather than GPG).
> I’d not used it because I thought it might be subject to a cross-protocol
> attack, but it looks like this has been addressed.
>
> I’m also pleased they have signature name spaces (similar to proof purpose
> in DIDs) – lack of this is a common flaw in a number of other signature
> schemes.
>
> What is also important about this is that ssh is pre-installed in
> almost all systems today, so you don’t have to install anything to
> bootstrap file signing. This has always been a catch-22 when I’ve looked
> into securing a new system against install hijacking (e.g. curl | bash) &
> supply-chain attacks.
>
> https://www.agwa.name/blog/post/ssh_signatures
>
> Is anyone else doing anything with ssh keys & DIDs? I’ve lately been
> puzzling also on next draft of did:onion method (
> https://blockchaincommons.github.io/did-method-onion/ & implemented at
> https://github.com/BlockchainCommons/torgap-demo), and we have a solution
> for a “universal donor” 25519 key that can be transformed into both
> minisign & tor keys (https://github.com/BlockchainCommons/torgap-sig &
> https://github.com/BlockchainCommons/torgap-sig-cli-rust). I’ll have to
> see if there are any issues with leveraging ssh keys as well.
>
> — Christopher Allen [via iPhone]
>
Received on Saturday, 13 November 2021 20:20:00 UTC
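
The signature namespaces mentioned in the quoted message can be seen with a stock OpenSSH (8.1 or later); this is an added example, not part of either message. The key, the identity `signer@example.org`, the message text and the function name `sign_then_verify` are constructed for illustration, and `file` and `git` are used only as two different namespace strings.

```shell
#!/bin/sh
# Added example: a signature made under one namespace must not verify
# under another, which is what blocks reuse of a signature across protocols.

# sign_then_verify SIGN_NS VERIFY_NS
# Signs a constructed message under SIGN_NS with a throwaway Ed25519 key,
# then verifies it while expecting VERIFY_NS.
# Returns 0 if the signature is accepted, non-zero otherwise.
sign_then_verify() {
    sign_ns=$1
    verify_ns=$2
    dir=$(mktemp -d) || return 2

    # Throwaway key pair with no passphrase (constructed for this demo).
    ssh-keygen -q -t ed25519 -N '' -C 'constructed demo key' -f "$dir/key" \
        || { rm -rf "$dir"; return 2; }

    # Constructed message standing in for a file to be signed.
    printf 'contents of release-1.0.tar.gz\n' > "$dir/msg"

    # allowed_signers line: principal, key type, base64 public key.
    printf 'signer@example.org %s\n' "$(cut -d' ' -f1,2 "$dir/key.pub")" \
        > "$dir/allowed_signers"

    # Sign from stdin; the namespace is bound into the signed data.
    ssh-keygen -Y sign -f "$dir/key" -n "$sign_ns" \
        < "$dir/msg" > "$dir/msg.sig" 2>/dev/null

    # Verify; the verifier states which namespace it expects.
    ssh-keygen -Y verify -f "$dir/allowed_signers" -I signer@example.org \
        -n "$verify_ns" -s "$dir/msg.sig" < "$dir/msg" >/dev/null 2>&1
    status=$?

    rm -rf "$dir"
    return $status
}

sign_then_verify file file && echo "signed as file, verified as file: accepted"
sign_then_verify file git  || echo "signed as file, verified as git: rejected"
```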