Wrote up a quick thing about using Keyoxide and thought to share it here since I haven’t posted in awhile. lol

  • SanctimoniousApe@lemmings.world
    link
    fedilink
    arrow-up
    1
    ·
    2 months ago

    I’m not really up on this field, so I’ve never heard of Keyoxide. Did a quick scan of your article, and a couple things popped into my head.

    1. How old is this article? It references Twitter without so much as a wink to the rename.

    2. I was under the impression PGP keys were no longer considered good security because the keys are static - i.e. they never change, which is why authenticator apps that change codes every minute have been all the rage for many years now.

    • tal@lemmy.today
      link
      fedilink
      arrow-up
      1
      ·
      2 months ago

      never change

      Nah, that’s not a problem.

      So, if you send a password at some point, someone could theoretically intercept and get the password, and then impersonate you.

      PGP keys are public-private. The key never leaves your possession. Instead, the other side asks you to cryptographically sign something using your private key, which they can validate using your public key.

      You never expose your private key to any intermediary, and even the other side doesn’t have it.

      TOTPs have a shared secret, and generate a temporary passphrase using both time and the secret. Those also protect (mostly) against interception, since the OTP becomes invalid within probably seconds. Just as with PGP keys, the secret does not change. However, unlike PGP, the other side does also have all the information required to authenticate as you.