phathash (OP)
March 14, 2011, 09:38:47 PM
Can this be done without breaking eBay's TOS? Some of us have 10 year old eBay accounts with hundreds in positive feedback.
Post a GPG public key in an auction body?

grondilu
March 14, 2011, 09:56:24 PM Last edit: March 14, 2011, 10:14:19 PM by grondilu
Not an entire public key, but the GnuPG fingerprint would be fine I guess. You can also qrencode it and show the image in your profile.
PS. This actually gave me the idea and I've just done exactly this for my avatar on this forum.
PS#2: you can also steganographically embed your public key inside the photos of the items you're selling, although I suspect eBay is altering the pictures.
PS#3. Nah I changed my mind and removed the qrcode 'cause it's ugly.

mndrix
Michael Hendricks
March 14, 2011, 10:29:49 PM
eBay users can post arbitrary text content on their eBay My World pages: http://myworld.ebay.com/$username
A PGP key ID or fingerprint could be posted there. I believe those pages are world-readable.

nanotube
March 14, 2011, 10:39:30 PM
actually, posting either just the key or just the id is not enough to verify anything, since i can post /anyone's/ key. what you need to do is post a clearsigned message saying "i, user <username> on ebay, hereby declare my ownership of <keyid>, as of <date>", signed with said key. that'll prove to any onlooker, without having to do any additional steps like sending you encrypted email or whatnot, that you indeed own the key. (date is included just in case ebay drops usernames, and someone else comes in to use it - the new guy's 'registered at' date would then be later than your posted date.)
now... question is where can one post a persistent bit of text (even a pastebin url) on your ebay account... as it happens, there's a great place for that - your 'bio' on your 'my world' page (http://myworld.ebay.com/<your_ebay_username>).
we could even fix up some kind of standard, where a signed message containing your ebay nick, keyid, and a datestamp can be fetched by other places (e.g., the OTC bot), and once verified with your authed GPG key id, spits out your feedback summary.
the wonders of GPG! comments appreciated.

nanotube
March 14, 2011, 10:40:59 PM
eBay users can post arbitrary text content on their eBay My World pages: http://myworld.ebay.com/$username A PGP key ID or fingerprint could be posted there. I believe those pages are world-readable.
yes, i confirm that the myworld pages are in fact world-readable. mndrix: your comments on my 'standardization' proposal would be appreciated.

grondilu
March 14, 2011, 11:11:32 PM Last edit: March 14, 2011, 11:23:42 PM by grondilu
Well, it's not easy, since you must avoid quotes and anything that looks like HTML, but I've managed to put "I am grondilu on eBay" in my contact information section on http://myworld.ebay.com/grondilu. Carriage returns are skipped, too.
PS. I've filtered GnuPG's output through xxd -p. I think it's enough.
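
An added sketch, not code from any poster or from the OTC bot, of the parse-and-bind step an automated verifier would run on the hex (`xxd -p`) text fetched from a profile: decode it, look only at the text the signature covers, and check that the statement names this account, the signing key, and a date no earlier than the account's registration. The regex, ISO date format, function names and sample values are assumptions; the signature check itself is left to gpg, whose reported signer fingerprint is passed in.

```python
import re
from datetime import date

# Statement wording is from the thread; regex, ISO date, 16+ hex key ID are assumptions.
CLAIM = re.compile(
    r"i, user (?P<user>\S+) on ebay, hereby declare my ownership of "
    r"(?P<keyid>[0-9A-Fa-f]{16,40}), as of (?P<date>\d{4}-\d{2}-\d{2})")

def decode_profile_blob(blob):
    """Undo `xxd -p`, tolerating line breaks the site added or stripped."""
    try:
        return bytes.fromhex("".join(blob.split())).decode("utf-8")
    except ValueError as exc:
        raise ValueError(f"not a hex-encoded message: {exc}")

def signed_text(clearsigned):
    """Return only the signed text, dash-escaping undone (RFC 4880, sec. 7)."""
    lines = clearsigned.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        end = lines.index("-----BEGIN PGP SIGNATURE-----", start)
        body = lines[start + 1:end]
        body = body[body.index("") + 1:]  # skip "Hash:" armor headers
    except ValueError:
        raise ValueError("no cleartext signature framing")
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body)

def check_claim(profile_user, blob, signer_fpr, registered_on):
    """signer_fpr: fingerprint gpg reported for a good signature on the decoded
    message (assumed input). registered_on: the profile's registration date."""
    m = CLAIM.search(signed_text(decode_profile_blob(blob)))
    if not m:
        return "no ownership statement in signed text"
    if m["user"] != profile_user:
        return "statement names a different account"
    if not signer_fpr.upper().endswith(m["keyid"].upper()):
        return "statement names a different key than the signer"
    if date.fromisoformat(m["date"]) < registered_on:
        return "statement predates this account's registration"
    return "ok"

# Constructed sample: placeholder user, key ID, fingerprint and signature.
SAMPLE = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
          "i, user example_seller on ebay, hereby declare my ownership of "
          "0123456789ABCDEF, as of 2011-03-14\n"
          "-----BEGIN PGP SIGNATURE-----\n\n(placeholder)\n"
          "-----END PGP SIGNATURE-----\n")
SAMPLE_BLOB = SAMPLE.encode().hex()
SAMPLE_FPR = "00112233445566778899AABB0123456789ABCDEF"
```

A statement pasted outside the signed region is ignored, so copying someone else's sentence next to a valid signature does not pass the account check.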

nanotube
March 15, 2011, 12:05:58 AM
Well, it's not easy, since you must avoid quotes and anything that looks like HTML, but I've managed to put "I am grondilu on eBay" in my contact information section on http://myworld.ebay.com/grondilu. Carriage returns are skipped, too. PS. I've filtered GnuPG's output through xxd -p. I think it's enough.
yep, that works. unfortunate that they mangle input. also, i notice that it is possible to create custom categories in the bio - so maybe that can go under 'pgp key' category

phathash (OP)
March 15, 2011, 08:27:23 AM
actually, posting either just the key or just the id is not enough to verify anything, since i can post /anyone's/ key. what you need to do is post a clearsigned message saying "i, user <username> on ebay, hereby declare my ownership of <keyid>, as of <date>", signed with said key. ... comments appreciated.
True.
clearsigned message -> SHA256 -> eBay my world ?
Of course it doesn't help if the eBay account was hacked.

grondilu
March 15, 2011, 02:35:38 PM
True.
clearsigned message -> SHA256 -> eBay my world ?
Of course it doesn't help if the eBay account was hacked.
Well, if your account has been hacked, then you need to publish a message saying: "I used to be xxxx on eBay, but my account was hacked in 20xx."

grondilu
March 16, 2011, 06:49:28 AM
Instead of "gpg_identity=", what about some URI style format such as "GPG:"?

nanotube
March 16, 2011, 09:30:56 PM
Instead of "gpg_identity=", what about some URI style format such as "GPG:"?
is there any benefit to going uri-style?

grondilu
March 16, 2011, 09:39:42 PM
is there any benefit to going uri-style?
Not much, it's just shorter. Doesn't really matter anyway. I think one could just put nothing in front of the base-64, since this data is not supposed to be automatically parsed anyway.

nanotube
March 16, 2011, 10:01:40 PM
is there any benefit to going uri-style?
Not much, it's just shorter. Doesn't really matter anyway. I think one could just put nothing in front of the base-64, since this data is not supposed to be automatically parsed anyway.
mmm you seem to be missing the whole point - it /is/ supposed to be automatically parsed.

grondilu
March 16, 2011, 10:46:54 PM
mmm you seem to be missing the whole point - it /is/ supposed to be automatically parsed.
Why? It's a one-time thing, isn't it? Couldn't a human make the verification?

mndrix
Michael Hendricks
March 16, 2011, 10:54:47 PM
Why? It's a one-time thing, isn't it? Couldn't a human make the verification?
The idea is to facilitate repeated ownership verifications. So I leave a signature on my ebay account permanently. CoinPal, OTC and others can all verify that I control the account without my intervention.

nanotube
March 16, 2011, 10:55:54 PM
mmm you seem to be missing the whole point - it /is/ supposed to be automatically parsed.
Why? It's a one-time thing, isn't it? Couldn't a human make the verification?
so say you're running some site like... maybe coinpal, and you want to allow people to prove to you that they own an ebay account with X feedback. would you prefer to (a) do this automagically with some gpg verification code, or (b) hire a verifymonkey to do it manually?
or, say you're on #bitcoin-otc and someone fairly new is offering a trade, and claims that he has a good ebay or amazon rating. would you rather go to their claimed ebay profile, and manually copy the string and verify gpg key, or run "getebaytrust <nick>" (or getamazontrust <nick>) and have automatic verification done for you?
hope you get the idea.
EDIT: heh, mndrix has stated the issue much more concisely, and with less snark, to boot.

grondilu
March 16, 2011, 11:02:21 PM
Ok I get it now.