antoniomika 5 days ago

Our host keys are published here and are durable: https://pico.sh/host-keys

Reply View 7 replies
  • raggi 5 days ago

    So approximately nothing?

    Reply View 6 replies
    • junon 5 days ago

      Perhaps giving a bit more information than throwing out random acronyms related to SSH would be a bit more fruitful in terms of responses.

      What about TOFU and MITM would you like them to respond to? TOFU isn't inherently a bad thing. Neither is MITM. It depends on the threat model, the actors involved, etc.

      Your comment (and the snarky followup) imply they're doing something wrong, but it's unclear what.

      Reply View 0 replies
    • kpcyrd 5 days ago

      There is nothing that can be done beyond what they are doing?

      You can receive their public keys out-of-band through an https-authenticated connection. Which means their approach to "the initial trust problem" is _not_ "trust on first use".

      Reply View 4 replies
      • squiggleblaz 5 days ago

        I don't know what other solutions there are to TOFU, but maybe it's nice if there's something like a standardised /.well-known/ssh-keys.json path for public ssh servers like github and pico.sh.

        Reply View 3 replies