Hi, On 11/10/25 19:17, Simon Josefsson wrote:
Okay, I understand what you mean now -- although I suspect people promiting SSH signatures consider most of those properties a feature and not a bug.
Yes, so we should maybe question their motives?
Generally the convention seems to be that the user manages all key trust aspects. Doesn't github publish SSH keys for users? That's one public database. Expiration and revocation is handled by simply not using the key any more, and removing it from where you publish it.
I'm not sure delegating identity management to Microsoft is a winning strategy for free software.
The regressions in key management compared to PGP (no timestamp on revocation, no indication of revocation reason, no key update mechanism) mean that we'd essentially have to do an online query for every verification, and we need to treat every disappeared key as compromised.
Auth vs sig key separation can be handled by user too, just have two keys and use them in different contexts.
That is a major hassle though, because it needs to be explicitly configured. Simon
