upvote

points

by ZiiS14 hours ago |
comments
upvoteby abustamam10 hours ago|
next
[-]
I can maybe understand unrestricted keys (OK, I can't, to be honest).

But the fact that permissions are not hardened at time of creation is bonkers to me.

reply
upvoteby ceejayoz13 hours ago|
prev|
[-]
Public keys are a thing in computing, though?

Google Maps has one, even. And Stripe.

reply
upvoteby abustamam10 hours ago|
parent|
next
[-]
It's been a while since I've used stripe but don't their keys start with sk_ for secret and pk_ for public?

I like that. Easy to tell if you should keep the key a secret or not.

reply
upvoteby ceejayoz10 hours ago|
parent|
[-]
They do, yeah.

(Although `pk` always freaks me out. Public or private?! Oh, right, the other one's "secret".)

reply
upvoteby ZiiS9 hours ago|
parent|
next
[-]
Or is `sk` shared key and `pk` private key...
reply
upvoteby johanyc1 hours ago|
parent|
prev|
[-]
Honestly we should just always call them public and secret key to avoid confusion
reply
upvoteby ZiiS9 hours ago|
parent|
prev|
[-]
I would like to restrict the term "Public keys" to refer to asymmetric encryption keys which can be made public without compromising security.

The only purpose of the keys Maps/Stripe encourage you to publicly put into your website is to guarantee it is talking to _your_ Google/Stripe account not someone else's. Obviously once you put them in your client they are of zero value in helping Google/Stripe identify you. The fact that Google allows you to use the same type of key they also use elsewhere to identify _you_ not _them_ was always incredibly bad design. Google already have the 'Project ID' which would have been the best thing to use.

reply