pestaa 7 hours ago

Is there a risk with not using different keys for work and personal?

The private bits are all in the same place: if one is compromised, so are the rest.

tonyedgecombe 5 hours ago | parent | next [-]

There is also a risk using the same machine for work and personal. I’d address that first.

heywire 2 hours ago | parent [-]

Right? I can’t believe how many people seemingly use the same machine for both.

dolmen 7 hours ago | parent | prev | next [-]

About signing keys, it would make sense to stop using a signing key (marking it as such and deleting it) once you leave a job.

Your signing key for personal projects probably has a different temporality.

notpushkin 5 hours ago | parent [-]

> About signing keys, it would make sense to stop using a signing key (marking it as such and deleting it) once you leave a job.

What does this achieve exactly?

necovek 2 hours ago | parent [-]

Nobody can steal it and use your key to sign a commit so that it appears to be signed by a regular committer to a work project, which would pass verification if there is any on the repo or CI/CD side (and if that verification doesn't restrict keys by time period). The scenario is certainly a bit far-fetched and contorted, but it is possible.

x3n0ph3n3 7 hours ago | parent | prev | next [-]

Your key cannot be tied to more than one identity, and if you use GitHub Enterprise, your work identity may be restricted from contributing to repos outside of the Enterprise. This is to prevent cloning private code into public spaces. For this reason, you need to have separate keys.
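
Keeping two identities on two keys is mostly a configuration problem: ssh has to offer the right key to the right remote, and git has to sign with the matching one. The script below is an added example, not the thread's or any project's code. It builds a throwaway `HOME` with two host aliases (`github.com-work`, `github.com-personal`) pinned to separate keys via `IdentitiesOnly`, plus a git `includeIf` that switches `user.signingkey` for any repository under `~/src/work/`. The key file names, e-mail addresses and directory layout are assumptions; for hardware-backed keys the `IdentityFile` lines would point at `ssh-keygen -t ed25519-sk` keys instead. It needs `ssh` and `git` and skips itself if either is missing.

```shell
#!/bin/sh
# Added example (not from the thread): one key per identity, selected by
# ssh host alias and by git's directory-scoped includeIf. Runs in a scratch
# HOME so it never touches your real configuration; all names are made up.
set -eu

if ! command -v ssh >/dev/null 2>&1 || ! command -v git >/dev/null 2>&1; then
  echo "ssh or git not found; nothing to demonstrate" >&2
  exit 0
fi

HOME=$(mktemp -d); export HOME
trap 'rm -rf "$HOME"' EXIT
mkdir -p "$HOME/.ssh" "$HOME/src/work/app" "$HOME/src/personal/blog"
chmod 700 "$HOME/.ssh"

# Host aliases pin one key each. IdentitiesOnly stops ssh from also offering
# every key loaded in the agent, which is how a work key ends up
# authenticating a push to a personal repo (or vice versa).
cat > "$HOME/.ssh/config" <<'EOF'
Host github.com-work
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_work
    IdentitiesOnly yes

Host github.com-personal
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_personal
    IdentitiesOnly yes
EOF
chmod 600 "$HOME/.ssh/config"

# Base git config is the personal identity; anything under ~/src/work/
# pulls in the work identity, so the signing key follows the checkout.
cat > "$HOME/.gitconfig" <<'EOF'
[user]
    name = Alice
    email = alice@example.net
    signingkey = ~/.ssh/id_ed25519_personal.pub
[gpg]
    format = ssh
[commit]
    gpgsign = true
[includeIf "gitdir:~/src/work/"]
    path = ~/.gitconfig-work
EOF
cat > "$HOME/.gitconfig-work" <<'EOF'
[user]
    email = alice@example-corp
    signingkey = ~/.ssh/id_ed25519_work.pub
EOF

# includeIf "gitdir:" only matches inside an actual repository
git init -q "$HOME/src/work/app"
git init -q "$HOME/src/personal/blog"

# key_for_host ALIAS: base name of the private key ssh would offer for ALIAS
# (ssh -G resolves the config without connecting; -F is needed because ssh
# reads the user config from the passwd home directory, not $HOME)
key_for_host() {
  ssh -F "$HOME/.ssh/config" -G "$1" \
    | awk '$1 == "identityfile" { n = split($2, p, "/"); print p[n]; exit }'
}

# signing_key_in DIR: the key git would sign commits with inside DIR
signing_key_in() {
  git -C "$1" config --get user.signingkey
}

echo "ssh  github.com-work     -> $(key_for_host github.com-work)"
echo "ssh  github.com-personal -> $(key_for_host github.com-personal)"
echo "git  ~/src/work/app      -> $(signing_key_in "$HOME/src/work/app")"
echo "git  ~/src/personal/blog -> $(signing_key_in "$HOME/src/personal/blog")"
```

With this layout the work remote is cloned as `git@github.com-work:org/repo.git`, so the alias, not the real hostname, decides which key is used; `ssh -G` is the quickest way to confirm that before a push, and `git config --get user.signingkey` inside the checkout confirms the signing side.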

pestaa 7 hours ago | parent [-]

Interesting!

Curious though that the compliance rules are strict enough it warrants distinct keypairs, but not that strict for the devs to use dedicated hardware.

dns_snek 7 hours ago | parent | prev [-]

If both of your keys are on the same computer they would most likely be compromised simultaneously, or not at all.

However if you're worried about this then you should probably be using a hardware token anyway - something that supports SSH authentication via FIDO2, GPG, or smart card interface.