
I have been contemplating how I should publish my PGP public key online recently. Being able to meet with someone physically is great, but that after all is a rare privilege.

Key-servers are a convenient media, but they lack essential means to authenticate and identify the uploaders. The way I understand key-servers is that if someone already has a small group of people to trust, then key-servers could be reliably useful because one can see if the uploaded keys are signed by the people one trusts.

But as a newbie in practicing security in my daily life, I don't have a web of trust yet. I also don't suppose most people with whom I want to communicate securely in the near future will have one. Thus, I turn to the other popular way that I know: publishing the public key on one's personal website. I like this way because, as I understand it, so long as one can trust the browsers and the certification authorities, one can be relatively sure that the key is genuine. Besides, a personal website is a good identification of the publisher.

Well, I don't have a personal website yet, but I suppose I will need to have one sooner or later, as I plan to enter academia. Unfortunately, I also don't have the resources to host a server, so I plan to rely on some commercial platform for now, like GitHub Pages. Then an idea occurred to me: how about publishing my key in a GitHub repo?

It seems to be a good idea after some contemplation:

  1. The ways one can access a GitHub repo (that I know of) are HTTPS and SSH, both of which are secure. I also can't think of an easy way for an attacker to modify the content of one's repo without permissions.
  2. If one's GitHub account is famous, then it can also be a fairly good identification of oneself.
  3. Git can track the history of the updates to the key.
  4. If I use a good way to authenticate my GitHub account, like enabling 2FA with a TOTP authenticator, then it should be relatively safe from theft.

I haven't heard of anyone doing this before. Also, I just did a repo search on GitHub using "pgp key" and "gpg key". I scrolled a few pages of the search results and could only find three repos that are used to publish keys. It seems that this is very unpopular.

Therefore, I worry that there are critical drawbacks of this approach that I haven't been able to observe. And thus, I ask this question.

1
  • 1
    Keybase used to do this, before they got acquihired by Zoom. Keybase was a service that made it possible to link your accounts on various services and cryptographic keys, making it possible to encrypt messages if you only knew their username. Commented May 22 at 7:42

2 Answers

3

People publish their OpenPGP keys in all kinds of places: their personal homepage, social media, keyservers or sites like keybase.io. If you want to use GitHub, that's fine. However, I'd probably put the fingerprint (which uniquely identifies the key) in the profile together with a GitHub-verified e-mail address that matches a user ID of the key. The profile is a lot easier to find than a key stored in some repository, and visitors can immediately see that you're likely the owner of both the e-mail address and the key. As you've already verified the fingerprint, you can upload the key itself to any keyserver.

You could also just put the key into a git repository, but this will make lookups fairly awkward. To get your key, I'd have to (1) find your GitHub profile, (2) verify it's actually yours, (3) somehow figure out that the key is in one of your repositories, (4) find this repository and (5) download the key. I doubt that many people are willing to go through this trouble, which might explain why the practice isn't very popular.

There are much better options which still provide reasonable security. For example, keyservers like keys.openpgp.org give you two choices: You can either use the keyserver purely for key distribution, i.e., the server doesn't perform any identity checks and just stores your uploaded key. Or you let the keyserver additionally verify and publish your identity (through your e-mail address). In the latter case, anybody who wants to send you an encrypted e-mail can look up the corresponding key on keys.openpgp.org and be fairly sure this is in fact yours. The already mentioned keybase.io is another option.

2
  • +1. A question: could something tricky be done with email address verification? I don't know if one can do something to redirect the mail intended for one address to another, but what about using indistinguishable Unicode characters (since email addresses have supported UTF-8-encoded Unicode since 2012)? Commented May 23 at 19:46
  • 1
    @GuanyumingHe: The e-mail verification is fully automated, so it's not possible for an attacker to trick the keyserver. What might be possible is a homoglyph against a user if they don't properly check the e-mail address before importing a key. But one could argue this is a user error, not an issue with the keyserver. Commented May 23 at 21:02
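A defender-side check for the points raised in this answer and its comments, added here as an example (not code from the answer, from GitHub or from keys.openpgp.org): before importing a key found via a profile page or keyserver, compare the user ID's address byte-for-byte with the address you expected, flag any non-ASCII or normalization-sensitive (look-alike) characters in it, compare the fingerprint printed on the profile with the one gpg reports, and build the keys.openpgp.org by-email lookup URL. The expected address is a constructed value.

```python
import unicodedata
from urllib.parse import quote

# Constructed value: the address you expect, copied from the profile page.
EXPECTED_EMAIL = "alice@example.org"

def parse_uid(uid):
    """Extract the address from an OpenPGP user ID like 'Alice <alice@example.org>'."""
    if "<" in uid and uid.endswith(">"):
        return uid[uid.rindex("<") + 1:-1]
    return uid.strip()

def unexpected_chars(addr):
    """Characters outside printable ASCII; any of them in an address you
    expected to be plain ASCII deserves a second look (homoglyphs)."""
    return [(i, c, unicodedata.name(c, "?")) for i, c in enumerate(addr)
            if not 0x21 <= ord(c) <= 0x7E]

def check_uid(uid, expected=EXPECTED_EMAIL):
    """Return a list of problems; an empty list means the UID's address is
    byte-for-byte the one you expected and contains nothing look-alike."""
    addr = parse_uid(uid)
    issues = []
    if addr != expected:
        issues.append(f"address {addr!r} differs from expected {expected!r}")
    for i, c, name in unexpected_chars(addr):
        issues.append(f"{name} (U+{ord(c):04X}) at position {i}")
    # Compatibility normalization folds e.g. fullwidth letters to ASCII;
    # if it changes the string, the UID relies on look-alike forms.
    if unicodedata.normalize("NFKC", addr) != addr:
        issues.append("address changes under NFKC normalization")
    return issues

def normalize_fpr(fpr):
    """Strip spacing and case; accept only 40 (v4) or 64 (v5) hex digits."""
    fpr = "".join(fpr.split()).upper()
    if len(fpr) not in (40, 64) or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError(f"not an OpenPGP fingerprint: {fpr!r}")
    return fpr

def fingerprint_matches(published, imported):
    """True if the fingerprint on the profile page equals the one gpg reports."""
    return normalize_fpr(published) == normalize_fpr(imported)

def vks_lookup_url(email):
    """keys.openpgp.org lookup by verified e-mail address via its VKS API."""
    return "https://keys.openpgp.org/vks/v1/by-email/" + quote(email, safe="")
```

`check_uid("Alice <\u0430lice@example.org>")` reports both the mismatch and the Cyrillic letter, which is exactly what a user who only eyeballs the address would miss.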
0

One key thing to remember is that Git history can be rewritten, and as such is a questionable thing to rely on. If you already have a local clone of the repo then you can detect that - but if you just browse to a GitHub repo for the first time then you have no way of telling if the commit history it shows is true.

Another thing to consider is what you're using the PGP key for. If you're using it to digitally sign the software that you're releasing, then publishing your public key (for verification purposes) on the same GitHub account that you release the signed software isn't ideal, because if an attacker compromises your GitHub account they can modify both things.

1
  • I am aware of that, as we know there's no magic in Git that keeps it from happening. But here one's trust isn't placed on Git, but on the owner of the repo on GitHub, who is identified by the GitHub account. I was mainly talking about a key used for communication. You could see my previous post to see how I got here. Commented May 22 at 18:20
