updated SSH key


cygwin-apps mailing list
Name: Andrew Schulman
Package: screen
---- BEGIN SSH2 PUBLIC KEY ----
AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIh5WtQRqhzLyhiCds
BhExlJjXY+NeKxt7tp3l4ViEOwGAPmiMp9keikNzVrpBy2poorumkZDCJrCxx3855UxdnV
E51GAO7toxiCMM8BNHX3fnDj6rgydpjCNRStBQUqWQ==
---- END SSH2 PUBLIC KEY ----


Re: updated SSH key

Jon TURNEY
On 20/02/2020 19:37, Andrew Schulman via cygwin-apps wrote:
> Name: Andrew Schulman

Done.

RE: updated SSH key

cygwin-apps mailing list
Thanks!

I was just sitting here thinking about the merits of verifying a new key request like that by some kind of secure signature system, versus just posting the request on a public mailing list, and having a human acknowledge to the developer's previously known email address. I have to say, I can't see much more security benefit from the first method, that would justify the extra hassle. The second method is pleasantly simple.

Andrew E. Schulman
Office of Compliance
U.S. Environmental Protection Agency
202-564-5244

-----Original Message-----
From: Jon Turney <[hidden email]>
Sent: Thursday, February 20, 2020 4:32 PM
To: [hidden email]
Cc: Schulman, Andrew <[hidden email]>
Subject: Re: updated SSH key

On 20/02/2020 19:37, Andrew Schulman via cygwin-apps wrote:
> Name: Andrew Schulman

Done.

Re: updated SSH key

Jon TURNEY
On 20/02/2020 21:35, Schulman, Andrew via cygwin-apps wrote:
> Thanks!
>
> I was just sitting here thinking about the merits of verifying a new
> key request like that by some kind of secure signature system, versus
> just posting the request on a public mailing list, and having a human
> acknowledge to the developer's previously known email address. I have
> to say, I can't see much more security benefit from the first method,
> that would justify the extra hassle. The second method is pleasantly
> simple.

Yeah, it would be nice to have something like SSKM [1], but our gitolite
usage is sufficiently non-standard that it would need some hacking on to fit.

And that doesn't help with initial keys, and people who've lost their
key (who we're presumably going to trust an email from), so given the
small number of keys we're dealing with, it's hard to see it's worth the
effort.

[1] https://gitolite.com/gitolite/contrib/sskm.html