- From: Christopher Allen <ChristopherA@lifewithalacrity.com>
- Date: Fri, 13 Dec 2024 16:29:18 -0800
- To: Filip Kolarik <filip26@gmail.com>
- Cc: Aaron Goldman <goldmanaaron@gmail.com>, public-did-wg@w3.org
- Message-ID: <CACrqygD9x8dZfQ8bWiiD+yztCENrtZWmujU+Pa6tcXdzLJPSBQ@mail.gmail.com>
On Fri, Dec 13, 2024 at 3:24 PM Filip Kolarik <filip26@gmail.com> wrote:

> I’d love to learn more about the differences between SSH and GPG/PGP
> keys. I initially thought the key distinction lies in how they are
> used. SSH for authentication and remote access, and GPG for encryption
> and signing.
>
> From my perspective, in the context of expanding the decentralized
> space, whether it's SSH or GPG doesn't matter much.
>
> You also made me realize that the GitHub API supports both SSH and GPG
> keys associated with a user account.
>
> curl https://api.github.com/users/filip26/gpg_keys

The key thing you need to know is that most security people now say that PGP/GPG should not be used for email. See: https://www.wired.com/story/efail-pgp-vulnerability-outlook-thunderbird-smime/ which highlights inherent issues with PGP, such as its age, complexity, and lack of forward secrecy, making it less suitable for modern secure communications.

The main value of GPG in the last decade has been for file signing, as git has supported it for some time. For instance, Bitcoin has an elaborate GPG multiparty signing process of tagged releases. See the SHA256SUMS files in the most recent tagged release at https://bitcoincore.org/bin/bitcoin-core-28.0/, and the process has become fairly arcane, see: https://coinguides.org/verify-bitcoin-core-signatures/

However, git introduced support for signing commits and tags with SSH keys in version 2.34.0 (November 15, 2021), leveraging OpenSSH's data-signing capabilities introduced in OpenSSH 8.0. GitHub began supporting SSH commit verification on August 23, 2022, followed by GitLab in version 15.7, released on December 22, 2022. These developments allow developers to use SSH keys for both authentication and commit signing, simplifying code authenticity verification. SSH also now offers support for many cryptosystems, including some that are quantum resistant.

At Blockchain Commons, we currently use both SSH detached signatures for signing tagged releases of more security sensitive applications. For instance, see all the attached files in https://github.com/BlockchainCommons/GordianServer-macOS/releases/tag/v1.1.0. Our goal is to eventually have all of our tagged releases use a verifiable approach including not just apps but also all our libraries. On our roadmap in 2025 are better build tools to make this easier.

I have two gists about Git and SSH signing. Note that I use gists for rough drafts, notes and lists, and they have not been reviewed.

- SSH Keys Best Practices https://gist.github.com/ChristopherA/3d6a2f39c4b623a1a287b3fb7e0aa05b
- Links regarding SSH Signing Best Practices: https://gist.github.com/ChristopherA/3d6a2f39c4b623a1a287b3fb7e0aa05b

I have a bunch of other SSH related gists available at https://gist.github.com/search?q=user%3Achristophera+ssh

-- Christopher Allen

Received on Saturday, 14 December 2024 00:29:59 UTC
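
The SSH detached-signature approach for release files mentioned in the message above, sketched as an added example (not part of the original email and not Blockchain Commons' own tooling). The key, file name, principal `releases@example.org` and namespace `file` are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: detached SSH signature over a release file, then verification.
# Key, file name, principal and namespace below are constructed for the demo.

PRINCIPAL='releases@example.org'   # identity verifiers expect (constructed)
NAMESPACE='file'                   # signature namespace; blocks cross-protocol reuse

# make_demo DIR: throwaway Ed25519 key, sample artifact, allowed_signers file.
make_demo() {
  ssh-keygen -q -t ed25519 -N '' -C "$PRINCIPAL" -f "$1/release_key" || return 1
  printf 'constructed release payload\n' > "$1/release.tar.gz"
  # allowed_signers line: principal, options, key type, base64 public key.
  printf '%s namespaces="%s" %s\n' "$PRINCIPAL" "$NAMESPACE" \
    "$(cut -d' ' -f1,2 "$1/release_key.pub")" > "$1/allowed_signers"
}

# sign_release KEY FILE: writes the armored signature to FILE.sig.
sign_release() {
  ssh-keygen -Y sign -f "$1" -n "$NAMESPACE" "$2" 2>/dev/null
}

# verify_release ALLOWED_SIGNERS FILE [NAMESPACE]: exit 0 only if FILE.sig is a
# valid signature over FILE by a key listed for $PRINCIPAL in that namespace.
verify_release() {
  ssh-keygen -Y verify -f "$1" -I "$PRINCIPAL" -n "${3:-$NAMESPACE}" \
    -s "$2.sig" < "$2" >/dev/null 2>&1
}

# Demo run in a temporary directory: a good signature, then a modified file.
demo_dir=$(mktemp -d)
make_demo "$demo_dir"
sign_release "$demo_dir/release_key" "$demo_dir/release.tar.gz"
verify_release "$demo_dir/allowed_signers" "$demo_dir/release.tar.gz" \
  && echo "signature OK for $PRINCIPAL"
printf 'tampered\n' >> "$demo_dir/release.tar.gz"
verify_release "$demo_dir/allowed_signers" "$demo_dir/release.tar.gz" \
  || echo "modified file rejected"
rm -rf "$demo_dir"
```

Git's SSH commit and tag signing uses the same allowed_signers format with the namespace `git`, read from the file named by `gpg.ssh.allowedSignersFile`.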