Hacker News new | ask | show | jobs
by fensipens 4032 days ago
blaming Github for doing crypto right

So github is doing crypto right by unnecessarily exposing data that is _only_ relevant to a) the user and b) his personal access to his repos?

By this logic, why not make crypto even better and add something like github.com/user.address, github.com/user.mail or github.com/user.phone?
1 comments
the8472 4032 days ago
your analogy is very flawed.

public keys are essentially opaque tokens that do nothing more than ensuring that a counterpart of a connection is whoever you think is associated with the public key. The key itself does not convey that information. It conveys no information at all beyond its cryptographic properties.

Turning a key into anything else (e.g. through re-use, publishing it elsewhere in association with other data) is not an intrinsic property of the key.

On the other hand personal data such as an address cannot be easily replaced like a key, immediately ties it to a person and does not provide any cryptographic properties at all.

TL;DR: pubkey is not private data, user.address is not crypto

link
uxcn 4032 days ago
The analogy isn't flawed, it's a question of the benefit for the person who's key/info it is, in this case github users. We generally don't have anything to gain from our keys being made public (address, phone number, etc...). It's also a generally accepted faux pas to share someone else's public key for them. Quoted from another comment[1] (quoted from email for the practical paranoid)...

You can send someone else’s public key to an old-style keyserver. Although you might think this would be a favor, it’s actually extremely rude. The public key owner might have reasons for not using a keyserver and might prefer to distribute his public key via some other method—or he might not want to publicize the key at all beyond a small group of people.

Never publicize someone else’s key for them!

Admittedly, it's a risk we should be aware of. But regardless of whether it's rude or not, it doesn't seem to be what people expect. What's worse though is that whether it's malicious or not; user trust is practically impossible to get back after it's gone.

[1] https://news.ycombinator.com/item?id=9648351

link