by olalonde 421 days ago
> Key compromise happens, key loss happens, and identities change over time.

This problem is largely solved in cryptocurrency-land. You have a hardware device that does the signing, which is recoverable from a 24 word seed that is stored offline (plus a passphrase which can be memorized or stored online so that it's not catastrophic if someone gets to your seed).

I just found out that Ledger actually supports SSH/PGP: https://support.ledger.com/article/115005200649-zd

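The "24 words plus a passphrase" backup described in the post is the BIP39/BIP32 scheme that Ledger and similar devices use. As an added illustration (not code from the post or from Ledger), this Python sketch recomputes the master key the way a replacement device would, and shows that whoever finds the written-down words without the passphrase lands on a different key. The mnemonic and passphrase are constructed sample values, the mnemonic's checksum is not verified, and the hypothetical helper names are mine.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample input: the familiar test pattern of 23 x "abandon" + "art".
# It is nobody's real backup, and the BIP39 checksum is not checked here.
SAMPLE_MNEMONIC = " ".join(["abandon"] * 23 + ["art"])


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic,
    salted with "mnemonic" + passphrase, 2048 rounds, 64-byte output.
    Note that no wordlist is needed for this step; the words are only a string."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, 64)


def bip32_master(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512 keyed with b"Bitcoin seed".
    Left 32 bytes are the master private key, right 32 bytes the chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def recover_master_key(mnemonic: str, passphrase: str = "") -> bytes:
    """What a fresh device recomputes from the offline words plus the passphrase;
    every app-specific key (SSH, PGP, wallet) is derived below this node."""
    key, _chain_code = bip32_master(bip39_seed(mnemonic, passphrase))
    return key


def words_alone_reveal_key(mnemonic: str, passphrase: str) -> bool:
    """True only if someone holding just the paper/plate (no passphrase) would
    recover the same master key as the owner. Any non-empty passphrase makes
    the derivation land on an unrelated key, which is the point of the post."""
    return recover_master_key(mnemonic, "") == recover_master_key(mnemonic, passphrase)


if __name__ == "__main__":
    owner = recover_master_key(SAMPLE_MNEMONIC, "correct horse")
    replacement = recover_master_key(SAMPLE_MNEMONIC, "correct horse")
    print("replacement device recovers the same key:", owner == replacement)
    print("words without passphrase give the same key:",
          words_alone_reveal_key(SAMPLE_MNEMONIC, "correct horse"))
```

The same derivation with an empty passphrase is what a decoy or "throwaway" wallet mentioned further down the thread amounts to: a different passphrase, a different key tree.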

This is absolutely not solving the problem, it's at best kicking it down the road and doesn't solve the key getting compromised or identity changing.
Can you be more specific about how it is absolutely not solving the problem?

To compromise a key you need to find a hidden piece of paper or engraved plate that your target has physically hidden somewhere. Plus guess a secret password (before your target has noticed you got to their seed and rang the alarm). Almost impossible to pull off.

I'm not sure what you mean about identity changing. If you mean a sex change or getting a new haircut, this is irrelevant to signing commits...

Any knowledge held by a person is retrievable with a $5 wrench. Things can get stolen, houses can burn down, bank lockers can be robbed.

Identity Changes, such as name changes, are relevant in the Web of Trust/GPG world where you typically require a valid ID proof (such as a passport) and physical presence before you sign someone's keys at a Key Signing Party.

Fire issue is solved with multiple backups or titanium engraving. Theft is solved with secret passphrase that is either memorized or stored in a separate location. The $5 wrench attack (aka kidnapping and torture) is unsolved but it is extremely rare in comparison to the much more common key leaks/theft scenario. And I don't believe any defense is really possible against that one, cryptographically or otherwise.

> Identity Changes, such as name changes, are relevant in the Web of Trust/GPG world where you typically require a valid ID proof (such as a passport) and physical presence before you sign someone's keys at a Key Signing Party.

It doesn't solve that problem but I don't think "real life" identity is really relevant for the purpose of contributing code. In fact, plenty of open source contributors are pseudonymous.

It's kind of a solved problem too; Julian Assange even worked on a file system called Rubberhose - https://en.m.wikipedia.org/wiki/Deniable_encryption
It's also a feature of crypto wallets like Ledger which allow you to have a decoy PIN that unlocks a throw away wallet.
How is this any different from just using a Yubikey?

I fail to see how cryptocurrencies are in any way unique in this regard.

I don't know, I've never used one. Can keys stored on a Yubikey be restored from a 24 word seed + passphrase? Do Yubikeys self-destroy after 3 incorrect PINs?
No, but that's the whole point. One less avenue for exploitation. You would have to physically destroy the device, and find an exploit in the smartcard on the chip itself to obtain the private keys.
Then it doesn't solve the "key loss happens" problem. You lose/break/damage your device and your keys are gone.
You're supposed to register more than one key, and leave the other on standby.

A common practice is one Yubikey on your keyring, another left at home (optionally left in your Desktop or a computer that doesn't leave the house)