9 comments

[ 1.9 ms ] story [ 33.9 ms ] thread
Isn't being public the point of public keys?
A problem arises if users start to use github as a defacto trusted source for public keys. Githubs security standards are very high, but they have a large potential attack surface due to all of the functionality they support.
So what? Is somebody going to factorize my public key?

This is only an issue if 1) Users are relying on github as a trusted source of public keys, and 2) malicious users can modify the public keys.

It doesn't even have key names. Boring. (But useful -- I can provision accounts on servers I run with "oh I set up .ssh/authorized_keys with your Github keys"; thanks!)
In other news: HN is revealing the user names of its users! Film at 11!
Can someone help me understand why it is a problem if my public key is, uh, public?
Worst case scenario is that someone lets me access their server. Unless RSA is busted, right?