From: Jon Turney
To: "cygwin-apps@cygwin.com"
Subject: Re: updated SSH key
Date: Fri, 21 Feb 2020 15:20:00 -0000
Message-ID: <64565cb8-e8f4-ddb2-90f1-e4bbf4245b8c@dronecode.org.uk>

On 20/02/2020 21:35, Schulman, Andrew via cygwin-apps wrote:
> Thanks!
>
> I was just sitting here thinking about the merits of verifying a new
> key request like that by some kind of secure signature system, versus
> just posting the request on a public mailing list, and having a human
> acknowledge to the developer's previously known email address. I have
> to say, I can't see much more security benefit from the first method,
> that would justify the extra hassle. The second method is pleasantly
> simple.

Yeah, it would be nice to have something like SSKM [1], but our gitolite
usage is sufficiently non-standard that would need some hacking on to fit.

And that doesn't help with initial keys, and people who've lost their
key (who we're presumably going to trust an email from), so given the
small number of keys we're dealing with, it's hard to see it's worth the
effort.

[1] https://gitolite.com/gitolite/contrib/sskm.html