[matthewaveryusa]

You potentially send all your key IDs (ie public keys) your agent has. there are command line options to force your ssh not to use your agent in which case, barred any bugs in the ssh client, it’s like browsing to a domain in your browser.

[jdavis703]

This is the first time I’ve heard someone say sharing public keys is a security risk. Can you explain the threat model here?

[wtetzner]

I think it’s more of a privacy leak. E.g., the service could potentially figure out who you are if your public keys are tied to some other service, like GitHub.

[ragona]

If you ever manage to leak a private key it’s easier to track it back to you. There was a recent paper showing the ability to tie rather a lot of keys to the associated developers.

[lenkite]

Would be easy to contact other web services and determine the identity marching a public key.