Why I think you shouldn't digitally sign things casually

April 5, 2024

Over on the Fediverse, I said:

My standard attitude on digital signatures for anything, Git commits included, is that you should not sign anything unless you understand what you're committing to when you do so. This usually includes "what people expect from you when you sign things". Signing things creates social and/or legal liability. Do not blindly assume that liability without thought, especially if people want you to.

In re: (a Fediverse post encouraging signing Git commits)

If people are asking you to sign something, they are attributing a different meaning to an unsigned thing from you than to a signed thing from you. Before you go along with this and sign, you want to understand what that difference in meaning is and whether you're prepared to actually deliver that difference in practice. Are people assuming that you have your signing key in a hardware token that you keep careful custody of? Are people assuming you take some sort of active responsibility for commits you digitally sign? What is going to happen (even just socially) if your signing key is compromised?

For a very long time, I've felt that people's likely expectations of the security of my potential digital signatures did not match up with the actual security I was prepared to provide (for example, my old entry on why I don't have a GPG key). Nothing in the modern world of security has changed my views, especially as I've become more aware of my personal limits on how much I care about security. And while it's true that a certain amount of modern security practices make things not what they're labeled, the actual reality doesn't necessarily change people's expectations.

If you understand what people are really asking you for and expecting, and you feel that you can live up to that, then sure, sign away. Or if you feel that actual problems are unlikely enough and the social benefits of signing are high enough. But don't do it blindly.

(And if you have no choice about it because some organization is insisting that you sign things if you want to publish software packages, push changes, or whatever, then you mostly have no choice. Either you can sign or you can drop out. Just remember that sometimes dropping out is the right (or the only) answer.)

PS: There is also a tangle of issues around non-repudiation that I'm not going to try to get into.

Written on 05 April 2024.
« GNU Emacs and the case of special space characters
Solving the hairpin NAT problem with policy based routing and plain NAT »

Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Fri Apr 5 00:11:43 2024
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.