by EduardoRT 1398 days ago
Not a big deal at all considering that they're public keys, there's no security concern there.

Feels weird, but it's like going into a building that requires a badge and showing proof that you actually own several keys, then the building guard telling you he needs X key to enter since that's the one they know, and it's authorized.

All your public keys in your GitHub account are accessible through a link, just github.com/<username>.keys

3 comments

> Not a big deal at all considering that they're public keys, there's no security concern there.

I might be pushing the analogy too far, but: all the URLs I have visited are public and are not identifying me personally, yet uploading them all together to a third party feels like a breach of privacy.

There is a privacy concern. And that might end up being a security concern depending on the threat model (e.g. social engineering attacks).

So, you'd ask someone to SSH into a server, and you'll get some of his public keys (I think the default limit is 5 keys), what would you do with that? You can also just go to their GitHub profile and fetch the keys or ask them to send you their public keys, they're meant to be public after all.

Here's one of my public keys, for free: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICIc3nOnSnsiAdkjAdH5WR9enQiPYWq1zAVsTDt60e91

As well as .keys, there's .gpg for GPG keys, and .png for the profile picture.
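An added example, not part of the thread: a self-audit that reports which of your local public keys also appear in a published key list such as the `.keys` output mentioned above, which is what makes an offered key linkable to an account. The function names, the comment fields, the all-zero second key and the stand-in `.keys` text are constructed for illustration; only the first key comes from the thread.

```python
import base64
import hashlib
import struct

# Key posted in the thread above; everything else below is constructed.
THREAD_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICIc3nOnSnsiAdkjAdH5WR9enQiPYWq1zAVsTDt60e91"


def parse_pubkey(line):
    """Return (key_type, blob) for one OpenSSH public-key line, or None."""
    fields = line.split()
    if len(fields) < 2 or fields[0].startswith("#"):
        return None
    key_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # covers binascii.Error for malformed base64
        return None
    if len(blob) < 4:
        return None
    # The blob begins with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        return None
    return key_type, blob


def fingerprint(blob):
    """SHA256 fingerprint in the form printed by `ssh-keygen -l`."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def publicly_linked(local_lines, published_text):
    """Fingerprints of local keys that also appear in the published list."""
    published = {p[1] for p in map(parse_pubkey, published_text.splitlines()) if p}
    local = [p for p in map(parse_pubkey, local_lines) if p]
    # Compare decoded blobs, so differing comment fields do not matter.
    return [fingerprint(blob) for _, blob in local if blob in published]


# Constructed placeholder key (32 zero bytes), never published anywhere.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
LOCAL_KEYS = [THREAD_KEY + " laptop",
              "ssh-ed25519 " + base64.b64encode(_blob).decode() + " unpublished"]
PUBLISHED = THREAD_KEY + "\n"  # constructed stand-in for a .keys response

if __name__ == "__main__":
    print(publicly_linked(LOCAL_KEYS, PUBLISHED))
```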