Whats the point of PGP signatures in BitcoinTalk messagess?

[JusticeForYou]

Code:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Why not just type your message and put a nounce in it to ensure it's not a copy paste.

21FEB14 15:00 PGP etc… 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJTB8JYAAoJEB2k6OhXVIbDCaoQAI6+0PhV4o0hSPKysmKKcXDo
beZrpnHbbc1VHZruy6RpIeRheGkl79DyH5tfTv1ImJzsBt2tOWBT3xnBeFg+MNBS
wWSYn+j1yjty8+RHADaIQtlnQZGuvVP+0TBQ9HlgZM5+fal0/tXD8+hA+Dog2QxL
ldFQJMGK/OnB1z8yGp6/BRXTR0JcZ0sbk5N13P7qQoGVETSaPRsSJ4HqG/ePAx+V
XnfrWgq9FhR7caNPani6gO99J4LeKHLg+OImzsQijAW7hcoAyIO4KTNvKGzeyWFM
wPim1VPgp9Cwuf2zB+wmr35bN73/SzDCQlxtQ2B61nMrzbCtWIL+tA5ITihBQ5BX
PfSYGRgiXRiruKTp3bsd7lhAPKcw5HLUF54wKGz8qPLIR73yWuUxRPYnRzuUTEJb
j+CbU+ZRtxtixHPHhzyZORWxP0oqN/tCZF7fmBFhnXPkovQlvQDcClZX9lhVCX2O
vvT6VSm7gaY4WI7XNpWKXinhlLU5PzSZ7TSESi1iXXS0hDZjHRgRv4hEcOW9bxtg
6VnI1DWnY8U+4yjbKm58xphM7eId+ozHm4ovomrv2YU6lb5PA92k0EEqwOqjS3wO
lX1pI93xz024n0uj/wew4c7avJ7NBMSSdE5t6f4BzgCJZQzjNsi8oPLtfHxqR4Y6
RL5ccKTdhEMNOFdeiE0/
=rYYY
-----END PGP SIGNATURE-----

[1715074321]

1715074321

[1715074321]

1715074321

[1715074321]

1715074321

[1715074321]

1715074321

[theymos]

One possible solution would be to implement off-site Javascript code like Blockchain.info that would pull down an encrypted version of someone's private pgp key that they could decrypt with a known password. They could then use it plus their recipient's public key to encrypt their message/PM and send that back to the server which stores it. I don't even know the beginning of how to write code for something like this, but it should be doable in node.js I'd imagine. All the same things could also be done, like emailing a backup of the key as a .json file, also encrypted with their "password". I'd also recommend that, however they do this they make or allow the password to obviously be different from the forum login/password.

JavaScript crypto is mostly useless because the server can change the JavaScript at any time to steal your password unless your browser stops this somehow, which is very unusual.

[whiskers75]

I wish people would actually sign my key
(subliminal message: GPG sign key AF9D0779)

[Raize]

JavaScript crypto is mostly useless because the server can change the JavaScript at any time to steal your password unless your browser stops this somehow, which is very unusual.

Yes, this is correct. I thought BC.i "fixed" this by having a browser extension you could download though. Of course, that only complicates matters because then every time they update then you want to download a new browser extension.

One way you could run a Javascript-checker would be to have "audit servers" and every time you connect it would recommend verifying with at least two "audit servers" that the code you are running is the correct hash/version. From what I understand bitaddress.org and other js intended-to-be-run-offline wallets have this issue as well.

This is why I was kind of interested in what Sirius is working on. If he could make an independent audit server that random folks could run to verify each others sites, we'd have a "community of consensus" that we're all running code each of us has actually written.