
A major problem with doing this is that you have to worry about cross-protocol attacks because there is no namespace parameter like there is with SSH signatures. SSH signatures provide the necessary structure to safely use a single key for multiple purposes.
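As an added illustration (not part of this thread): the domain separation the comment refers to comes from the fact that an SSH signature (PROTOCOL.sshsig) never signs the raw message. It signs a blob consisting of the magic preamble "SSHSIG", the namespace string, a reserved string, the hash algorithm name, and the hash of the message, so a signature produced for one namespace cannot be replayed as a valid signature in another. The Python below rebuilds that to-be-signed blob with stdlib only; the actual public-key operation is replaced by HMAC as a constructed stand-in for "sign/verify with a long-term key", which is an assumption made to keep the example offline, not how ssh-keygen signs.

```python
import hashlib
import hmac
import struct

# Magic preamble of the SSHSIG to-be-signed blob (PROTOCOL.sshsig).
MAGIC_PREAMBLE = b"SSHSIG"


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def sshsig_signed_data(namespace: str, message: bytes, hash_alg: str = "sha256") -> bytes:
    """Build the blob that an SSHSIG signature actually covers.

    Layout: MAGIC_PREAMBLE || string(namespace) || string(reserved)
            || string(hash_alg) || string(H(message))
    The namespace is bound into the signed bytes, which is what prevents a
    signature made for one purpose (e.g. "file") from being presented as a
    signature for another (e.g. "git" or "email").
    """
    digest = hashlib.new(hash_alg, message).digest()
    return (
        MAGIC_PREAMBLE
        + ssh_string(namespace.encode())
        + ssh_string(b"")              # reserved, empty in the current format
        + ssh_string(hash_alg.encode())
        + ssh_string(digest)
    )


# --- Stand-in key primitive (assumption): HMAC replaces the public-key signature ---
def sign_with_namespace(key: bytes, namespace: str, message: bytes) -> bytes:
    return hmac.new(key, sshsig_signed_data(namespace, message), "sha256").digest()


def verify_with_namespace(key: bytes, namespace: str, message: bytes, sig: bytes) -> bool:
    expected = sign_with_namespace(key, namespace, message)
    return hmac.compare_digest(expected, sig)


# --- Contrast: a "raw" scheme that signs the bare message with no namespace ---
def sign_raw(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, "sha256").digest()


def verify_raw(key: bytes, message: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_raw(key, message), sig)


def cross_namespace_demo() -> dict:
    """Same key, same message: does a signature made under one namespace
    verify under another?  Returns the outcomes for both schemes."""
    key = b"constructed-long-term-key-for-demo-only"  # constructed sample key
    message = b"release-1.2.3.tar.gz contents (constructed sample)"

    sig_file = sign_with_namespace(key, "file", message)
    return {
        # With namespaces: only the namespace the signer intended verifies.
        "sshsig_same_ns": verify_with_namespace(key, "file", message, sig_file),
        "sshsig_other_ns": verify_with_namespace(key, "git", message, sig_file),
        # Without namespaces: one signature is valid in every "protocol" that
        # happens to sign the same bytes with the same key.
        "raw_reused": verify_raw(key, message, sign_raw(key, message)),
    }


if __name__ == "__main__":
    for k, v in cross_namespace_demo().items():
        print(f"{k}: {v}")
```

The real `ssh-keygen -Y sign -n <namespace>` / `ssh-keygen -Y verify -n <namespace>` flags set exactly this namespace string; verification with the wrong namespace fails for the same reason the `sshsig_other_ns` check above does.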


It's true, I do remember the DROWN exploit relying upon keys presented over differing protocols.

It doesn't take long to generate an RSA key, though. A dedicated signing key would seem to be the obvious thing to do.

https://en.wikipedia.org/wiki/DROWN_attack



