Bitcoin Forum
Topic: What's the point of PGP signatures in BitcoinTalk messages?
Xenland
May 22, 2012, 11:58:31 PM
 #1

I don't get it, why would someone put a PGP signature? Wouldn't someone just copy the message and paste it into their "owned" PGP signature with the new message and paste that PGP sig with the new message? No one would even know the diff?
BTC_Bear
May 23, 2012, 12:02:57 AM
 #2

I don't get it, why would someone put a PGP signature? Wouldn't someone just copy the message and paste it into their "owned" PGP signature with the new message and paste that PGP sig with the new message? No one would even know the diff?

Yes, and it has been done.

But, you can verify the signature with the message. So, it depends on the message and what is said in it.

If you are challenging someone to just sign something though, you might want to add a nounce to the request.

i.e. Sign the following...

I am me.  aksdjfkaksehkehje893929


with your gpg key.


Corporations have been enthroned, An era of corruption in high places will follow and the money power will endeavor to prolong its reign by working on the prejudices of the people until wealth is aggregated in a few hands and the Republic is destroyed. ~Abe Lincoln 1ApJdWUdSWYw8n8HEATYhHXA9EYoRTy7c4
BTC_Bear
May 23, 2012, 12:34:19 AM
 #3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It's the only way to prove you are not Shakaru.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

-----END PGP SIGNATURE-----


LOL

Corporations have been enthroned, An era of corruption in high places will follow and the money power will endeavor to prolong its reign by working on the prejudices of the people until wealth is aggregated in a few hands and the Republic is destroyed. ~Abe Lincoln 1ApJdWUdSWYw8n8HEATYhHXA9EYoRTy7c4
DeathAndTaxes
May 23, 2012, 01:02:35 AM
 #4

I don't get it, why would someone put a PGP signature? Wouldn't someone just copy the message and paste it into their "owned" PGP signature with the new message and paste that PGP sig with the new message? No one would even know the diff?

Well to anyone who checked the sig it would be immediately obvious that message has been changed or that it isn't signed by the expected party.

99% of people won't validate the sig (would be nice if some browser auto-validated sigs) but the signature is for the 1% who would.
drakahn
May 23, 2012, 02:33:16 AM
 #5

I wonder if the "new forum software" could include a feature that makes signing/verifying with pgp (or bitcoin addresses) easy

14ga8dJ6NGpiwQkNTXg7KzwozasfaXNfEU
Garr255
May 23, 2012, 02:39:27 AM
 #6

I wonder if the "new forum software" could include a feature that makes signing/verifying with pgp (or bitcoin addresses) easy

They are paying thousands of BTC for it, I'm sure whoever makes it could incorporate that. Post it on the software dev thread!

“First they ignore you, then they laugh at you, then they fight you, then you win.”  -- Mahatma Gandhi

Average time between signing on to bitcointalk: Two weeks. Please don't expect responses any faster than that!
Xenland
May 23, 2012, 01:47:45 PM
 #7

I don't get it, why would someone put a PGP signature? Wouldn't someone just copy the message and paste it into their "owned" PGP signature with the new message and paste that PGP sig with the new message? No one would even know the diff?

Well to anyone who checked the sig it would be immediately obvious that message has been changed or that it isn't signed by the expected party.

99% of people won't validate the sig (would be nice if some browser auto-validated sigs) but the signature is for the 1% who would.

Well I assume that the sig would be changed too if the messages can be. I still don't get how any of the PGP signatures are linked to identity in some way. Is there a database lookup that has identity associations with it I'm not aware of?
DeathAndTaxes
May 23, 2012, 01:53:32 PM
 #8

Well I assume that the sig would be changed too if the messages can be. I still don't get how any of the PGP signatures are linked to identity in some way. Is there a database lookup that has identity associations with it I'm not aware of?

Yes they are called public keys. You can exchange them out of band. I can email you my public key now (no really I can if you want it) and in the future you can verify all my signed messages. If a message validates against my public key it MUST have been signed by someone with access to the private key (which is assumed to be me). Well unless someone busts RSA or SHA-256 that is. :)

There are also key exchange servers where I can upload my key and you can search for it. The "attacker" can certainly change the signature but the signature would either be invalid or it would be signed by his private key not mine.

BTW I don't use GPG on this forum, never felt the need. However your thread did get me thinking I really can't believe Chrome doesn't have a GPG extension which parses the page, detects the signature and validates it against public keys in the key ring. It could replace that wall of text with a "validated icon".

That might be "the" killer app for GPG. I noticed you wrote PGP. PGP is closed source. GPG is a compatible FOSS (free open source software) variant.
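The first step such an extension would need, as an added example that is not part of the original post: find clearsigned blocks in page text and rebuild the exact bytes the signature covers, following the cleartext signature framing of RFC 4880 section 7. The function names and the sample page are constructed for illustration, and the block stops short of the cryptographic check, which an OpenPGP implementation would do against the key ring.

```python
import re

# Cleartext signature framing per RFC 4880 section 7.
BLOCK = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n"
    r"(?P<headers>(?:[^\r\n]+\r?\n)*)"  # armor headers, e.g. "Hash: SHA1"
    r"\r?\n"                            # blank line ends the headers
    r"(?P<text>.*?)\r?\n"               # dash-escaped cleartext
    r"(?P<armor>-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----)",
    re.DOTALL,
)

def signed_bytes(escaped_text):
    """Rebuild the exact bytes the signature covers."""
    lines = []
    for line in re.split(r"\r?\n", escaped_text):
        if line.startswith("- "):
            line = line[2:]                # undo dash-escaping
        lines.append(line.rstrip(" \t"))   # trailing whitespace is not signed
    return "\r\n".join(lines).encode("utf-8")  # canonical CRLF line endings

def find_signed_messages(page_text):
    """Return every clearsigned block found in a page's text."""
    found = []
    for m in BLOCK.finditer(page_text):
        headers = dict(
            h.split(": ", 1) for h in m.group("headers").splitlines() if ": " in h
        )
        found.append({
            "hash": headers.get("Hash"),
            "signed": signed_bytes(m.group("text")),
            "armor": m.group("armor"),
        })
    return found

# Constructed page text; the armor body is a placeholder, not a real signature.
PAGE = (
    "forum chrome above the post\n"
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "I am me.   \n"
    "- -- signed off\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END PGP SIGNATURE-----\n"
    "forum chrome below the post\n"
)

if __name__ == "__main__":
    for block in find_signed_messages(PAGE):
        print(block["hash"], block["signed"])
```

Any change the forum makes to the text between the markers, other than trailing whitespace and line endings, makes the signature fail to verify.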
John (John K.)
May 23, 2012, 01:53:53 PM
 #9

I don't get it, why would someone put a PGP signature? Wouldn't someone just copy the message and paste it into their "owned" PGP signature with the new message and paste that PGP sig with the new message? No one would even know the diff?

Well to anyone who checked the sig it would be immediately obvious that message has been changed or that it isn't signed by the expected party.

99% of people won't validate the sig (would be nice if some browser auto-validated sigs) but the signature is for the 1% who would.

Well I assume that the sig would be changed too if the messages can be. I still don't get how any of the PGP signatures are linked to identity in some way. Is there a database lookup that has identity associations with it I'm not aware of?

Go do a read up on PGP: http://www.rpm.org/max-rpm/ch-pgp-intro.html
If the messages are changed, the signature will become invalid when checked.

My BTC Tip Jar: 1Pgvfy19uwtYe5o9dg3zZsAjgCPt3XZqz9 , GPG ID: B3AAEEB0 ,OTC ID: johnthedong
Escrow service is available on a case by case basis! (PM Me to verify I'm the escrow!)

BTC_Bear
May 23, 2012, 02:00:09 PM
 #10

I don't get it, why would someone put a PGP signature? Wouldn't someone just copy the message and paste it into their "owned" PGP signature with the new message and paste that PGP sig with the new message? No one would even know the diff?

Well to anyone who checked the sig it would be immediately obvious that message has been changed or that it isn't signed by the expected party.

99% of people won't validate the sig (would be nice if some browser auto-validated sigs) but the signature is for the 1% who would.

Well I assume that the sig would be changed too if the messages can be. I still don't get how any of the PGP signatures are linked to identity in some way. Is there a database lookup that has identity associations with it I'm not aware of?

Not sure if serious...

Yes, it is called a public key-server.

You can verify that the message was written by the gpg(pgp) Nick that 'Wrote' it. Maybe not who posted it, but who wrote it. Reeses post was to show that you can't prove you're NOT someone with a post.

If you want the person responding to your inquest to sign it, I would suggest that you ask them to add a nounce (some random data) of your choosing to the reply to ensure that it is not a 'cut and paste' job. Do this simply because entire conversations to questions can be thought of ahead of time.

However, beware that most keys here are not 'signed' by any type of authority to prove IRL identity. So all you are really doing is confirming a gpg <Nick>. Most gpg nicks that want to protect a reputation here can be found in the WoT on the -otc. There are however a few people that have their keys signed by an authority and other members. An 'authority' is usually a respected organization that has some type of proof of IRL identity. Other members 'usually' don't sign someone's keys unless they have met them but this isn't always the case.


Edit: Didn't type fast enough. :)

Corporations have been enthroned, An era of corruption in high places will follow and the money power will endeavor to prolong its reign by working on the prejudices of the people until wealth is aggregated in a few hands and the Republic is destroyed. ~Abe Lincoln 1ApJdWUdSWYw8n8HEATYhHXA9EYoRTy7c4
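The checks discussed in this thread, as an added example that is not code from any poster: a signed reply is accepted only if it verifies against the key you already hold and contains the random value you chose. Textbook RSA over SHA-256 stands in for OpenPGP so the script needs only the standard library; the keys, messages and function names are constructed for the demonstration.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both demo keys

def make_key(p, q):
    """Textbook RSA key from two primes: public modulus n, private exponent d."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(text, n):
    """SHA-256 of the message, reduced to fit the small demo modulus."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % n

def sign(text, key):
    return pow(digest(text, key["n"]), key["d"], key["n"])

def verify(text, sig, public_n):
    return pow(sig, E, public_n) == digest(text, public_n)

def check_reply(text, sig, expected_n, nonce):
    """Decision of the person who issued the challenge."""
    if not verify(text, sig, expected_n):
        return "bad signature"
    if nonce not in text:
        return "valid signature, but no fresh nonce (old message pasted)"
    return "ok"

# Constructed demo keys built from Mersenne primes; far too small for real use.
SIGNER = make_key(2**127 - 1, 2**89 - 1)
IMPOSTOR = make_key(2**107 - 1, 2**61 - 1)
EXPECTED_N = SIGNER["n"]  # the signer's public key, obtained out of band

def demo():
    nonce = secrets.token_hex(8)            # random data chosen by the challenger
    old = "I am me."
    fresh = f"I am me. {nonce}"
    edited = f"I am somebody else. {nonce}"
    resigned = sign(edited, IMPOSTOR)       # new text, new signature, wrong key
    return {
        "fresh reply": check_reply(fresh, sign(fresh, SIGNER), EXPECTED_N, nonce),
        "old post pasted": check_reply(old, sign(old, SIGNER), EXPECTED_N, nonce),
        "text edited": check_reply(edited, sign(fresh, SIGNER), EXPECTED_N, nonce),
        "re-signed": check_reply(edited, resigned, EXPECTED_N, nonce),
        "re-signed vs impostor key": verify(edited, resigned, IMPOSTOR["n"]),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The last case is the point about identity: a re-signed message does verify, but only against a key nobody was expecting.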
theymos
Administrator
May 23, 2012, 02:25:46 PM
 #11

I wonder if the "new forum software" could include a feature that makes signing/verifying with pgp (or bitcoin addresses) easy

How could it be made easier? I've thought about it in the past but I couldn't think of any major improvements that wouldn't also hurt security.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Xenland
May 23, 2012, 02:27:39 PM
 #12

Well I assume that the sig would be changed too if the messages can be. I still don't get how any of the PGP signatures are linked to identity in some way. Is there a database lookup that has identity associations with it I'm not aware of?

Yes they are called public keys. You can exchange them out of band. I can email you my public key now (no really I can if you want it) and in the future you can verify all my signed messages. If a message validates against my public key it MUST have been signed by someone with access to the private key (which is assumed to be me). Well unless someone busts RSA or SHA-256 that is. :)

There are also key exchange servers where I can upload my key and you can search for it. The "attacker" can certainly change the signature but the signature would either be invalid or it would be signed by his private key not mine.

BTW I don't use GPG on this forum, never felt the need. However your thread did get me thinking I really can't believe Chrome doesn't have a GPG extension which parses the page, detects the signature and validates it against public keys in the key ring. It could replace that wall of text with a "validated icon".

That might be "the" killer app for GPG. I noticed you wrote PGP. PGP is closed source. GPG is a compatible FOSS (free open source software) variant.

Ah! See, I was assuming too much -- so basically only those who can check are those who've previously talked to me and saved my public key thing.
theymos
Administrator
May 23, 2012, 02:33:06 PM
 #13

Ah! See, I was assuming too much -- so basically only those who can check are those who've previously talked to me and saved my public key thing.

They don't need to talk to you. They can just download your key from a keyserver the first time and hope it's accurate. Or they can check to see if anyone they do already trust has signed your key.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Xenland
May 23, 2012, 03:08:44 PM
 #14

Today I have an epiphany. This encryption is all coming together how this is all connected.
dooglus
May 23, 2012, 11:46:04 PM
 #15

you might want to add a nounce

ask them to add a nounce

It's "nonce".  As in "n once".  A value that you only use "once".

Not to be confused with http://www.urbandictionary.com/define.php?term=nonce.

BTC_Bear
May 24, 2012, 01:56:48 AM
 #16

you might want to add a nounce

ask them to add a nounce

It's "nonce".  As in "n once".  A value that you only use "once".

Not to be confused with http://www.urbandictionary.com/define.php?term=nonce.


LOL, come on, you have to show it:

1.    nounce
Standard greeting, or description.
ADJ: That shits nounce man.
Verb: Nounce that shit.

"Nounce bitches! What's goin on?"

It seemed apropos in this circumstance. Geesh... spoiled sport. 

Corporations have been enthroned, An era of corruption in high places will follow and the money power will endeavor to prolong its reign by working on the prejudices of the people until wealth is aggregated in a few hands and the Republic is destroyed. ~Abe Lincoln 1ApJdWUdSWYw8n8HEATYhHXA9EYoRTy7c4
justusranvier
May 29, 2012, 06:24:40 AM
 #17

99% of people won't validate the sig (would be nice if some browser auto-validated sigs) but the signature is for the 1% who would.
There is an extension for Firefox that does exactly what you are asking.
realnowhereman
May 29, 2012, 06:38:29 AM
 #18

If the forum supported openpgp then it wouldn't be too hard to have the email verification enhanced with identity verification. If we remember that a signature on a public key fundamentally only says that the claimed owner is verified by the signer then the forum software could sign keys and we would only need to trust the forum public key to get quite an extensive web.

1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
sisenor
February 21, 2014, 08:30:25 AM
 #19

I wonder if the "new forum software" could include a feature that makes signing/verifying with pgp (or bitcoin addresses) easy

How could it be made easier? I've thought about it in the past but I couldn't think of any major improvements that wouldn't also hurt security.

Resurrecting this thread because I noticed nobody responded to the forum admin posting that he's interested in incorporating a pgp feature set into the forum software . . .I'd love it too but don't myself have any suggestions.  Anybody else??
Raize
February 21, 2014, 08:41:21 PM
 #20

Resurrecting this thread because I noticed nobody responded to the forum admin posting that he's interested in incorporating a pgp feature set into the forum software . . .I'd love it too but don't myself have any suggestions.  Anybody else??

One possible solution would be to implement off-site JavaScript code like Blockchain.info that would pull down an encrypted version of someone's private pgp key that they could decrypt with a known password. They could then use it plus their recipient's public key to encrypt their message/PM and send that back to the server which stores it. I don't even know the beginning of how to write code for something like this, but it should be doable in node.js I'd imagine. All the same things could also be done, like emailing a backup of the key as a .json file, also encrypted with their "password". I'd also recommend that, however they do this, they make or allow the password to obviously be different from the forum login/password.

OrganofCorti's Neighbourhood Pool Watch - The most informative website on blockchain health