Add note on ssh commit signing vs OpenPGP
This commit is contained in:
parent
873c027341
commit
5c51419ce6
1 changed files with 37 additions and 0 deletions
37
notes/ssh-signing.md
Normal file
@ -0,0 +1,37 @@
---
title: Why is it better to sign commits with SSH than OpenPGP?
author: "Florian Maury"
slug: ssh-vs-openpgp-signing
date: 2022-05-26T11:00:00Z
---
The OpenPGP format was designed in the 90's and never really changed since
then. It was documented in
[RFC4880](https://datatracker.ietf.org/doc/html/rfc4880) in 2008.
Unfortunately, in the 90's, people had really no good understanding of crypto
yet, and the choices made were poor. Envelope design is poor. Some crypto
algorithms are clearly outdated. Some default options are plain wrong.
Have you ever noticed that so many crypto attacks target OpenPGP and GnuPG?
That's not a surprise: it's a popular crypto solution and it's a relatively
easy target, comparatively to some other mainstream crypto implementations. The
Go langage maintainers even deprecated the OpenPGP implementation in their
crypto standard library because they think [OpenPGP is
*dangerous*](https://github.com/golang/go/issues/44226).
> OpenPGP is incompatible with [Go Cryptography
> Principles](https://golang.org/design/cryptography-principles),
it's complex, fragile, and unsafe, and using it exposes applications to a
dangerous ecosystem.
Basically, I would say that the only thing that OpenPGP has for itself is the
deployed infrastructure. Or has it? Web of trust is mostly dead, since
keyservers are out-of-service. And OpenPGP adoption was never really that high
to begin with.
SSH keys are much more widely deployed and used than OpenPGP keys. The format
is dead simple, and the crypto implementation from OpenSSH is up-to-date.
I am very happy that git made SSH signing possible; it means I can delete my
OpenPGP keys for good. I just hope linux distros will make the switch soon, to
a more modern crypto approach: ssh signing or minisign.
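Review bot: typo in the paragraph on the Go deprecation, "Go langage maintainers" should read "Go language maintainers"; in the same place the quoted text is only partly marked as a blockquote (the first two lines carry `>`, the lines "it's complex, fragile, and unsafe..." and "dangerous ecosystem." do not), so prefix every line of the quote with `> ` to keep the rendering consistent. The opening paragraph asserts that "Envelope design is poor. Some crypto algorithms are clearly outdated. Some default options are plain wrong." without naming a single algorithm or default; one concrete example for each would make the argument verifiable instead of an opinion. The closing paragraph recommends SSH signing but the note never says how to enable it or how verification works; a short pointer to the git configuration needed (`gpg.format` set to `ssh` and an allowed-signers file via `gpg.ssh.allowedSignersFile`) would make the note actionable, since without an allowed-signers list `git verify-commit` cannot tell a trusted SSH key from an arbitrary one.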