1. 8
    1. 8

      Care should always be taken when using an SSH client to connect to untrusted hosts. Make sure you’re not actually forwarding your SSH agent to the remote host, or they’ll be able to hijack your keys. Consider also that any output is processed by your terminal, and there have been a number of serious security bugs in terminal escape sequence handling in a variety of terminal emulators in the past.

      1. 4

        I like SSH and people doing interesting things with it.

        But this seems somewhat scary. Instead of having to trust where your private key is stored and that your SSH client is secure, you now have to trust a potentially very juicy target.

        Also I read the “why”, but don’t I get most of that by simply having my SSH key? And isn’t tying your email address to an SSH key and making that public kind of reducing your privacy? I know for most situations that doesn’t really matter, but objectively it does, no?

        Maybe I am misunderstanding something though.

        1. 3

          I assumed the main use of this kind of database would be to find the list of valid public keys for an email, but it doesn’t look like that’s hooked up. You can register and do nothing else? Very odd.
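
The agent-forwarding advice in the first comment can be checked against a client config. The following is an added example, not part of the thread: a simplified reader of `ssh_config` that reports whether `ForwardAgent` is in effect for a given host. The function names and sample config are constructed, and `Match` and `Include` directives are assumed absent.

```python
import fnmatch

# Constructed sample ssh_config for illustration (not from the thread).
SAMPLE_CONFIG = """\
# per-host overrides first, catch-all last
Host bastion.example.org
    ForwardAgent yes

Host *.example.org !legacy.example.org
    ForwardAgent no

Host *
    ForwardAgent yes
"""

def host_matches(patterns, host):
    """Host rule: at least one positive pattern matches and no negated one does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False          # a negated match vetoes the whole line
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive

def forwards_agent(config_text, host):
    """True if the first ForwardAgent value obtained for host is not 'no'."""
    active = True                     # options before any Host line apply to all
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ").split()
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            active = host_matches(args, host)
        elif key in ("match", "include"):
            raise ValueError("Match/Include are outside this simplified reader")
        elif key == "forwardagent" and active and args:
            # 'yes', a socket path or a $VAR all enable forwarding; first value wins
            return args[0].lower() != "no"
    return False                      # OpenSSH default is 'no'

if __name__ == "__main__":
    for h in ("bastion.example.org", "git.example.org", "legacy.example.org"):
        print(h, "forwards agent:", forwards_agent(SAMPLE_CONFIG, h))
```

The excluded host `legacy.example.org` falls through to the permissive `Host *` block, which is the kind of surprise this check is meant to surface. OpenSSH's own `ssh -G <host>` prints the effective options as the client resolves them.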