Add note on ssh commit signing vs OpenPGP
parent 873c027341
commit 5c51419ce6
1 changed files with 37 additions and 0 deletions
37
notes/ssh-signing.md
Normal file
@ -0,0 +1,37 @@
---
title: Why is it better to sign commits with SSH than OpenPGP?
author: "Florian Maury"
slug: ssh-vs-openpgp-signing
date: 2022-05-26T11:00:00Z
---

The OpenPGP format was designed in the 90's and never really changed since
then. It was documented in
[RFC4880](https://datatracker.ietf.org/doc/html/rfc4880) in 2008.
Unfortunately, in the 90's, people had really no good understanding of crypto
yet, and the choices made were poor. Envelope design is poor. Some crypto
algorithms are clearly outdated. Some default options are plain wrong.

Have you ever noticed that so many crypto attacks target OpenPGP and GnuPG?
That's not a surprise: it's a popular crypto solution and it's a relatively
easy target, comparatively to some other mainstream crypto implementations. The
Go langage maintainers even deprecated the OpenPGP implementation in their
crypto standard library because they think [OpenPGP is
*dangerous*](https://github.com/golang/go/issues/44226).

> OpenPGP is incompatible with [Go Cryptography
> Principles](https://golang.org/design/cryptography-principles),
it's complex, fragile, and unsafe, and using it exposes applications to a
dangerous ecosystem.

Basically, I would say that the only thing that OpenPGP has for itself is the
deployed infrastructure. Or has it? Web of trust is mostly dead, since
keyservers are out-of-service. And OpenPGP adoption was never really that high
to begin with.

SSH keys are much more widely deployed and used than OpenPGP keys. The format
is dead simple, and the crypto implementation from OpenSSH is up-to-date.

I am very happy that git made SSH signing possible; it means I can delete my
OpenPGP keys for good. I just hope linux distros will make the switch soon, to
a more modern crypto approach: ssh signing or minisign.
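Review bot: the note argues that readers should switch to SSH signing but never shows how to turn it on or how a verifier checks it, so it is hard to act on; consider adding, after the last paragraph, the git settings involved (`git config --global gpg.format ssh` and `git config --global user.signingkey ~/.ssh/id_ed25519.pub` for signing, plus an allowed-signers file referenced by `gpg.ssh.allowedSignersFile` so that `git log --show-signature` can verify), together with one sentence noting that, unlike OpenPGP, there is no keyserver or web of trust to fetch the signer's key from, so the allowed-signers file is the trust anchor and key rotation happens there. Two smaller points in the same hunk: "Go langage" should read "Go language", and the two continuation lines of the block quote ("it's complex, fragile, ..." and "dangerous ecosystem.") lack the leading `>`, so they should be prefixed to keep the quotation clearly marked. Also double-check the RFC date: RFC 4880 was published in November 2007, not 2008.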