mmm you seem to be missing the whole point - it /is/ supposed to be automatically parsed.
Why? It's a one-time thing, isn't it? Couldn't a human make the verification?

so say you're running some site like... maybe coinpal, and you want to allow people to prove to you that they own an ebay account with X feedback. would you prefer to (a) do this automagically with some gpg verification code, or (b) hire a verifymonkey to do it manually?

or, say you're on #bitcoin-otc and someone fairly new is offering a trade, and claims that he has a good ebay or amazon rating. would you rather go to their claimed ebay profile, and manually copy the string and verify gpg key, or run "getebaytrust <nick>" (or getamazontrust <nick>) and have automatic verification done for you?

hope you get the idea.

EDIT: heh, mndrix has stated the issue much more concisely, and with less snark, to boot.
|
|
|
is there any benefit to going uri-style?
Not much, it's just shorter. Doesn't really matter anyway. I think one could just put nothing in front of the base-64, since this data is not supposed to be automatically parsed anyway.

mmm you seem to be missing the whole point - it /is/ supposed to be automatically parsed.
|
|
|
Instead of "gpg_identity=", what about some URI style format such as "GPG:"?

is there any benefit to going uri-style?
|
|
|
Mndrix and I (and a couple other discussants) have developed an exportable GPG identity protocol. http://wiki.bitcoin-otc.com/wiki/GPG_Identity_Protocol

Quick summary: "This page outlines the protocol for exporting your GPG identity to other sites which may or may not support GPG authentication directly. The basic idea is that you can post a GPG-signed message to some area of your user account on the site, connecting your site id with your key via the signature, and then others can verify your signature and be certain that you are the same person on multiple sites."

Please check it out - your feedback (please post in this thread) would be appreciated. In the future, I will be putting in the code on #bitcoin-otc to automagically query people's identities and ratings in various communities based on their OTC GPG auth, mndrix may implement it for coinpal, and hopefully other sites in the bitcoin community can join in so that we can create a broader web of trust.
|
|
|
How would this be preferred versus simply sending an ACH or wire payment to MtGox?
wires are more expensive. ach - if you can do it, probably just as good.
|
|
|
Well, it's not easy, since you must avoid quotes and anything that looks like HTML, but I've managed to put "I am grondilu on eBay" in my contact information section on http://myworld.ebay.com/grondilu. Carriage returns are skipped, too. PS. I've filtered GnuPG's output through xxd -p. I think it's enough.

yep, that works. unfortunate that they mangle input. also, i notice that it is possible to create custom categories in the bio - so maybe that can go under 'pgp key' category
|
|
|
eBay users can post arbitrary text content on their eBay My World pages: http://myworld.ebay.com/$username A PGP key ID or fingerprint could be posted there. I believe those pages are world-readable.

yes, i confirm that the myworld pages are in fact world-readable. mndrix: your comments on my 'standardization' proposal would be appreciated.
|
|
|
actually, posting either just the key or just the id is not enough to verify anything, since i can post /anyone's/ key. what you need to do is post a clearsigned message saying "i, user <username> on ebay, hereby declare my ownership of <keyid>, as of <date>", signed with said key. that'll prove to any onlooker, without having to do any additional steps like sending you encrypted email or whatnot, that you indeed own the key. (date is included just in case ebay drops usernames, and someone else comes in to use it - the new guy's 'registered at' date would then be later than your posted date.)

now... question is where can one post a persistent bit of text (even a pastebin url) on your ebay account... as it happens, there's a great place for that - your 'bio' on your 'my world' page (http://myworld.ebay.com/<your_ebay_username>).

we could even fix up some kind of standard, where a signed message containing your ebay nick, keyid, and a datestamp can be fetched by other places (e.g., the OTC bot), and once verified with your authed GPG key id, spits out your feedback summary. the wonders of GPG! comments appreciated.
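The verification flow proposed in the post above, as an added example that is not part of the original post or of the bitcoin-otc code. It assumes the claim uses exactly the quoted sentence with a 16-hex-digit key id and an ISO date, and that the profile text was hex-encoded with `xxd -p` as described elsewhere in the thread; all function names and the sample data are hypothetical.

```python
import binascii, re, subprocess
from datetime import date

# Assumption: the claim wording is the sentence proposed in the post above.
CLAIM_RE = re.compile(
    r"i, user (?P<user>\S+) on (?P<site>\w+), hereby declare my ownership of "
    r"(?P<keyid>[0-9A-F]{16}), as of (?P<date>\d{4}-\d{2}-\d{2})", re.I)

def unhex_profile_blob(blob):
    """Undo `xxd -p`; whitespace the site added or dropped does not affect hex."""
    return binascii.unhexlify("".join(blob.split())).decode("utf-8")

def gpg_verified_body(clearsigned):
    """Return (signed text, [signing fpr, primary fpr]) or (None, []) if invalid."""
    p = subprocess.run(["gpg", "--status-fd", "2", "--decrypt"],
                       input=clearsigned.encode(), capture_output=True)
    m = re.search(r"^\[GNUPG:\] VALIDSIG (.+)$",
                  p.stderr.decode(errors="replace"), re.M)
    if not m:
        return None, []
    fields = m.group(1).split()
    return p.stdout.decode(), [fields[0], fields[-1]]

def claim_problems(body, site, profile_user, authed_keyid, registered):
    """Compare the signed claim with facts the verifier obtained independently."""
    m = CLAIM_RE.fullmatch(body.strip())  # only text gpg says was signed
    if not m:
        return ["signed text is not an identity claim"]
    problems = []
    if (m["site"].lower(), m["user"].lower()) != (site.lower(), profile_user.lower()):
        problems.append("claim names a different account")
    if m["keyid"].upper() != authed_keyid.upper():
        problems.append("claim names a different key")
    if registered > date.fromisoformat(m["date"]):
        problems.append("account registered after claim date")
    return problems

def verify_identity(blob, site, profile_user, authed_keyid, registered):
    """True only for a valid signature by authed_keyid over a matching claim."""
    body, fprs = gpg_verified_body(unhex_profile_blob(blob))
    return (body is not None
            and any(f.endswith(authed_keyid.upper()) for f in fprs)
            and not claim_problems(body, site, profile_user, authed_keyid, registered))

# Constructed sample data: claim text, and a hex blob re-wrapped with stray
# whitespace the way a profile field might mangle it.
SAMPLE_CLAIM = ("i, user alice_example on ebay, hereby declare my ownership of "
                "0123456789ABCDEF, as of 2011-03-01")
_hex = SAMPLE_CLAIM.encode().hex()
SAMPLE_BLOB = " \n".join(_hex[i:i + 40] for i in range(0, len(_hex), 40))
```

The claim is matched only against the text gpg returns as signed, so a claim pasted outside the signed region of some unrelated message from the same key is rejected.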
|
|
|
I plan to support pgp keys eventually for those who want it. I think that's the most resilient way to share trust. Until then, I think an attacker stealing a CoinPal user's PayPal account is unlikely enough that the transaction history with the PayPal address should be helpful in many cases.
indeed, that is not a very likely scenario. while stolen pp accounts are numerous, the intersection of (stolen pp accounts) & (coinpal users) & (thief aware of coinpal and bitcoin and using the coinpal tx history info to steal btc) seems quite small

The prototype is available. You can share your CoinPal transaction history by filling out the form and sharing the URL of the page you end up on. Anyone with this URL can view your PayPal email address and your entire CoinPal transaction history (now and in the future). There's currently no PGP integration. You can't include an optional message yet either. Here's a sample transaction history for my PayPal test account.

very cool. now if only you add a couple of form fields for pgpkey, and signed verification message, and then a query url by keyid with json output... i could get it working on the OTC channel.
|
|
|
Bitcoin get transferred out of mybitcoin anyway. You can look at the block explorer history and see for yourself.
You guys are silly beyond belief.
you seem to misunderstand how these shared wallets work. maybe that is beyond belief?
|
|
|
SHA-256 Hashes of the paypal e-mail addresses would be able to keep them private. Also, what bitcoin-otc is doing with the portable account via GPG verification is very useful.
I think you jumped over a good one here. You could make an API available based on paypal address. Sha-256 hash their paypal email plus say "somesupersecretextrakeyhere". They pass the hash to you, you look up what you have stored for that user, and return their rating to them. Wouldn't require any keys or anything, just a simple hash. You may even be able to return the info that you use for quantity allowances. If they have traded x times, or over x period of time, it may be useful in different metrics or situations.

but how is that useful for /others/ who want to verify what Bob's rating is? doesn't that mean that bob has to reveal his supersecretkey in order to allow others to query and verify his account?
|
|
|
just a note that the trading history of "john doe" would be pretty useless without any ways to verify that the guy you're talking to is the same guy.

if trade history doesn't include paypal email - /anyone/ can claim any trade history.

if history does include paypal email, then someone who gained access to that paypal account can claim it, and then the real owner will charge back. (and we all know how many stolen paypal accounts there are floating about)

if history includes something like gpg key - it becomes a lot more trustworthy. pgp keys can of course also be compromised, but stolen pgp keys are much less likely than stolen paypal passwords, since these tend not to be targeted by the run of the mill trojans out there. (yet)

so in summary: definitely a good idea to allow people to verify a gpg key to include on that page. another possibility: hash of phone number?

finally: yes working with daniel on the ripple bits. stay tuned.
|
|
|
consider joining #bitcoin-otc too. the order book is pretty deep, and it's always easy to find someone to trade, if the price is right.
|
|
|
have you considered the following: dwolla, bank ach, check by mail?
|
|
|
I think, if you can so easy and fast give up with 3000 USD, then it's really some serious situation with it. Innocent man wouldn't give up with any sum, because he can prove his case.
yea, i think that particular bit is quite telling. e.g., if i were merely the recipient of stolen btc, rather than the actual thief, i'd be like "hey, i paid for these fair and square, i don't owe you anything"
|
|
|
Don't forget to leave .01 BTC for the transaction cost. For example, if your MtGox account has 15 BTC in it, you can only send 14.99, because .01 BTC is required for the transaction.
usually no fees are required. see this page for current fee schedule: https://en.bitcoin.it/wiki/Transaction_fees
|
|
|
i've used ripple to keep track of loan interest. works great.