[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Does d/watch work for commits signed via ssh?

Hi,

On 11/10/25 19:17, Simon Josefsson wrote:


Okay, I understand what you mean now -- although I suspect people
promiting SSH signatures consider most of those properties a feature and
not a bug.


Yes, so we should maybe question their motives?


Generally the convention seems to be that the user manages all key trust
aspects.  Doesn't github publish SSH keys for users?  That's one public
database.  Expiration and revocation is handled by simply not using the
key any more, and removing it from where you publish it.
I'm not sure delegating identity management to Microsoft is a winning strategy for free software.
The regressions in key management compared to PGP (no timestamp on revocation, no indication of revocation reason, no key update mechanism) mean that we'd essentially have to do an online query for every verification, and we need to treat every disappeared key as compromised. 


Auth vs sig
key separation can be handled by user too, just have two keys and use
them in different contexts.


That is a major hassle though, because it needs to be explicitly configured.

   Simon
Reply to: