Bitcoin Forum
Author Topic: What is a PGP signature and why is it important?  (Read 1189 times)
Chris! (OP)
January 02, 2016, 05:19:57 PM
 #1

I've been searching around for a guide or tutorial, which don't get me wrong I've found some that are very in depth. I'm just trying to figure out the basics.

What is a PGP signed message?
Why are they important?

I see people on the forum asking people to show them or create one all the time.

From what I understand it adds some level of security...?

Is it showing that you own an old address that you've used before in the forum or is it showing that your wallet is secured so it's safe for you to escrow funds or something like that?

As a new user of Bitcoins would you recommend I get a PGP signed message?
Duomo
January 02, 2016, 05:33:48 PM
 #2

Okay so basically PGP (Pretty Good Privacy) is a form of encryption used to communicate between two individuals. PGP is owned by Symantec so you will hear the term PGP/GPG used interchangeably, they are basically the same thing.

What is a PGP Signed Message?
- It is a signature basically. It is a form of digital data that accompanies a message. Think of it like your own written signature. Your own handwritten signature is unique and basically identifies you.

Why are they important?
- It validates that the individual who sent you the message is who they say they are.
- It can be used to verify the authenticity of the message and to make sure it was not "tampered" with.

Mac OS
http://notes.jerzygangi.com/the-best-pgp-tutorial-for-mac-os-x-ever/

Windows
https://ssd.eff.org/en/module/how-use-pgp-windows

Let me know if you would like any other tutorial for other operating systems.

Yes, I recommend getting a PGP/GPG signature. They are free, simple, and very easy to use to communicate encrypted messages between two users.
AtheistAKASaneBrain
January 02, 2016, 05:36:54 PM
 #3

As a new user of Bitcoin, you don't really need a PGP signature, unless you really need to prove your unique identity in an anonymous way, for example, for some sort of trade between 2 parties (and always use an escrow for this). Other than that, it's not really needed. You'll know when you need it once you understand what it does.
franky1
January 02, 2016, 05:41:30 PM
 #4

bitcoin has something similar to PGP

in bitcoin you can sign a message using your
1Chris4GEoLLjdh4juFXGwY7snaazuxvKb
address..

that way people will know it's actually you sending a message as they know you hold the private key to that bitcoin address..
so if ever your email or bitcointalk login got hacked and someone pretended to be you.. because they don't have the private key to your bitcoin address, they cannot sign a message from that address. and thus can't prove they are the real you.

I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
Chris! (OP)
January 02, 2016, 05:57:37 PM
 #5

Aha thanks guys I'm starting to understand it more.

I thought you had to go to a certain website or something.

-----BEGIN BITCOIN SIGNED MESSAGE-----
This is Chris! from Bitcointalk.org Today is January 2nd 2016. Happy new year!
-----BEGIN BITCOIN SIGNATURE-----
Version: Bitcoin-qt (1.0)
Address: 12aemfTErZB4eZ7LCaTTBPHWq1eqAAgFCe

H2kt5DnxYdZxG45zJtlB0v8JOBy4Fxn/1vKU3OBlU6wAMa+tQm7VlRFdNW70UhFl3AnJn0xzX4ptHBmBkGYIHbw=
-----END BITCOIN SIGNATURE-----

I guess I couldn't sign my 1Chris4GEoLLjdh4juFXGwY7snaazuxvKb address because I never input the private key into mycelium. I just created it on an Ubuntu live USB.
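
Added example, not part of the original post: the signed block above taken apart in Python to show what a verifier reads from it. It checks the address's Base58Check checksum, decodes the header byte of the 65-byte signature, and builds the digest that was signed; recovering the public key over secp256k1 and comparing its hash to the address is the step wallet software performs after these. Function names are this example's own.

```python
import base64, hashlib

# Copied from the post above: message, signing address, base64 signature.
SIGNED = """-----BEGIN BITCOIN SIGNED MESSAGE-----
This is Chris! from Bitcointalk.org Today is January 2nd 2016. Happy new year!
-----BEGIN BITCOIN SIGNATURE-----
Version: Bitcoin-qt (1.0)
Address: 12aemfTErZB4eZ7LCaTTBPHWq1eqAAgFCe

H2kt5DnxYdZxG45zJtlB0v8JOBy4Fxn/1vKU3OBlU6wAMa+tQm7VlRFdNW70UhFl3AnJn0xzX4ptHBmBkGYIHbw=
-----END BITCOIN SIGNATURE-----"""
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def parse_block(text):
    """Split the armor into (message, address, raw signature bytes)."""
    head, _, tail = text.partition("-----BEGIN BITCOIN SIGNATURE-----")
    message = head.split("-----BEGIN BITCOIN SIGNED MESSAGE-----", 1)[1].strip("\r\n")
    lines = [ln.strip() for ln in tail.splitlines() if ln.strip()]
    address = next(ln.split(":", 1)[1].strip() for ln in lines if ln.startswith("Address:"))
    sig_b64 = next(ln for ln in lines if ":" not in ln and not ln.startswith("-----"))
    return message, address, base64.b64decode(sig_b64, validate=True)

def address_ok(address):
    """Base58Check: the last 4 bytes must equal double SHA-256 of the first 21."""
    n = 0
    for ch in address:
        n = n * 58 + B58.index(ch)          # ValueError on a non-Base58 character
    pad = len(address) - len(address.lstrip("1"))   # each leading '1' is a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and sha256d(raw[:-4])[:4] == raw[-4:]

def sig_info(sig):
    """Decode a compact signature: 1 header byte, then 32-byte r and 32-byte s."""
    if len(sig) != 65 or not 27 <= sig[0] <= 34:
        raise ValueError("not a 65-byte compact signature")
    flag = sig[0] - 27
    return {"compressed": flag >= 4, "recid": flag & 3,
            "r": int.from_bytes(sig[1:33], "big"), "s": int.from_bytes(sig[33:], "big")}

def message_digest(message):
    """The hash that is signed: magic prefix, length byte, message; SHA-256 twice."""
    body = message.encode("utf-8")
    if len(body) >= 253:
        raise ValueError("longer messages need a multi-byte length prefix")
    return sha256d(b"\x18Bitcoin Signed Message:\n" + bytes([len(body)]) + body)

def inspect_block(text):
    message, address, sig = parse_block(text)
    info = sig_info(sig)
    return {"message": message, "address_ok": address_ok(address),
            "compressed_key": info["compressed"], "recid": info["recid"],
            "digest": message_digest(message).hex()}

print(inspect_block(SIGNED))
```

The message travels in clear text and only its digest is signed, so changing a single character of the message yields a different digest that the posted signature no longer matches.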
franky1
January 02, 2016, 06:10:38 PM
 #6

> Aha thanks guys I'm starting to understand it more.
>
> I thought you had to go to a certain website or something.
>
> -----BEGIN BITCOIN SIGNED MESSAGE-----
> This is Chris! from Bitcointalk.org Today is January 2nd 2016. Happy new year!
> -----BEGIN BITCOIN SIGNATURE-----
> Version: Bitcoin-qt (1.0)
> Address: 12aemfTErZB4eZ7LCaTTBPHWq1eqAAgFCe
>
> H2kt5DnxYdZxG45zJtlB0v8JOBy4Fxn/1vKU3OBlU6wAMa+tQm7VlRFdNW70UhFl3AnJn0xzX4ptHBmBkGYIHbw=
> -----END BITCOIN SIGNATURE-----
>
> I guess I couldn't sign my 1Chris4GEoLLjdh4juFXGwY7snaazuxvKb address because I never input the private key into mycelium. I just created it on an Ubuntu live USB.

verified

Trouble821
January 02, 2016, 06:49:25 PM
 #7

Satoshi, the person who invented Bitcoin, is anonymous and hasn't posted on this forum for years. If he ever posts here again the only way he could prove he is the real Satoshi is by signing a message with his PGP key, or signing a message using a private key from one of his known Bitcoin addresses.

He posted his PGP public key here that we can use to verify a message has been signed by his private key.
bitbaby
January 03, 2016, 04:59:00 AM
 #8

> As a new user of Bitcoin, you don't really need a PGP signature, unless you really need to prove your unique identity in an anonymous way, for example, for some sort of trade between 2 parties (and always use an escrow for this). Other than that, it's not really needed. You'll know when you need it once you understand what it does.

In the event a user sells his private pgp key, what will you do then? How will you differentiate between the real person and the impersonator. Digital identity is just not reliable, if you're dealing with a person on-line, either know him in person beforehand or have info of their whereabouts.

Actually it has other needs, if you want to send a message to someone in particular and you don't want others to see that then you encrypt the message with that person's public key and only the person knowing the private key will be able to decrypt the message.

franky1
January 03, 2016, 05:09:28 AM
 #9


> In the event a user sells his private pgp key, what will you do then? How will you differentiate between the real person and the impersonator. Digital identity is just not reliable, if you're dealing with a person on-line, either know him in person beforehand or have info of their whereabouts.

that's why i prefer to use bitcoin addresses.. because the address is funded i would be less willing to sell my private key to anyone. for instance if it's an address i use to receive funds from multiple locations ongoing, i won't want a new person getting them newly acquired funds..

whereas PGP keys have no real collateral backing it, and can be sold dirt cheap. without worry of losing anything in the future

so bitcoin message signing has more benefits than PGP

Blazed
January 03, 2016, 08:00:51 PM
 #10

I only use PGP as a safe way of communication not really as a verification method. Bitcoin keys and PGP keys can be sold off with accounts making them unreliable as a verification.
Duomo
January 03, 2016, 08:03:20 PM
 #11

> I only use PGP as a safe way of communication not really as a verification method. Bitcoin keys and PGP keys can be sold off with accounts making them unreliable as a verification.

This is the one fault with PGP/GPG. It is more focused on encryption on the message rather than verification of the individual sending the message. You need to have a conscience to understand that maybe the individual who you assume to be speaking and communicating with isn't actually the true individual.

PGP/GPG = Encryption > Verification of identity.
saturn643
January 03, 2016, 08:20:39 PM
 #12

Part of PGP is also building a Web of Trust. If you trust someone, you can sign their PGP key thus indicating to everyone (if the signature is posted publicly e.g. on a keyserver) that you trust this person. Generally people only sign PGP keys of people that they have actually met in person and verified their identity. The Web of Trust comes into play when you meet someone you don't know but see that someone you trust also trusts that person. Then you could assume that person is also trustworthy. It kind of works like the trust system here works (not DefaultTrust but rather your own trust list and trusting people that are trusted by people you trust).

You can also use PGP to encrypt things for secure messaging. This is actually what it was intended to do and the encryption that PGP uses now has not been broken yet.
Chris! (OP)
January 03, 2016, 08:36:08 PM
 #13

> I only use PGP as a safe way of communication not really as a verification method. Bitcoin keys and PGP keys can be sold off with accounts making them unreliable as a verification.

How do you use it to communicate with people? Is there some sort of messenger or do you mean you send it with a Bitcoin address? If I sign a message from a bitcoin address it's not encrypted I'm assuming (since people can go verify it on a website such as coinig).
saturn643
January 03, 2016, 08:39:04 PM
 #14

> > I only use PGP as a safe way of communication not really as a verification method. Bitcoin keys and PGP keys can be sold off with accounts making them unreliable as a verification.
>
> How do you use it to communicate with people? Is there some sort of messenger or do you mean you send it with a Bitcoin address? If I sign a message from a bitcoin address it's not encrypted I'm assuming (since people can go verify it on a website such as coinig).

PGP can be used to encrypt messages. So you can encrypt the text of your message using PGP and then send that text through whatever way you like to another person who can decrypt that message again using PGP. You can also sign messages using PGP to verify that you actually sent that message.

A PGP message can be encrypted, decrypted, signed, and verified using a client like GPG.
DimensionZ
January 04, 2016, 06:11:17 AM
 #15

Are there any mobile solutions for encrypting and decrypting PGP messages or do you need to open browsers and paste the strings in them? I was looking into that Telegram app the other day. Has anyone used it?

bitbaby
January 05, 2016, 05:57:32 AM
 #16


> > In the event a user sells his private pgp key, what will you do then? How will you differentiate between the real person and the impersonator. Digital identity is just not reliable, if you're dealing with a person on-line, either know him in person beforehand or have info of their whereabouts.
>
> that's why i prefer to use bitcoin addresses.. because the address is funded i would be less willing to sell my private key to anyone. for instance if it's an address i use to receive funds from multiple locations ongoing, i won't want a new person getting them newly acquired funds..
>
> whereas PGP keys have no real collateral backing it, and can be sold dirt cheap. without worry of losing anything in the future
>
> so bitcoin message signing has more benefits than PGP

Yes but the way things have turned out on this forum this past week I won't be surprised if people sell their "not to be used anymore" private keys as well when they're selling their account, it'll just add more value to it.

> > I only use PGP as a safe way of communication not really as a verification method. Bitcoin keys and PGP keys can be sold off with accounts making them unreliable as a verification.
>
> How do you use it to communicate with people? Is there some sort of messenger or do you mean you send it with a Bitcoin address? If I sign a message from a bitcoin address it's not encrypted I'm assuming (since people can go verify it on a website such as coinig).

When you create a PGP, you get 2 keys, one is public, the other is private. The private one you keep to yourself and don't share with anyone, the public one you let others know by uploading it to pgp servers.

And the way it is used in messages is if you want to send a message to someone which you want no one else to see then you encrypt the message with that person's public key and only they can read it by decrypting the message with their private key and password. It's not a messenger, it's just a good way of encrypting the messages.

owm123
January 05, 2016, 06:04:04 AM
 #17

> bitcoin has something similar to PGP
>
> in bitcoin you can sign a message using your
> 1Chris4GEoLLjdh4juFXGwY7snaazuxvKb
> address..
>
> that way people will know it's actually you sending a message as they know you hold the private key to that bitcoin address..
> so if ever your email or bitcointalk login got hacked and someone pretended to be you.. because they don't have the private key to your bitcoin address, they cannot sign a message from that address. and thus can't prove they are the real you.

Bitcoin address is a public key. Signing is done using your private.

Bitcoin is NOT anonymous: http://www.bitcoinisnotanonymous.com
OROBTC
January 05, 2016, 06:29:33 AM
 #18

...

Good thread guys, thanks for starting this conversation re signing w/ GPG. 

I am a beginner as a couple of you above know.  I am still sending out test messages to encrypt and decrypt them.  "Practice makes perfect."

I don't foresee, in my case, the need for signatures w/ PGP/GPG now.  Later perhaps.

*   *   *

I did have to sign a message proving I owned a BTC address when resolving a mistake I made sending BTC to bitmixer.io (my mistake, I sent it to an older address of theirs).  After some back & forth they refunded my BTC.  This was a year or so ago.  The signature process w/ the BTC address was reasonably simple.

HTH...
nydiacaskey01
January 05, 2016, 06:36:50 AM
 #19


> When you create a PGP, you get 2 keys, one is public, the other is private. The private one you keep to yourself and don't share with anyone, the public one you let others know by uploading it to pgp servers.
>
> And the way it is used in messages is if you want to send a message to someone which you want no one else to see then you encrypt the message with that person's public key and only they can read it by decrypting the message with their private key and password. It's not a messenger, it's just a good way of encrypting the messages.

Isn't it that aside from Public key and Private Key there's also this pass phrase that needs to be secured? Is it possible to sign and verify a PGP message without that pass phrase?
bitbaby
January 05, 2016, 06:47:04 AM
 #20


> > When you create a PGP, you get 2 keys, one is public, the other is private. The private one you keep to yourself and don't share with anyone, the public one you let others know by uploading it to pgp servers.
> >
> > And the way it is used in messages is if you want to send a message to someone which you want no one else to see then you encrypt the message with that person's public key and only they can read it by decrypting the message with their private key and password. It's not a messenger, it's just a good way of encrypting the messages.
>
> Isn't it that aside from Public key and Private Key there's also this pass phrase that needs to be secured? Is it possible to sign and verify a PGP message without that pass phrase?

When you make a new keypair you'll be asked to make a password and you'll be required to enter that password whenever you sign/decrypt anything. It's another safety measure should your private key get in hand of someone else, so make it strong and long and make sure to remember it or write it down somewhere.

You only need a pgp software to verify the message someone signed, don't need private key or password for that.
