Whats the point of PGP signatures in BitcoinTalk messagess?

[Xenland]

I don't get it why would some one put a PGP signature? wouldn't someone just copy the message and paste it into their "owned" PGP signature with the new message and paste that PGP sig with the new message? No one wouldn't even know the diff?

[JusticeForYou]

I don't get it why would some one put a PGP signature? wouldn't someone just copy the message and paste it into their "owned" PGP signature with the new message and paste that PGP sig with the new message? No one wouldn't even know the diff?

Yes, and it has been done.

But, you can verify the signature with the message. So, it depends on the message and what is said in it.

If you are challenging some to just sign something though, you might want to add a nounce to the request.

i.e. Sign the following...

I am me.  aksdjfkaksehkehje893929


with your gpg key.

[JusticeForYou]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It's the only way to prove you are not Shakaru.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJPvC9xAAoJEEA+/hj9AfY+26kP+wQHSDZ3sr+JbkGQRAcSwsVN
ZCQBvt/Z7ugTIfdejjftsqmQ1IZGQURygNf05/I4KrMJ8ZyaMkQ7bjRLv6ntCxT8
f0UyJjk23NgwTNdIx2Xzn2w3+eb7XFD/fdF+YnnlDvsnNK1PUZsd2BJwl4FwFxr8
gd84G2raO1b3zE1ElPuAXlCaEGuzAMFAnXz079Ltf0PiBQgHmSWUs1hXj1VZGe/v
v4470Z5lj43ALKmoF41mwy/EK0OuQHB9Zsaaq2MCr3t4DKuIBdadasOZXYHZQmtw
Vv9FRU6X5l5BnYHxx64KEM7F4gRNqven0GI3oET/lHQjlk/y6GRvpVbv303F6qeg
biW/BTacs9w7bmd7va/j/RIEr48UxClu4aQrHWVzERHxgwS524rIszEElIcKRI6t
1gFkFB43HXSsQtwJbE6i01p1cf+yT800dEQAPjnQ2kHjsUPOQPtq2gLndmqpyaK1
2qyFdnK2nWeKQ42EMYbdcrNLTNyAHvsEGY+lQexS3y2bcctfxF/7PGHddJAcrJNV
BPWdeWpPIjzwQYdGmKR8W3SwPWtD+LSKoRaMExAk0rgoacEGL93twTIQhaj95CHr
uYO7n4L9+x4YZFNTo3eY/V3JkFGEGWwddrU7tPV0mMtJZ9tt7iaQ7iifTMJoy37m
ICE4mJnCQwQGkIJQKFrA
=eDCW
-----END PGP SIGNATURE-----

LOL

[DeathAndTaxes]

I don't get it why would some one put a PGP signature? wouldn't someone just copy the message and paste it into their "owned" PGP signature with the new message and paste that PGP sig with the new message? No one wouldn't even know the diff?

Well to anyone who checked the sig it would be immediately obvious that message has been changed or that it isn't signed by the expected party.

99% of people won't validate the sig (would be nice if some browser auto-validated sigs) but the signature is for the 1% who would.

[drakahn]

I wonder if the "new forum software" could include a feature that makes signing/veryfying with pgp(or bitcoin addresses) easy

[Garr255]

I wonder if the "new forum software" could include a feature that makes signing/veryfying with pgp(or bitcoin addresses) easy

They are paying thousands of BTC for it, I'm sure whoever makes it could incorporate that. Post in on the software dev thread!

[Xenland]

I don't get it why would some one put a PGP signature? wouldn't someone just copy the message and paste it into their "owned" PGP signature with the new message and paste that PGP sig with the new message? No one wouldn't even know the diff?

Well to anyone who checked the sig it would be immediately obvious that message has been changed or that it isn't signed by the expected party.

99% of people won't validate the sig (would be nice if some browser auto-validated sigs) but the signature is for the 1% who would.

Well i assume that the sig would be changed too if the messages can be, I still don't get how any of the PGP signatures linked to identity in some way is there database look up that has identity associations with it I'm not aware of?

[DeathAndTaxes]

Well i assume that the sig would be changed too if the messages can be, I still don't get how any of the PGP signatures linked to identity in some way is there database look up that has identity associations with it I'm not aware of?

Yes they are called public keys.  You can exchange them out of band.  I can email you my public key now (no really I can if you want it) and in the future you can verify all my signed messages.  If a message validates against my public key it MUST have been signed by someone with access to the private key (which is assumed to be me).  Well unless someone busts RSA or SHA-256 that is.

There are also key exchange servers where I can upload my key and you can search for it.  The "attacker" can certainly change the signature but the signature would either be invalid or it would be signed by his private key not mine.

BTW I don't use GPG on this forum, never felt the need.  However your thread did get me thinking I really can't believe chrome doesn't have a GPG exension which parse the page, detects the signature and validates it against public keys in the key ring.  It could replace that wall of text with a "validated icon".

That might be "the" killer app for GPG.  I noticed you wrote PGP.  PGP is closed source.  GPG is a compatible FOSS (free open source software) variant.

[John (John K.)]

I don't get it why would some one put a PGP signature? wouldn't someone just copy the message and paste it into their "owned" PGP signature with the new message and paste that PGP sig with the new message? No one wouldn't even know the diff?

Well to anyone who checked the sig it would be immediately obvious that message has been changed or that it isn't signed by the expected party.

99% of people won't validate the sig (would be nice if some browser auto-validated sigs) but the signature is for the 1% who would.

Well i assume that the sig would be changed too if the messages can be, I still don't get how any of the PGP signatures linked to identity in some way is there database look up that has identity associations with it I'm not aware of?

Go do a read up on PGP: http://www.rpm.org/max-rpm/ch-pgp-intro.html
If the messages are changed, the signature will become invalid when checked.

[JusticeForYou]

I don't get it why would some one put a PGP signature? wouldn't someone just copy the message and paste it into their "owned" PGP signature with the new message and paste that PGP sig with the new message? No one wouldn't even know the diff?

Well to anyone who checked the sig it would be immediately obvious that message has been changed or that it isn't signed by the expected party.

99% of people won't validate the sig (would be nice if some browser auto-validated sigs) but the signature is for the 1% who would.

Well i assume that the sig would be changed too if the messages can be, I still don't get how any of the PGP signatures linked to identity in some way is there database look up that has identity associations with it I'm not aware of?

Not sure if serious...

Yes, it is called a public key-server.

You can verify that the message was written by the gpg(pgp) Nick that 'Wrote' it. Maybe not who posted it, but who wrote it. Reeses post was to show that you can't prove you're NOT someone with a post.

If you want the person responding to your inquest to sign it, I would suggest that you ask them to add a nounce (some random data) of your choosing to the reply to insure that it is not a 'cut and paste' job. Do this simply because entire conversations to questions can be thought of ahead of time.

However, beware that most keys here are not 'signed' by anytype of authority to prove IRL identity. So all you are really doing is confirming a gpg <Nick>. Most gpg nicks that want to protect a reputation here can be found in the WoT on the -otc.  There are however a few people that have their keys signed by an authority and other members. An 'authority' is usually an respected organization that has some type of proof of IRL identity. Other members 'usually' don't sign someones keys unless they have met them but this isn't always the case.


Edit: Didn't type fast enough.

[theymos]

I wonder if the "new forum software" could include a feature that makes signing/veryfying with pgp(or bitcoin addresses) easy

How could it be made easier? I've thought about it in the past but I couldn't think of any major improvements that wouldn't also hurt security.

[Xenland]

Well i assume that the sig would be changed too if the messages can be, I still don't get how any of the PGP signatures linked to identity in some way is there database look up that has identity associations with it I'm not aware of?

Yes they are called public keys.  You can exchange them out of band.  I can email you my public key now (no really I can if you want it) and in the future you can verify all my signed messages.  If a message validates against my public key it MUST have been signed by someone with access to the private key (which is assumed to be me).  Well unless someone busts RSA or SHA-256 that is.

There are also key exchange servers where I can upload my key and you can search for it.  The "attacker" can certainly change the signature but the signature would either be invalid or it would be signed by his private key not mine.

BTW I don't use GPG on this forum, never felt the need.  However your thread did get me thinking I really can't believe chrome doesn't have a GPG exension which parse the page, detects the signature and validates it against public keys in the key ring.  It could replace that wall of text with a "validated icon".

That might be "the" killer app for GPG.  I noticed you wrote PGP.  PGP is closed source.  GPG is a compatible FOSS (free open source software) variant.

Ah! see i was assuming too much -- So basically only those who can check is those who've previously talked to me and saved my public key thing.

[theymos]

Ah! see i was assuming too much -- So basically only those who can check is those who've previously talked to me and saved my public key thing.

They don't need to talk to you. They can just download your key from a keyserver the first time and hope it's accurate. Or they can check to see if anyone they do already trust has signed your key.

[Xenland]

Today I have an epiphany. This encryption is all coming together how this is all connected.

[dooglus]

you might want to add a nounce

ask them to add a nounce

It's "nonce".  As in "n once".  A value that you only use "once".

Not to be confused with http://www.urbandictionary.com/define.php?term=nonce.

[JusticeForYou]

you might want to add a nounce

ask them to add a nounce

It's "nonce".  As in "n once".  A value that you only use "once".

Not to be confused with http://www.urbandictionary.com/define.php?term=nonce.

LOL, common you have to show it:

1.    nounce
Standard greeting, or description.
ADJ: That shits nounce man.
Verb: Nounce that shit.

"Nounce bitches! What's goin on?"

It seemed apropos in this circumstance. Geesh... spoiled sport. 

[justusranvier]

99% of people won't validate the sig (would be nice if some browser auto-validated sigs) but the signature is for the 1% who would.

There is an extension for Firefox that does exactly what you are asking.

[realnowhereman]

If the forum supported openpgp then it wouldn't be too hard to have the email verification enhanced with identity verification. If we remember that a signature on a public key fundamentally only says that the claimed owner is verified by the signer then the forum software could sign keys and we would only need to trust the forum public key to get quite an extensive web.

[sisenor]

I wonder if the "new forum software" could include a feature that makes signing/veryfying with pgp(or bitcoin addresses) easy

How could it be made easier? I've thought about it in the past but I couldn't think of any major improvements that wouldn't also hurt security.

Resurrecting this thread because I noticed nobody responded to the forum admin posting that he's interested in incorporating a pgp feature set into the forum software . . .I'd love it too but don't myself have any suggestions.  Anybody else??

[Raize]

Resurrecting this thread because I noticed nobody responded to the forum admin posting that he's interested in incorporating a pgp feature set into the forum software . . .I'd love it too but don't myself have any suggestions.  Anybody else??

One possible solution would be to implement off-site Javascript code like Blockchain.info that would pull down an encrypted version of someone's private pgp key that they could decrypt with a known password. They could then use it plus their recipient's public key to encrypt their message/PM and send that back to the server which stores it. I don't even know the beginning of how to write code for something like this, but it should be doable in node.js I'd imagine. All the same things could also be done, like emailing a backup of the key as a .json file, also encrypted with their "password". I'd also recommend that, however they do this they make or allow the password to obviously be different from the forum login/password.