Hiya,
On 23/05/2022 12:39, Carsten Bormann wrote:
> Using SSH keys as a text-based (diagnostic/debugging) encapsulation of keys and key pairs is probably innocuous.

Even that can be dangerous. I did some surveys of key re-use a few years back [1] and found cases for every combination of TLS key/protocol re-use (i.e. where the same key was used for both protocols using TLS). The only keys that weren't used for more than one protocol were SSH host keys. A student of mine partly reproduced that work this year and the same seems true still.

So I'd say enabling use of SSH keys for non-SSH purposes can and would lead to dangers. Probably not the end of the world stuff, but still better to not cross the streams IMO.

Cheers,
S.

[1] https://eprint.iacr.org/2018/299
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
