How does this mechanism prevent breaking one of the commandments of encryption systems:
Thou shalt not sign arbitrary plaintext
… if, as you say, a service first gives you something to sign with your private key?
What kind of “phishing” would it be if Mallory convinced Alice to create a new account on some new service for the purpose of leaking private key bits?
A new private key is generated for each site, and only that site has the corresponding public key, and the domain name is checked, so malicious.com can't leak the private key for example.com.
As far as I can tell signing arbitrary plaintext is a core mechanism in how public key auth works.
The theory is you have to sign something to prove your identity. This thing you sign has to be provided by the authenticating body and should only ever be used once to prevent replay attacks. That is, you never want a situation where someone can give you a copy of the signed message and log in.
For example (and this is the only one for which I have actually read the standard), during auth SSH signs a number of fields, the critical one being the session ID. The session ID is provided by the server and is only used once, thus satisfying this critical part of public key auth.
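The two replies above describe the same three ingredients: a key pair that exists only for one site, a one-time challenge issued by that site, and a check that the name the browser reports matches the site the key belongs to. The Go program below is an added example that is not code from this thread or from any real WebAuthn/FIDO implementation; it sketches both sides of that exchange so the replay case and the relayed-through-malicious.com case can be run. The message layout in signedMessage, the type and function names, and the use of Ed25519 are all assumptions made for the illustration (WebAuthn's real encoding is different); the origins example.com and malicious.com are the ones the thread uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

var ErrReplay = errors.New("challenge unknown or already consumed")
var ErrBadSig = errors.New("signature does not verify for this origin and challenge")

// Assumed simplified layout (not the WebAuthn encoding): the client assembles the
// signed bytes as a tagged digest of origin and challenge, so the server never
// obtains a signature over plaintext of its own choosing.
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte("assertion-v1\x00"))
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// Authenticator keeps one key pair per origin it has registered with.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }

// Register creates a fresh key pair scoped to origin and returns its public half.
func (a *Authenticator) Register(origin string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return pub, nil
}

// Sign answers a challenge for the origin the browser reports. A challenge relayed
// via malicious.com is signed, if at all, with malicious.com's key over malicious.com's name.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", origin)
	}
	return ed25519.Sign(priv, signedMessage(origin, challenge)), nil
}

// RelyingParty is the server: its own origin and the challenges it has issued but not yet consumed.
type RelyingParty struct {
	Origin  string
	pending map[string]bool
}

func NewRelyingParty(origin string) *RelyingParty { return &RelyingParty{Origin: origin, pending: map[string]bool{}} }

// NewChallenge issues 32 fresh random bytes and remembers them for exactly one use.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[hex.EncodeToString(c)] = true
	return c, nil
}

// Verify consumes the challenge first (one use, whatever the outcome), then checks the
// signature against the message that this server's own origin would have produced.
func (rp *RelyingParty) Verify(pub ed25519.PublicKey, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if !rp.pending[key] {
		return ErrReplay
	}
	delete(rp.pending, key)
	if !ed25519.Verify(pub, signedMessage(rp.Origin, challenge), sig) {
		return ErrBadSig
	}
	return nil
}

func main() {
	auth, rp := NewAuthenticator(), NewRelyingParty("https://example.com")
	alicePub, _ := auth.Register(rp.Origin) // the public key example.com stores at enrollment
	ch, _ := rp.NewChallenge()
	sig, _ := auth.Sign(rp.Origin, ch)
	fmt.Println("fresh login:", rp.Verify(alicePub, ch, sig))
	fmt.Println("replay:     ", rp.Verify(alicePub, ch, sig))
	// Mallory relays example.com's next challenge through malicious.com, where Alice
	// also holds an account; the browser reports the phishing origin, not example.com.
	auth.Register("https://malicious.com")
	ch2, _ := rp.NewChallenge()
	sig2, _ := auth.Sign("https://malicious.com", ch2)
	fmt.Println("phished:    ", rp.Verify(alicePub, ch2, sig2))
}
```

Two design choices worth noting. The server never receives a signature over bytes it chose: the client tags and hashes origin plus challenge before signing, which is what keeps a login challenge from doubling as a signing oracle. And the challenge is deleted from the pending set before the signature is checked, so a failed attempt cannot be retried against the same challenge either.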