Digitally Signing Git Commits and Tags with Krypton
I had heard of products that let a smartphone stand in for a cryptographic token like a YubiKey for FIDO U2F (Universal 2nd Factor), but Krypton goes further: it also handles SSH authentication and OpenPGP digital signatures on git commits and tags. On top of that, the host-side tooling is written in Go and supports multiple platforms.
For concrete usage, see the article linked above. I don't fully understand the mechanism, though. Is the following sequence diagram roughly correct? What I'm unsure about is the relationship between krssh and ssh: does krssh proxy everything?
Assuming that is correct, the key point is that the smartphone is not merely a key store: it is the signing application. The private key never leaves the phone; the laptop side only relays a request to sign and receives the signature back.
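As an added illustration of that split (example code written for this page, not from the original article and not Krypton's implementation), here is a minimal ssh-agent message handler in Python that stores only the public key and delegates every sign request to a callback standing in for the phone. It also parses the payload the ssh client asks to have signed, which per RFC 4252 section 7 carries the session identifier and user name but no destination host, so an approval prompt that wants to show user@host has to get the host from somewhere other than the agent protocol. The key bytes, session id, the `phone_sign` placeholder and all function and class names are constructed for the example.

```python
# Added example (not from the post or from Krypton's code): an ssh-agent
# request handler that holds only a public key and hands sign requests to a
# callback standing in for the phone. Wire format: OpenSSH agent protocol
# (draft-miller-ssh-agent); signed payload layout: RFC 4252 section 7.
# The key bytes, session id and phone_sign() below are constructed stand-ins.
import hashlib
import struct

SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14
SSH_MSG_USERAUTH_REQUEST = 50


def put_string(b):
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf, off):
    """Read an SSH 'string' at offset; returns (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def frame(msg_type, payload=b""):
    """One agent message: uint32 length, byte type, payload."""
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body


def unframe(msg):
    """Inverse of frame(): returns (type, payload)."""
    (n,) = struct.unpack_from(">I", msg, 0)
    return msg[4], msg[5:4 + n]


def build_userauth_blob(session_id, user, algo, pubkey_blob):
    """The data an ssh client asks the agent to sign for publickey auth
    (RFC 4252 s.7). Note what is absent: the destination host name."""
    return (put_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST])
            + put_string(user) + put_string(b"ssh-connection")
            + put_string(b"publickey") + b"\x01"
            + put_string(algo) + put_string(pubkey_blob))


def build_sign_request(pubkey_blob, data, flags=0):
    return frame(SSH_AGENTC_SIGN_REQUEST, put_string(pubkey_blob)
                 + put_string(data) + struct.pack(">I", flags))


def parse_userauth_blob(data):
    """Recover the fields a phone can display before approving. Raises
    ValueError for anything that is not a userauth request, so the user is
    never asked to approve opaque bytes."""
    try:
        session_id, off = get_string(data, 0)
        if data[off] != SSH_MSG_USERAUTH_REQUEST:
            raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
        user, off = get_string(data, off + 1)
        service, off = get_string(data, off)
        method, off = get_string(data, off)
        algo, off = get_string(data, off + 1)  # skip the boolean TRUE
    except (struct.error, IndexError) as e:
        raise ValueError("malformed userauth request") from e
    return {"session_id": session_id, "user": user.decode(),
            "service": service.decode(), "method": method.decode(),
            "algorithm": algo.decode()}


class RemoteSignerAgent:
    """Laptop-side agent: lists the public key, never holds the private one,
    and forwards each sign request as remote_sign(data, context)."""

    def __init__(self, algo, pubkey_blob, comment, remote_sign):
        self.algo, self.pubkey_blob, self.comment = algo, pubkey_blob, comment
        self.remote_sign = remote_sign

    def handle(self, request):
        msg_type, payload = unframe(request)
        if msg_type == SSH_AGENTC_REQUEST_IDENTITIES:
            return frame(SSH_AGENT_IDENTITIES_ANSWER, struct.pack(">I", 1)
                         + put_string(self.pubkey_blob) + put_string(self.comment))
        if msg_type == SSH_AGENTC_SIGN_REQUEST:
            key_blob, off = get_string(payload, 0)
            data, _ = get_string(payload, off)
            if key_blob != self.pubkey_blob:
                return frame(SSH_AGENT_FAILURE)
            try:
                context = parse_userauth_blob(data)
            except ValueError:
                return frame(SSH_AGENT_FAILURE)
            sig_blob = put_string(self.algo) + put_string(self.remote_sign(data, context))
            return frame(SSH_AGENT_SIGN_RESPONSE, put_string(sig_blob))
        return frame(SSH_AGENT_FAILURE)


def parse_sign_response(resp):
    """Returns (algorithm, raw signature), or None on SSH_AGENT_FAILURE."""
    msg_type, payload = unframe(resp)
    if msg_type != SSH_AGENT_SIGN_RESPONSE:
        return None
    sig_blob, _ = get_string(payload, 0)
    algo, off = get_string(sig_blob, 0)
    return algo, get_string(sig_blob, off)[0]


# Constructed sample identity: a fake ssh-ed25519 key and session id.
ALGO = b"ssh-ed25519"
PUBKEY_BLOB = put_string(ALGO) + put_string(bytes(range(32)))
SESSION_ID = hashlib.sha256(b"constructed session").digest()


def phone_sign(data, context):
    """Stand-in for the phone: a real device prompts with `context` and
    returns an Ed25519 signature made with its private key. This returns a
    digest and is NOT a signature."""
    return hashlib.sha512(data).digest()


def demo(user=b"deploy"):
    agent = RemoteSignerAgent(ALGO, PUBKEY_BLOB, b"phone key", phone_sign)
    blob = build_userauth_blob(SESSION_ID, user, ALGO, PUBKEY_BLOB)
    return parse_sign_response(agent.handle(build_sign_request(PUBKEY_BLOB, blob)))
```

`phone_sign` returns a digest rather than a signature, so nothing here would satisfy an SSH server; the point is which bytes cross the boundary. The agent sees the public key blob and the to-be-signed data and nothing else, and it refuses to forward data it cannot parse, because a phone that approves opaque bytes is a signing oracle for whatever process can reach the agent socket.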
OpenPGP signatures on git commits and tags presumably follow the same pattern.
krgpg appears to be a drop-in replacement for gpg (GnuPG) as far as digital signatures are concerned, which is the one hook git offers for this: git invokes whatever program gpg.program names and expects it to speak gpg's command-line interface.
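To make that interface concrete, here is an added example (written for this page; it is not krgpg or any Krypton code) of a stub `gpg.program` in Python that implements exactly the two invocations git's gpg-interface makes, so you can see what a replacement signer has to honour: the argument shapes, the payload on stdin, the armored signature on stdout, and the status lines on the fd named by `--status-fd`. The "signature" it produces is a keyed digest, not an OpenPGP signature, so the script runs offline; the key id `0123456789ABCDEF`, the script name `stub_signer.py` and the function names are constructed for the example.

```python
#!/usr/bin/env python3
# Added example (not krgpg or any Krypton code): a stub `gpg.program` that
# shows the contract git's gpg-interface uses for the default openpgp format:
#   <gpg.program> --status-fd=2 -bsau <user.signingkey>        payload on stdin
#   <gpg.program> --keyid-format=long --status-fd=1 --verify <sigfile> -
# git judges success from the status fd: a line starting "[GNUPG:] SIG_CREATED "
# when signing, "[GNUPG:] GOODSIG " when verifying. The "signature" here is a
# keyed digest so the block runs offline; a real replacement must return an
# OpenPGP detached signature. STUB_KEYID is a constructed key id.
import base64
import hashlib
import os
import sys

STUB_KEYID = "0123456789ABCDEF"
HEAD, TAIL = "-----BEGIN PGP SIGNATURE-----", "-----END PGP SIGNATURE-----"


def placeholder_signature(payload: bytes, keyid: str) -> str:
    """NOT a real signature: keyid, NUL, SHA-256(keyid || payload), armored
    so git can store it in a 'gpgsig' header exactly as it would a real one."""
    digest = hashlib.sha256(keyid.encode() + payload).digest()
    body = base64.b64encode(keyid.encode() + b"\x00" + digest).decode()
    return f"{HEAD}\n\n{body}\n{TAIL}\n"


def check_placeholder(sig_text: str, payload: bytes):
    """Returns the key id if the placeholder matches payload, else None."""
    try:
        lines = sig_text.strip().splitlines()
        if lines[0] != HEAD or lines[-1] != TAIL:
            return None
        keyid, digest = base64.b64decode("".join(lines[2:-1])).split(b"\x00", 1)
        if digest != hashlib.sha256(keyid + payload).digest():
            return None
        return keyid.decode()
    except (ValueError, IndexError):
        return None


def handle(argv, payload: bytes, read_file=None):
    """Model one invocation by git. Returns (stdout_text, status_lines,
    status_fd, exit_code); status_lines belong on the fd git asked for."""
    read_file = read_file or (lambda p: open(p, encoding="ascii").read())
    status_fd, args = 2, []
    for a in argv:
        if a.startswith("--status-fd="):
            status_fd = int(a.split("=", 1)[1])
        else:
            args.append(a)
    if len(args) == 2 and args[0] == "-bsau":
        keyid = args[1]
        # git only checks the "[GNUPG:] SIG_CREATED " prefix at line start;
        # the fields after it mirror gpg's (type, pk algo, hash, class, time, fpr).
        status = [f"[GNUPG:] SIG_CREATED D 22 8 00 0 {keyid}"]
        return placeholder_signature(payload, keyid), status, status_fd, 0
    if "--verify" in args and args[-1] == "-":
        sig_text = read_file(args[args.index("--verify") + 1])
        keyid = check_placeholder(sig_text, payload)
        if keyid is None:
            return "", [f"[GNUPG:] BADSIG {STUB_KEYID} stub signer"], status_fd, 1
        # GOODSIG is what makes git treat the signature as valid; the TRUST_*
        # line is what `git log --show-signature` reports as the trust level.
        status = [f"[GNUPG:] GOODSIG {keyid} stub signer", "[GNUPG:] TRUST_FULLY 0 pgp"]
        return "", status, status_fd, 0
    return "", [], status_fd, 2


def main():
    out, status, fd, rc = handle(sys.argv[1:], sys.stdin.buffer.read())
    sys.stdout.write(out)
    sys.stdout.flush()
    with os.fdopen(os.dup(fd), "w") as status_stream:
        status_stream.write("".join(line + "\n" for line in status))
    sys.exit(rc)


if __name__ == "__main__":
    main()
```

To watch git drive it, make the file executable and run `git -c gpg.program=$PWD/stub_signer.py -c user.signingkey=0123456789ABCDEF commit --allow-empty -S -m test`, then `git log --show-signature -1`. Only this stub will "verify" its own placeholder, which is the point: before trusting any gpg replacement, confirm it answers both invocations on the right fds, because git reports "gpg failed to sign the data" whenever the SIG_CREATED line is missing, and silently stores whatever bytes arrived on stdout as the signature.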
Krypton's advantage is that private key management is entirely self-contained on the smartphone, so users can stay almost completely hands-off about keys. One reason cryptographic products get avoided is the burden of key management, and Krypton removes as much of that burden as it can.
For OpenPGP, however, proper use would normally call for some way to certify keys (signing other people's keys and having yours signed), and those features are omitted. Users also appear to have no control over key expiration or revocation.
I wondered how keys are migrated when switching smartphones, and the answer is that you simply discard them along with the old phone (lol). In other words, when you buy a new phone you start over with fresh keys and re-register them on your SSH servers and elsewhere (SSH server information can be migrated, and it seems to use that to help automate the re-registration).
For people who aren't concerned with strict PKI management and just want things to work, Krypton is convenient and arguably a security improvement (it is certainly better than leaving decrypted private keys cached in an ssh-agent on the laptop). For those who already run a strict setup on a YubiKey or similar, the benefit of switching to Krypton is thin, and it probably isn't the right fit for an environment like Kernel.org.
In the end it comes down to the right tool for the job, and using your tools wisely.