
"Asymmetric Key Encryption" conflates Signing and Encryption

Open stash opened this issue 3 years ago • 1 comments

Signing with asymmetric keys is distinct from encryption, but the article conflates them.

https://webhooks.fyi/security/asymmetric-key-encryption

"Asymmetric key encryption" is what you do to make contents secret, like in GPG where you're sending secret messages to some recipient you know holds a private key. With webhook messages the sender holds the private key, not the recipient (as the article correctly mentions), so it's not encryption; it's only signature generation & validation you're talking about. Using the word encryption to mean signing is confusing and non-standard.

Suggest replacing some terms to use the more industry standard terms, and to make the article more consistent, e.g., but not limited to:

  • Encryption --> Signing
  • Encrypt --> Sign
  • Decryption --> Validation
  • Decrypt --> Validate or Verify (depending on the context)

Thanks for the overall helpful guide!

stash avatar Aug 30 '22 22:08 stash
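The distinction raised in this issue, as an added example that is not part of the original issue or of the webhooks.fyi article: the sender signs with its private key, the receiver verifies with the public key, and the body stays readable because nothing is encrypted. Ed25519, the `x-webhook-signature` header name and the sample payload are assumptions chosen for illustration.

```javascript
const crypto = require('node:crypto');

// The webhook sender generates the key pair and keeps the private key.
// Receivers are only ever given the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Sender side: SIGN the raw body. The body itself is sent as-is, in the clear.
function signWebhook(rawBody, senderPrivateKey) {
  const signature = crypto.sign(null, Buffer.from(rawBody, 'utf8'), senderPrivateKey);
  return {
    body: rawBody,
    // Hypothetical header name, not taken from any provider.
    headers: { 'x-webhook-signature': signature.toString('base64') },
  };
}

// Receiver side: VERIFY the signature over the exact bytes received.
// No private key is involved, and nothing is decrypted.
function verifyWebhook(request, senderPublicKey) {
  const sigHeader = request.headers['x-webhook-signature'];
  if (typeof sigHeader !== 'string' || sigHeader.length === 0) return false;
  try {
    return crypto.verify(
      null,
      Buffer.from(request.body, 'utf8'),
      senderPublicKey,
      Buffer.from(sigHeader, 'base64'),
    );
  } catch {
    return false; // malformed signature material is treated as invalid
  }
}

// Constructed sample run covering the valid, tampered and wrong-key cases.
function demo() {
  const request = signWebhook('{"event":"invoice.paid","id":42}', privateKey);
  const tampered = { ...request, body: request.body.replace('42', '43') };
  const unrelated = crypto.generateKeyPairSync('ed25519');
  return {
    readableWithoutAnyKey: JSON.parse(request.body).event, // signing hides nothing
    valid: verifyWebhook(request, publicKey),
    tamperedBody: verifyWebhook(tampered, publicKey),
    wrongPublicKey: verifyWebhook(request, unrelated.publicKey),
    missingHeader: verifyWebhook({ body: request.body, headers: {} }, publicKey),
  };
}
```

Verification must run over the raw request bytes, before any JSON parsing or re-serialization, or a valid signature will fail to verify.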

Great catch @stash! <3 I'll fix the nomenclature. Thanks for surfacing this.

sudobinbash avatar Aug 31 '22 16:08 sudobinbash

Hi @stash. Thanks for contributing to webhooks.fyi. I just fixed all the conflating between signing and encrypting. Feel free to send me a PR if I didn't do justice to it (or if I missed anything big).

Thanks again for the contribution! <3333

sudobinbash avatar Sep 09 '22 15:09 sudobinbash