Xenland (OP)
Legendary
Offline
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
|
|
May 22, 2012, 11:58:31 PM |
|
I don't get it why would some one put a PGP signature? wouldn't someone just copy the message and paste it into their "owned" PGP signature with the new message and paste that PGP sig with the new message? No one wouldn't even know the diff?
|
|
|
|
JusticeForYou
VIP
Sr. Member
Offline
Activity: 490
Merit: 271
|
|
May 23, 2012, 12:02:57 AM |
|
I don't get it why would some one put a PGP signature? wouldn't someone just copy the message and paste it into their "owned" PGP signature with the new message and paste that PGP sig with the new message? No one wouldn't even know the diff?
Yes, and it has been done. But, you can verify the signature with the message. So, it depends on the message and what is said in it. If you are challenging some to just sign something though, you might want to add a nounce to the request. i.e. Sign the following... I am me. aksdjfkaksehkehje893929 with your gpg key.
|
|
|
|
. ..1xBit.com Super Six.. | ▄█████████████▄ ████████████▀▀▀ █████████████▄ █████████▌▀████ ██████████ ▀██ ██████████▌ ▀ ████████████▄▄ ███████████████ ███████████████ ███████████████ ███████████████ ███████████████ ▀██████████████ | ███████████████ █████████████▀ █████▀▀ ███▀ ▄███ ▄ ██▄▄████▌ ▄█ ████████ ████████▌ █████████ ▐█ ██████████ ▐█ ███████▀▀ ▄██ ███▀ ▄▄▄█████ ███ ▄██████████ ███████████████ | ███████████████ ███████████████ ███████████████ ███████████████ ███████████████ ███████████▀▀▀█ ██████████ ███████████▄▄▄█ ███████████████ ███████████████ ███████████████ ███████████████ ███████████████ | ▄█████ ▄██████ ▄███████ ▄████████ ▄█████████ ▄██████████ ▄███████████ ▄████████████ ▄█████████████ ▄██████████████ ▀▀███████████ ▀▀███████ ▀▀██▀ | ▄▄██▌ ▄▄███████ █████████▀ ▄██▄▄▀▀██▀▀ ▄██████ ▄▄▄ ███████ ▄█▄ ▄ ▀██████ █ ▀█ ▀▀▀ ▄ ▀▄▄█▀ ▄▄█████▄ ▀▀▀ ▀████████ ▀█████▀ ████ ▀▀▀ █████ █████ | ▄ █▄▄ █ ▄ ▀▄██▀▀▀▀▀▀▀▀ ▀ ▄▄█████▄█▄▄ ▄ ▄███▀ ▀▀ ▀▀▄ ▄██▄███▄ ▀▀▀▀▄ ▄▄ ▄████████▄▄▄▄▄█▄▄▄██ ████████████▀▀ █ ▐█ ██████████████▄ ▄▄▀██▄██ ▐██████████████ ▄███ ████▀████████████▄███▀ ▀█▀ ▐█████████████▀ ▐████████████▀ ▀█████▀▀▀ █▀ | . Premier League LaLiga Serie A | . Bundesliga Ligue 1 Primeira Liga | | . ..TAKE PART.. |
|
|
|
JusticeForYou
VIP
Sr. Member
Offline
Activity: 490
Merit: 271
|
|
May 23, 2012, 12:34:19 AM |
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 It's the only way to prove you are not Shakaru. -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.orgiQIcBAEBAgAGBQJPvC9xAAoJEEA+/hj9AfY+26kP+wQHSDZ3sr+JbkGQRAcSwsVN ZCQBvt/Z7ugTIfdejjftsqmQ1IZGQURygNf05/I4KrMJ8ZyaMkQ7bjRLv6ntCxT8 f0UyJjk23NgwTNdIx2Xzn2w3+eb7XFD/fdF+YnnlDvsnNK1PUZsd2BJwl4FwFxr8 gd84G2raO1b3zE1ElPuAXlCaEGuzAMFAnXz079Ltf0PiBQgHmSWUs1hXj1VZGe/v v4470Z5lj43ALKmoF41mwy/EK0OuQHB9Zsaaq2MCr3t4DKuIBdadasOZXYHZQmtw Vv9FRU6X5l5BnYHxx64KEM7F4gRNqven0GI3oET/lHQjlk/y6GRvpVbv303F6qeg biW/BTacs9w7bmd7va/j/RIEr48UxClu4aQrHWVzERHxgwS524rIszEElIcKRI6t 1gFkFB43HXSsQtwJbE6i01p1cf+yT800dEQAPjnQ2kHjsUPOQPtq2gLndmqpyaK1 2qyFdnK2nWeKQ42EMYbdcrNLTNyAHvsEGY+lQexS3y2bcctfxF/7PGHddJAcrJNV BPWdeWpPIjzwQYdGmKR8W3SwPWtD+LSKoRaMExAk0rgoacEGL93twTIQhaj95CHr uYO7n4L9+x4YZFNTo3eY/V3JkFGEGWwddrU7tPV0mMtJZ9tt7iaQ7iifTMJoy37m ICE4mJnCQwQGkIJQKFrA =eDCW -----END PGP SIGNATURE----- LOL
|
|
|
|
. ..1xBit.com Super Six.. | ▄█████████████▄ ████████████▀▀▀ █████████████▄ █████████▌▀████ ██████████ ▀██ ██████████▌ ▀ ████████████▄▄ ███████████████ ███████████████ ███████████████ ███████████████ ███████████████ ▀██████████████ | ███████████████ █████████████▀ █████▀▀ ███▀ ▄███ ▄ ██▄▄████▌ ▄█ ████████ ████████▌ █████████ ▐█ ██████████ ▐█ ███████▀▀ ▄██ ███▀ ▄▄▄█████ ███ ▄██████████ ███████████████ | ███████████████ ███████████████ ███████████████ ███████████████ ███████████████ ███████████▀▀▀█ ██████████ ███████████▄▄▄█ ███████████████ ███████████████ ███████████████ ███████████████ ███████████████ | ▄█████ ▄██████ ▄███████ ▄████████ ▄█████████ ▄██████████ ▄███████████ ▄████████████ ▄█████████████ ▄██████████████ ▀▀███████████ ▀▀███████ ▀▀██▀ | ▄▄██▌ ▄▄███████ █████████▀ ▄██▄▄▀▀██▀▀ ▄██████ ▄▄▄ ███████ ▄█▄ ▄ ▀██████ █ ▀█ ▀▀▀ ▄ ▀▄▄█▀ ▄▄█████▄ ▀▀▀ ▀████████ ▀█████▀ ████ ▀▀▀ █████ █████ | ▄ █▄▄ █ ▄ ▀▄██▀▀▀▀▀▀▀▀ ▀ ▄▄█████▄█▄▄ ▄ ▄███▀ ▀▀ ▀▀▄ ▄██▄███▄ ▀▀▀▀▄ ▄▄ ▄████████▄▄▄▄▄█▄▄▄██ ████████████▀▀ █ ▐█ ██████████████▄ ▄▄▀██▄██ ▐██████████████ ▄███ ████▀████████████▄███▀ ▀█▀ ▐█████████████▀ ▐████████████▀ ▀█████▀▀▀ █▀ | . Premier League LaLiga Serie A | . Bundesliga Ligue 1 Primeira Liga | | . ..TAKE PART.. |
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
May 23, 2012, 01:02:35 AM |
|
I don't get it why would some one put a PGP signature? wouldn't someone just copy the message and paste it into their "owned" PGP signature with the new message and paste that PGP sig with the new message? No one wouldn't even know the diff?
Well to anyone who checked the sig it would be immediately obvious that message has been changed or that it isn't signed by the expected party. 99% of people won't validate the sig (would be nice if some browser auto-validated sigs) but the signature is for the 1% who would.
|
|
|
|
drakahn
|
|
May 23, 2012, 02:33:16 AM |
|
I wonder if the "new forum software" could include a feature that makes signing/veryfying with pgp(or bitcoin addresses) easy
|
14ga8dJ6NGpiwQkNTXg7KzwozasfaXNfEU
|
|
|
Garr255
Legendary
Offline
Activity: 938
Merit: 1000
What's a GPU?
|
|
May 23, 2012, 02:39:27 AM |
|
I wonder if the "new forum software" could include a feature that makes signing/veryfying with pgp(or bitcoin addresses) easy
They are paying thousands of BTC for it, I'm sure whoever makes it could incorporate that. Post in on the software dev thread!
|
“First they ignore you, then they laugh at you, then they fight you, then you win.” -- Mahatma Gandhi
Average time between signing on to bitcointalk: Two weeks. Please don't expect responses any faster than that!
|
|
|
Xenland (OP)
Legendary
Offline
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
|
|
May 23, 2012, 01:47:45 PM |
|
I don't get it why would some one put a PGP signature? wouldn't someone just copy the message and paste it into their "owned" PGP signature with the new message and paste that PGP sig with the new message? No one wouldn't even know the diff?
Well to anyone who checked the sig it would be immediately obvious that message has been changed or that it isn't signed by the expected party. 99% of people won't validate the sig (would be nice if some browser auto-validated sigs) but the signature is for the 1% who would. Well i assume that the sig would be changed too if the messages can be, I still don't get how any of the PGP signatures linked to identity in some way is there database look up that has identity associations with it I'm not aware of?
|
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
May 23, 2012, 01:53:32 PM Last edit: May 23, 2012, 02:14:27 PM by DeathAndTaxes |
|
Well i assume that the sig would be changed too if the messages can be, I still don't get how any of the PGP signatures linked to identity in some way is there database look up that has identity associations with it I'm not aware of?
Yes they are called public keys. You can exchange them out of band. I can email you my public key now (no really I can if you want it) and in the future you can verify all my signed messages. If a message validates against my public key it MUST have been signed by someone with access to the private key (which is assumed to be me). Well unless someone busts RSA or SHA-256 that is. There are also key exchange servers where I can upload my key and you can search for it. The "attacker" can certainly change the signature but the signature would either be invalid or it would be signed by his private key not mine. BTW I don't use GPG on this forum, never felt the need. However your thread did get me thinking I really can't believe chrome doesn't have a GPG exension which parse the page, detects the signature and validates it against public keys in the key ring. It could replace that wall of text with a "validated icon". That might be "the" killer app for GPG. I noticed you wrote PGP. PGP is closed source. GPG is a compatible FOSS (free open source software) variant.
|
|
|
|
John (John K.)
Global Troll-buster and
Legendary
Offline
Activity: 1288
Merit: 1227
Away on an extended break
|
|
May 23, 2012, 01:53:53 PM |
|
I don't get it why would some one put a PGP signature? wouldn't someone just copy the message and paste it into their "owned" PGP signature with the new message and paste that PGP sig with the new message? No one wouldn't even know the diff?
Well to anyone who checked the sig it would be immediately obvious that message has been changed or that it isn't signed by the expected party. 99% of people won't validate the sig (would be nice if some browser auto-validated sigs) but the signature is for the 1% who would. Well i assume that the sig would be changed too if the messages can be, I still don't get how any of the PGP signatures linked to identity in some way is there database look up that has identity associations with it I'm not aware of? Go do a read up on PGP: http://www.rpm.org/max-rpm/ch-pgp-intro.htmlIf the messages are changed, the signature will become invalid when checked.
|
|
|
|
JusticeForYou
VIP
Sr. Member
Offline
Activity: 490
Merit: 271
|
|
May 23, 2012, 02:00:09 PM |
|
I don't get it why would some one put a PGP signature? wouldn't someone just copy the message and paste it into their "owned" PGP signature with the new message and paste that PGP sig with the new message? No one wouldn't even know the diff?
Well to anyone who checked the sig it would be immediately obvious that message has been changed or that it isn't signed by the expected party. 99% of people won't validate the sig (would be nice if some browser auto-validated sigs) but the signature is for the 1% who would. Well i assume that the sig would be changed too if the messages can be, I still don't get how any of the PGP signatures linked to identity in some way is there database look up that has identity associations with it I'm not aware of? Not sure if serious... Yes, it is called a public key-server. You can verify that the message was written by the gpg(pgp) Nick that 'Wrote' it. Maybe not who posted it, but who wrote it. Reeses post was to show that you can't prove you're NOT someone with a post. If you want the person responding to your inquest to sign it, I would suggest that you ask them to add a nounce (some random data) of your choosing to the reply to insure that it is not a 'cut and paste' job. Do this simply because entire conversations to questions can be thought of ahead of time. However, beware that most keys here are not 'signed' by anytype of authority to prove IRL identity. So all you are really doing is confirming a gpg <Nick>. Most gpg nicks that want to protect a reputation here can be found in the WoT on the -otc. There are however a few people that have their keys signed by an authority and other members. An 'authority' is usually an respected organization that has some type of proof of IRL identity. Other members 'usually' don't sign someones keys unless they have met them but this isn't always the case. Edit: Didn't type fast enough.
|
|
|
|
. ..1xBit.com Super Six.. | ▄█████████████▄ ████████████▀▀▀ █████████████▄ █████████▌▀████ ██████████ ▀██ ██████████▌ ▀ ████████████▄▄ ███████████████ ███████████████ ███████████████ ███████████████ ███████████████ ▀██████████████ | ███████████████ █████████████▀ █████▀▀ ███▀ ▄███ ▄ ██▄▄████▌ ▄█ ████████ ████████▌ █████████ ▐█ ██████████ ▐█ ███████▀▀ ▄██ ███▀ ▄▄▄█████ ███ ▄██████████ ███████████████ | ███████████████ ███████████████ ███████████████ ███████████████ ███████████████ ███████████▀▀▀█ ██████████ ███████████▄▄▄█ ███████████████ ███████████████ ███████████████ ███████████████ ███████████████ | ▄█████ ▄██████ ▄███████ ▄████████ ▄█████████ ▄██████████ ▄███████████ ▄████████████ ▄█████████████ ▄██████████████ ▀▀███████████ ▀▀███████ ▀▀██▀ | ▄▄██▌ ▄▄███████ █████████▀ ▄██▄▄▀▀██▀▀ ▄██████ ▄▄▄ ███████ ▄█▄ ▄ ▀██████ █ ▀█ ▀▀▀ ▄ ▀▄▄█▀ ▄▄█████▄ ▀▀▀ ▀████████ ▀█████▀ ████ ▀▀▀ █████ █████ | ▄ █▄▄ █ ▄ ▀▄██▀▀▀▀▀▀▀▀ ▀ ▄▄█████▄█▄▄ ▄ ▄███▀ ▀▀ ▀▀▄ ▄██▄███▄ ▀▀▀▀▄ ▄▄ ▄████████▄▄▄▄▄█▄▄▄██ ████████████▀▀ █ ▐█ ██████████████▄ ▄▄▀██▄██ ▐██████████████ ▄███ ████▀████████████▄███▀ ▀█▀ ▐█████████████▀ ▐████████████▀ ▀█████▀▀▀ █▀ | . Premier League LaLiga Serie A | . Bundesliga Ligue 1 Primeira Liga | | . ..TAKE PART.. |
|
|
|
theymos
Administrator
Legendary
Offline
Activity: 5376
Merit: 13420
|
|
May 23, 2012, 02:25:46 PM |
|
I wonder if the "new forum software" could include a feature that makes signing/veryfying with pgp(or bitcoin addresses) easy
How could it be made easier? I've thought about it in the past but I couldn't think of any major improvements that wouldn't also hurt security.
|
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
Xenland (OP)
Legendary
Offline
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
|
|
May 23, 2012, 02:27:39 PM |
|
Well i assume that the sig would be changed too if the messages can be, I still don't get how any of the PGP signatures linked to identity in some way is there database look up that has identity associations with it I'm not aware of?
Yes they are called public keys. You can exchange them out of band. I can email you my public key now (no really I can if you want it) and in the future you can verify all my signed messages. If a message validates against my public key it MUST have been signed by someone with access to the private key (which is assumed to be me). Well unless someone busts RSA or SHA-256 that is. There are also key exchange servers where I can upload my key and you can search for it. The "attacker" can certainly change the signature but the signature would either be invalid or it would be signed by his private key not mine. BTW I don't use GPG on this forum, never felt the need. However your thread did get me thinking I really can't believe chrome doesn't have a GPG exension which parse the page, detects the signature and validates it against public keys in the key ring. It could replace that wall of text with a "validated icon". That might be "the" killer app for GPG. I noticed you wrote PGP. PGP is closed source. GPG is a compatible FOSS (free open source software) variant. Ah! see i was assuming too much -- So basically only those who can check is those who've previously talked to me and saved my public key thing.
|
|
|
|
theymos
Administrator
Legendary
Offline
Activity: 5376
Merit: 13420
|
|
May 23, 2012, 02:33:06 PM |
|
Ah! see i was assuming too much -- So basically only those who can check is those who've previously talked to me and saved my public key thing.
They don't need to talk to you. They can just download your key from a keyserver the first time and hope it's accurate. Or they can check to see if anyone they do already trust has signed your key.
|
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
Xenland (OP)
Legendary
Offline
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
|
|
May 23, 2012, 03:08:44 PM |
|
Today I have an epiphany. This encryption is all coming together how this is all connected.
|
|
|
|
dooglus
Legendary
Online
Activity: 2940
Merit: 1333
|
|
May 23, 2012, 11:46:04 PM |
|
you might want to add a nounce
ask them to add a nounce
It's "nonce". As in "n once". A value that you only use "once". Not to be confused with http://www.urbandictionary.com/define.php?term=nonce.
|
Just-Dice | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | Play or Invest | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | 1% House Edge |
|
|
|
JusticeForYou
VIP
Sr. Member
Offline
Activity: 490
Merit: 271
|
|
May 24, 2012, 01:56:48 AM |
|
LOL, common you have to show it: 1. nounce Standard greeting, or description. ADJ: That shits nounce man. Verb: Nounce that shit. "Nounce bitches! What's goin on?" It seemed apropos in this circumstance. Geesh... spoiled sport.
|
|
|
|
. ..1xBit.com Super Six.. | ▄█████████████▄ ████████████▀▀▀ █████████████▄ █████████▌▀████ ██████████ ▀██ ██████████▌ ▀ ████████████▄▄ ███████████████ ███████████████ ███████████████ ███████████████ ███████████████ ▀██████████████ | ███████████████ █████████████▀ █████▀▀ ███▀ ▄███ ▄ ██▄▄████▌ ▄█ ████████ ████████▌ █████████ ▐█ ██████████ ▐█ ███████▀▀ ▄██ ███▀ ▄▄▄█████ ███ ▄██████████ ███████████████ | ███████████████ ███████████████ ███████████████ ███████████████ ███████████████ ███████████▀▀▀█ ██████████ ███████████▄▄▄█ ███████████████ ███████████████ ███████████████ ███████████████ ███████████████ | ▄█████ ▄██████ ▄███████ ▄████████ ▄█████████ ▄██████████ ▄███████████ ▄████████████ ▄█████████████ ▄██████████████ ▀▀███████████ ▀▀███████ ▀▀██▀ | ▄▄██▌ ▄▄███████ █████████▀ ▄██▄▄▀▀██▀▀ ▄██████ ▄▄▄ ███████ ▄█▄ ▄ ▀██████ █ ▀█ ▀▀▀ ▄ ▀▄▄█▀ ▄▄█████▄ ▀▀▀ ▀████████ ▀█████▀ ████ ▀▀▀ █████ █████ | ▄ █▄▄ █ ▄ ▀▄██▀▀▀▀▀▀▀▀ ▀ ▄▄█████▄█▄▄ ▄ ▄███▀ ▀▀ ▀▀▄ ▄██▄███▄ ▀▀▀▀▄ ▄▄ ▄████████▄▄▄▄▄█▄▄▄██ ████████████▀▀ █ ▐█ ██████████████▄ ▄▄▀██▄██ ▐██████████████ ▄███ ████▀████████████▄███▀ ▀█▀ ▐█████████████▀ ▐████████████▀ ▀█████▀▀▀ █▀ | . Premier League LaLiga Serie A | . Bundesliga Ligue 1 Primeira Liga | | . ..TAKE PART.. |
|
|
|
justusranvier
Legendary
Offline
Activity: 1400
Merit: 1013
|
|
May 29, 2012, 06:24:40 AM |
|
99% of people won't validate the sig (would be nice if some browser auto-validated sigs) but the signature is for the 1% who would.
There is an extension for Firefox that does exactly what you are asking.
|
|
|
|
realnowhereman
|
|
May 29, 2012, 06:38:29 AM |
|
If the forum supported openpgp then it wouldn't be too hard to have the email verification enhanced with identity verification. If we remember that a signature on a public key fundamentally only says that the claimed owner is verified by the signer then the forum software could sign keys and we would only need to trust the forum public key to get quite an extensive web.
|
1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
|
|
|
sisenor
Newbie
Offline
Activity: 17
Merit: 0
|
|
February 21, 2014, 08:30:25 AM |
|
I wonder if the "new forum software" could include a feature that makes signing/veryfying with pgp(or bitcoin addresses) easy
How could it be made easier? I've thought about it in the past but I couldn't think of any major improvements that wouldn't also hurt security. Resurrecting this thread because I noticed nobody responded to the forum admin posting that he's interested in incorporating a pgp feature set into the forum software . . .I'd love it too but don't myself have any suggestions. Anybody else??
|
|
|
|
Raize
Donator
Legendary
Offline
Activity: 1419
Merit: 1015
|
|
February 21, 2014, 08:41:21 PM |
|
Resurrecting this thread because I noticed nobody responded to the forum admin posting that he's interested in incorporating a pgp feature set into the forum software . . .I'd love it too but don't myself have any suggestions. Anybody else??
One possible solution would be to implement off-site Javascript code like Blockchain.info that would pull down an encrypted version of someone's private pgp key that they could decrypt with a known password. They could then use it plus their recipient's public key to encrypt their message/PM and send that back to the server which stores it. I don't even know the beginning of how to write code for something like this, but it should be doable in node.js I'd imagine. All the same things could also be done, like emailing a backup of the key as a .json file, also encrypted with their "password". I'd also recommend that, however they do this they make or allow the password to obviously be different from the forum login/password.
|
|
|
|
|