
SSH signatures as an alternative to OpenPGP ones #216

Open
Mikaela opened this issue Apr 11, 2022 · 3 comments

Mikaela commented Apr 11, 2022

Is your feature request related to a problem? Please describe.

The RFC currently only mentions OpenPGP keys as an option for signing, while it's also possible to sign artificial data with SSH keys. It has also become integrated with git, and Gitea, GitHub and GitLab are either interested in or working on supporting it. Thus I think SSH signatures are going to rise in popularity and should be considered by security.txt.

Describe the solution you'd like

I would like security.txt to allow signing the file using SSH keys too.

Describe alternatives you've considered

  • Staying with OpenPGP requiring administrators to keep multiple types of keys.
  • Having a # comment in security.txt pointing to SSH signature.

Additional context

I think SSH signatures require detached signatures, tying this issue with #206, and #214 mentions age by name, which again reuses SSH keys.

nightwatchcyber (Contributor) commented

We can take a look at this once the RFC is published, which should happen within the next 1-3 weeks.

Meanwhile, is there a standard or an IETF draft discussing SSH signatures?

Mikaela (Author) commented Apr 12, 2022

Currently the most I can find is their own file

nightwatchcyber (Contributor) commented

Another alternative is to define a new field that references a detached SSH signature, something like:
"SSH-Signed: security.txt.sshsig"
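To make the detached-signature idea concrete, here is an added example (not code from this thread or from the security.txt RFC) that signs a constructed security.txt with OpenSSH's `ssh-keygen -Y`, verifies the signature against an allowed_signers file, and checks that a later edit to the file invalidates it. It assumes OpenSSH 8.1 or newer; the file name security.txt.sshsig is taken from the proposal above and is not a standardised name.

```shell
#!/bin/sh
# Added example, not code from the security.txt RFC or from this thread.
# Signs security.txt with OpenSSH's "ssh-keygen -Y" (OpenSSH 8.1 or newer) and
# verifies the detached signature. The file name security.txt.sshsig is the
# thread's proposal, not a standardised name.
set -eu

# Sign FILE with private key KEY; ssh-keygen writes the armored signature to
# FILE.sig. "-n file" sets the signature namespace: a verifier must name the
# same namespace, so a signature made for another purpose (e.g. git commits,
# namespace "git") does not verify as a signature over security.txt.
sshsig_sign() {
    key="$1"; file="$2"
    ssh-keygen -Y sign -f "$key" -n file "$file" >/dev/null 2>&1 || return 1
    grep -q 'BEGIN SSH SIGNATURE' "$file.sig"
}

# Verify FILE against SIG. ALLOWED is an allowed_signers file binding a
# principal (here an e-mail address) to a public key; IDENTITY must match it.
# Returns 0 only if the signature is valid for that principal and namespace.
sshsig_verify() {
    allowed="$1"; identity="$2"; file="$3"; sig="$4"
    ssh-keygen -Y verify -f "$allowed" -I "$identity" -n file -s "$sig" \
        < "$file" >/dev/null 2>&1
}

# End-to-end demonstration with a throwaway Ed25519 key and a constructed
# security.txt; returns 0 when the good file verifies and the edited one fails.
demo() {
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
    ssh-keygen -q -t ed25519 -N '' -C security@example.com -f "$work/key"
    printf 'Contact: mailto:security@example.com\nExpires: 2030-01-01T00:00:00.000Z\n' \
        > "$work/security.txt"
    sshsig_sign "$work/key" "$work/security.txt"
    mv "$work/security.txt.sig" "$work/security.txt.sshsig"
    # allowed_signers line: "<principal> <keytype> <base64 key> [comment]"
    printf 'security@example.com %s\n' "$(cat "$work/key.pub")" \
        > "$work/allowed_signers"
    sshsig_verify "$work/allowed_signers" security@example.com \
        "$work/security.txt" "$work/security.txt.sshsig" || return 1
    # Any later edit to the file must invalidate the detached signature.
    printf 'Preferred-Languages: en\n' >> "$work/security.txt"
    ! sshsig_verify "$work/allowed_signers" security@example.com \
        "$work/security.txt" "$work/security.txt.sshsig"
}
```

Source the file and call `demo`; in practice the allowed_signers file would hold the organisation's published key, and a "SSH-Signed:" style field would only tell clients where the .sshsig file is, not whom to trust.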
