Bitcoin Forum
December 08, 2016, 06:17:53 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 [3]  All
  Print  
Author Topic: Key-signing party!  (Read 5939 times)
Ryland R. Taylor-Almanza
Hero Member
*****
Offline Offline

Activity: 812



View Profile
May 29, 2011, 11:24:39 PM
 #41

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm Jason Keith. One of many it seems and although you won't find me on the first couple of
pages of a Google search, you can reach me at jasonkeith@gmail.com. My fingerprint is
E936 B8CB 8537 02A1 144E  FFB0 BBF5 676B 15DD FC58 Send me an email with
15DDFC58 and Bitcoin in the subject and I'll get back to you.
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iQIcBAEBAgAGBQJN4ojuAAoJELv1Z2sV3fxYDwQP/2jwS3bBv0+wvP68EK5zXwvK
g9kjBBmkDBbl48unsUGOShzQcfB/Tt724BiBe8AXAHrYBpFO+SCIpQ7h5emncJXP
fg74ux231lrnq+fq0xkTL0mjj04yXUEg8vVjIvKyXE0nw4cR3PY0cibiwzZWS0pP
9iR6gQZGJtvn9nIQJIqW/LTkUGRXRoEDZByqllLM3icWHhX3E8ilrw9MtsLqQtJW
4Zye5vpJlBcPMStIknikZ9OShW/h3H/9exVjZxpo0ZJiTv57mCWWvx4UBnVzVyAT
bJV7aNQjkUvneMNTaxwH5tQfbDkwGkEpKt8iFza2yBPzhIovFAU6ePim0qnPop4m
W43JqfA/QlIQM8FjH2BtBegT7/7rI3Eg97fNLYbW0qxDs57HZZlHtyF4fJZh7Yed
R4bRHJS7iXrX/YIoDiWO+giamc1ZjABOI0GFoHUmtPxOcBXVR3ITkthiy6SjqESW
ACunjQYKI1MeWjtYSqZjbFxUahkJArWd3Hjph3OAiQMscw59cQV0P5NXKNQWrxaL
k96PNuhOin/qRKXWXN9NNqXlRNfqZCNAXVlijgZGkI4Sewh++BIma+e0LIfahzYo
yd+TmXE3rzFFrF6Vv016mcpf2d3ZyWoAYgrAc8zuTb/WOTiDsj7TqJSEpmoC/rZY
MzQ+pegx7DBdhUmT7fvo
=/+pd
-----END PGP SIGNATURE-----
I signed it for you. Smiley Care to sign mine? http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF37B04E9CB0C8D51
Let me know if you need help.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481177873
Hero Member
*
Offline Offline

Posts: 1481177873

View Profile Personal Message (Offline)

Ignore
1481177873
Reply with quote  #2

1481177873
Report to moderator
1481177873
Hero Member
*
Offline Offline

Posts: 1481177873

View Profile Personal Message (Offline)

Ignore
1481177873
Reply with quote  #2

1481177873
Report to moderator
1481177873
Hero Member
*
Offline Offline

Posts: 1481177873

View Profile Personal Message (Offline)

Ignore
1481177873
Reply with quote  #2

1481177873
Report to moderator
Ryland R. Taylor-Almanza
Hero Member
*****
Offline Offline

Activity: 812



View Profile
May 29, 2011, 11:28:03 PM
 #42

Trying this again with the canned response feature from Google. I even added my own line breaks where necessary. It should work now, but I'm sure I'll find out if it doesn't.
Still no auto response for me.
billyjoeallen
Legendary
*
Offline Offline

Activity: 966


Hide your women


View Profile WWW
May 30, 2011, 12:42:02 AM
 #43

I want to get a key pair, but I'm a cryptonoob. could you please point me somewhere to get started? It took me two days to get truecrypt and TOR up and running. tnx.

insert coin here:
1Ctd7Na8qE7btyueEshAJF5C7ZqFWH11Wc

Open an exchange account at CampBX: options, lowest commissions, and best security
https://campbx.com/register.php?r=0Y7YxohTV0B
Jason Keith
Newbie
*
Offline Offline

Activity: 24


View Profile
May 30, 2011, 02:07:03 AM
 #44

Thanks, Jason.  Did you upload it as well?  I can't seem to find the key with your signature on it…
Sorry Klaus. I must have been thinking I'd done that from within Enigmail last night. I've been trying to look for a way to do that from within GPA or Enigmail but I suppose I have to use the CLI. I guess I haven't uploaded Ian's key to the server either in that case so I'll do it now.

https://secure.bitcoinid.com?i=b595fe5a22bfd11ca49758f96b54998fed300820d43534ed84b22042 (https://secure.bitcoinid.com?i=b595fe5a22bfd11ca49758f96b54998fed300820d43534ed84b22042)
kgo
Hero Member
*****
Offline Offline

Activity: 548


View Profile
May 30, 2011, 02:23:12 AM
 #45

I want to get a key pair, but I'm a cryptonoob. could you please point me somewhere to get started? It took me two days to get truecrypt and TOR up and running. tnx.

I'd start with either the GNU Privacy Handbook or the Enigmail Handbook.  If you're really new to all this and don't like the command line, I'd recommend getting enigmail working first, and then reading the GNU Privacy Handbook to understand some more comments.

http://www.gnupg.org/gph/en/manual.html

http://enigmail.mozdev.org/documentation/handbook.php.html
kgo
Hero Member
*****
Offline Offline

Activity: 548


View Profile
May 30, 2011, 02:42:11 AM
 #46

Everyone needs to define their own trust/threat model, so I'm not saying anyone is doing anything wrong here here, but I wouldn't sign someone's key without getting the fingerprint in person (or at least on skype after a history of back-and-forth signed emails.)

I do, however, have the PGP Global Directory signed locally on my setup.  So anyone who gets their key verified on PGP Global Directory shows up as valid to me.  This basically provides the same key/email validation without me (or you) having to vouch for someone else's identity publicly:

https://keyserver.pgp.com/vkd/GetWelcomeScreen.event

People might want to take a look at that and sign up.

And while I've got the attention of a bunch of people interested in OpenPGP, I'm still selling a Hardware OpenPGP smartcard/token combo for 9 BTC:

http://forum.bitcoin.org/index.php?topic=9582.0
kseistrup
Hero Member
*****
Offline Offline

Activity: 565


Unselfish actions pay back better


View Profile WWW
May 30, 2011, 04:59:50 AM
 #47


I wouldn't sign someone's key without getting the fingerprint in person (or at least on skype after a history of back-and-forth signed emails.)

I do, however, have the PGP Global Directory signed locally on my setup.  So anyone who gets their key verified on PGP Global Directory shows up as valid to me.

Perhaps I'm missing something, but how is the verification by the PGP Global Directory different from what we're doing here?

At the Global Directory I uploaded my key, then received an email with a confirmation link in it.  Once I clicked the link, my key was signed.  I have shown that I have access to the email account mentioned in the key.

Here we post a signed message with instructions (and key fingerprint).  The potential verifier receives a signed message back that points to the first signed message.  I have not only shown that I have access to the email account mentioned in the key, but also that I have access to the key.  It would seem to me that this method is a tad better at verifying that the email address and the key goes together.

Have I missed anything?

Cheers,

Klaus Alexander Seistrup
http://about.me/kseistrup
kseistrup
Hero Member
*****
Offline Offline

Activity: 565


Unselfish actions pay back better


View Profile WWW
May 30, 2011, 05:05:02 AM
 #48


I want to get a key pair, but I'm a cryptonoob. could you please point me somewhere to get started? It took me two days to get truecrypt and TOR up and running. tnx.

Please see the GPG Quick Start.  Comes in more than one flavour.

Cheers,

Klaus Alexander Seistrup
http://about.me/kseistrup
kgo
Hero Member
*****
Offline Offline

Activity: 548


View Profile
May 30, 2011, 09:28:22 PM
 #49


I wouldn't sign someone's key without getting the fingerprint in person (or at least on skype after a history of back-and-forth signed emails.)

I do, however, have the PGP Global Directory signed locally on my setup.  So anyone who gets their key verified on PGP Global Directory shows up as valid to me.

Perhaps I'm missing something, but how is the verification by the PGP Global Directory different from what we're doing here?

At the Global Directory I uploaded my key, then received an email with a confirmation link in it.  Once I clicked the link, my key was signed.  I have shown that I have access to the email account mentioned in the key.

Here we post a signed message with instructions (and key fingerprint).  The potential verifier receives a signed message back that points to the first signed message.  I have not only shown that I have access to the email account mentioned in the key, but also that I have access to the key.  It would seem to me that this method is a tad better at verifying that the email address and the key goes together.

Have I missed anything?

Cheers,

Yep, the authentication is basically the same.  The differences are more social:

(1) It's all centralized to the PGP Global Directory key.  If I trust that, I'll trust your sig whether I know you or not.  Whether I'm involved in bitcoin or not.  You get thousands of people to automatically assume your sig is valid, rather than one at a time.  You don't need a hundred page thread here on bitcoin.org that someone needs to go through one-by-one, sending emails to dozens or hundreds of users.

(2) I don't need to publish a 'voucher' to your identity anywhere.  This is what OpenPGP calls 'trust'

So OpenPGP has two inter-related concepts: validity and trust.  Validity means that the key has been authenticated somehow.  Trust indicates that you trust this person to generate signatures correctly, by whatever your standard of correctness is.

With these two elements in place, the Web-of-Trust kicks in.  It starts with keys that you have explicitly flagged as valid.  Then based on the trust you've assigned to these keys (run 'gpg --update-trustdb' if you haven't already), it determines that several keys they've signed are valid.  It repeats this for five layers, and that's all the keys where you can validate messages without seeing that "WARNING!!! Untrusted ...." error.

People who are really into the Web-of-trust think the proper way to sign a key is to verify the fingerprint in person (or on the phone/skype if you recognize their voice) and provide photo id to establish a real-world person's identity.  Like I said, everyone needs to define their own trust model, so it's not wrong to sign keys like people are doing here.  But it may cause someone else who validates your key to mark your key as valid, but untrusted to issue signatures, which excludes you from their web of trust calculations.

One way around this is to issue local signatures.  Local signatures work just the same as normal signatures, but the CANNOT be exported to keyservers.

I'm pretty confident that Ian's key is good.  I run:

gpg --lsign <<IANS_KEY_ID>>

And flag him as perhaps MODERATELY trusted.  Now his signatures factor into my trust calculations, but I'm not making any representations to the outside world, since I haven't done 'proper' authentication.

This is fine, but gets to be a pain if you use multiple computers, or need to re-create your keyring, since this signature doesn't live on the keyservers.
Ryland R. Taylor-Almanza
Hero Member
*****
Offline Offline

Activity: 812



View Profile
May 30, 2011, 11:42:22 PM
 #50

mines on the pgp global directory now.
Ryland R. Taylor-Almanza
Hero Member
*****
Offline Offline

Activity: 812



View Profile
June 01, 2011, 03:58:30 AM
 #51

We going to let this die? This is now a game to me, and I don't want to stop playing.
kseistrup
Hero Member
*****
Offline Offline

Activity: 565


Unselfish actions pay back better


View Profile WWW
June 01, 2011, 04:44:14 AM
 #52

Perhaps all the people who want in on this are alrady in?  Wink

Klaus Alexander Seistrup
http://about.me/kseistrup
The Script
Sr. Member
****
Offline Offline

Activity: 336



View Profile
June 03, 2011, 02:09:29 AM
 #53

Not quite.  I want in, I'm still trying to figure out what the hell I'm doing.  I'm reading through the GNUPG Quick Start but even that is like trying to read another language.  I just learned about PGP a few days ago and am still trying to figure out the procedures.  So far I've created a key in Ubuntu using the "Passwords and Encryption Keys" program which I believe is part of the Seahorse front end package for GNUPG.  So now, how do I use this to encrypt emails, sign other people's keys, etc?  Also, where are these alleged online key directories?  I can't find them.  Sad  Help me and I will sign all your keys.

The Script
Sr. Member
****
Offline Offline

Activity: 336



View Profile
June 03, 2011, 02:14:38 AM
 #54

Ok, I found Jason Keith in the PGP directory and added his key to my key ring.  Hmmm.  Progress.
FatherMcGruder
Sr. Member
****
Offline Offline

Activity: 322



View Profile WWW
June 03, 2011, 02:23:41 AM
 #55

Not quite.  I want in, I'm still trying to figure out what the hell I'm doing.  I'm reading through the GNUPG Quick Start but even that is like trying to read another language.  I just learned about PGP a few days ago and am still trying to figure out the procedures.  So far I've created a key in Ubuntu using the "Passwords and Encryption Keys" program which I believe is part of the Seahorse front end package for GNUPG.  So now, how do I use this to encrypt emails, sign other people's keys, etc?  Also, where are these alleged online key directories?  I can't find them.  Sad  Help me and I will sign all your keys.
Make sure you have "Decrypt File" installed and restart Ubuntu.


Use my Trade Hill referral code: TH-R11519

Check out bitcoinity.org and Ripple.

Shameless display of my bitcoin address:
1Hio4bqPUZnhr2SWi4WgsnVU1ph3EkusvH
The Script
Sr. Member
****
Offline Offline

Activity: 336



View Profile
June 03, 2011, 02:49:37 AM
 #56

Thanks.  Sent you an email.
The Script
Sr. Member
****
Offline Offline

Activity: 336



View Profile
June 03, 2011, 03:08:14 AM
 #57

Code:
-----BEGIN PGP SIGNED MESSAGE----

I am Samuel Vanderwaal, and my key's fingerprint is 70F3 0E0D 3ABC 21BC 7E07 A8BB 7A22 FC9F 1A88 AC11. 
Send me an email with 1A88AC11 in the subject and bitcoin in the body and I will reply with an signed email.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

mQENBE3m/s4BCAC/IcTbreSpZgYBtTAbAYuxzNGSvMTgCzNkUPyY5t/+YVEywNu0
EY9o2rFtsh3f8G/c+kJj/dgg4o2kidIMjGMqeWxjBAzHllDDPai/w2o9WWEgJ9ca
X6s66+uc2ChuOzWz16aSmsGw//qQhzRYoxThT6VyM5E0kq4dGzLQC+qtT8X+iMjc
Sxf82mMOBvFZEXdc+ECA8THrcYpNadnNF66XkXrE4I+QgAo/W8isbi7O71jRIVz1
LFinEpNCcQz6hCJLGnXlE/mwTtiKRRmMwjT8yanDM7Y+EmOMnq5dS3/facwiCRMh
/ttDhjS4RapRgFo5usdcRcdVECVOBoc9GDW/ABEBAAG0L1NhbXVlbCBWYW5kZXJ3
YWFsIDxzYW11ZWwudmFuZGVyd2FhbEBnbWFpbC5jb20+iQE4BBMBAgAiBQJN5v7O
AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRB6IvyfGoisEUAJB/4u9WVW
zBrWKcYeVRlZfXEbvYpx02ZW0jQ/LC5q6Rf495xmQ02XzKOka+PcLzn8z786sxJa
AKViFgCBrXOCodt+QE/FHgZTC6v2gAilYcX7OxJPYcEUgdAhVCCmTJHXZOR/Slgj
GSWPq9rGmhkcMADmla3Vm5yq5SfhqDnLXMkHlGaYSlCrT38l9xYy47edQc9+PG12
+f4dzrBpeGyV8C+TgQRRU/dkuvEzDi6bYuTU/+GSZ/SNPk0LZ6F4P3jcx2P2i8ZR
Eb1lkHcd0N1naTKXSFwTnoInfcNv8JVl+S/p3Uvm5NICqFDUmY4D8b6iPOmAwOJT
n1GIVn35sxQHcLcnuQENBE3m/s4BCADXiJNDumql5oMTdMnfviGOac5GfRfdjib5
80ywbmgf4I1qxsyJocPy0QxrXJjKguOG5zgnil4Hcd86ZVjddYZLTwx16y0YhqAc
ZAwXtjyEDlOn1F2Lx6j7md0QVUAdPfUkJPULtHsEyCkJut9QH9A8eNg0NarnSKza
Hkqb0v1DTZBuL30Y9a7oHOZhRbWEmL/UvdyK5SAhL1sd/dU1xcTfOX/X9f2MDYH+
gdbS94RvDJxnyTS8LJJNIeOsk3ttmWMMIofRlAhs+yLIn2xy5PBsfC4yKGU/Txg9
8z3BsY3ma3sDXvpijKqdVl4516sxwxjhjTMbz9yliw4y3aZZPvc5ABEBAAGJAR8E
GAECAAkFAk3m/s4CGwwACgkQeiL8nxqIrBHlrgf+PApbsyOAdLsTEwfOHQXK8Qo7
RUyIHo2j6Ly+uGmg0OYV0uFrUrwq2uEYJWw41Lpz4p54TzFTcwvW8fBmrD4p+t0k
DeDwCmgsFOoeMokl7iLgMoWhfav5IO6qXHbbJERvv9hH+nyZLVDXrR6Bb1aUizuV
STw2NXnPB8As0X8yWLGN/fDl+pQKhqCAv8hSD/bwuBxkI2u9ZVKo7XYnnlMiYyCK
lx8uRtI6QN15ivlVuWz50hA4ZRk52hN3hErjxOgIatBQ7kvyk5cLKfA8G6UniiR4
N0F5iwHEmXiLUSZ2xfniyBaFgZYdelTaTUuRwxry7mudLd6EivjLgEpCdPHjmQ==
=6C/v
-----END PGP PUBLIC KEY BLOCK-----

The Script
Sr. Member
****
Offline Offline

Activity: 336



View Profile
June 03, 2011, 03:11:02 AM
 #58

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

You can trust bitcoin.org to verify that I am the real theymos, and maybe you can trust me when I say that my real name is Michael Marquardt.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAk3YczIACgkQxlVWk9q1kecdaAD5AYDNdk1CqQignw0VfcffQtNv
k8d4bAf98vfcKvKGP0oA/3iPaObiKtw984EhqbKVM7Rljc40qKvaLvIEs6emkCWA
=ld+O
-----END PGP SIGNATURE-----

Public key:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC6555693DAB591E7

What is the difference between a PGP signature and a PGP Public key?  Is the signature a hash of the public key?  Also, why is Theymos' so damn long?  Different hash type? 
theymos
Administrator
Legendary
*
Offline Offline

Activity: 2492


View Profile
June 03, 2011, 04:18:00 AM
 #59

What is the difference between a PGP signature and a PGP Public key?  Is the signature a hash of the public key?  Also, why is Theymos' so damn long?  Different hash type? 

A signature verifies some data. That signature verifies that the text between "BEGIN PGP SIGNED MESSAGE" and "BEGIN PGP SIGNATURE" was actually written by me.

To verify my signature, you need my public key. If you want to send me an encrypted message, you also encrypt it to my public key.

That public key is long because it has lots of signatures. It's smaller if you remove the signatures:
http://theymos.com/theymos.txt
(This is the exact same public key.)

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
kseistrup
Hero Member
*****
Offline Offline

Activity: 565


Unselfish actions pay back better


View Profile WWW
June 03, 2011, 05:14:54 AM
 #60

Code:
-----BEGIN PGP SIGNED MESSAGE----

I am Samuel Vanderwaal, and my key's fingerprint is 70F3 0E0D 3ABC 21BC 7E07 A8BB 7A22 FC9F 1A88 AC11. 
Send me an email with 1A88AC11 in the subject and bitcoin in the body and I will reply with an signed email.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

mQENBE3m/s4BCAC/IcTbreSpZgYBtTAbAYuxzNGSvMTgCzNkUPyY5t/+YVEywNu0
EY9o2rFtsh3f8G/c+kJj/dgg4o2kidIMjGMqeWxjBAzHllDDPai/w2o9WWEgJ9ca
X6s66+uc2ChuOzWz16aSmsGw//qQhzRYoxThT6VyM5E0kq4dGzLQC+qtT8X+iMjc
Sxf82mMOBvFZEXdc+ECA8THrcYpNadnNF66XkXrE4I+QgAo/W8isbi7O71jRIVz1
LFinEpNCcQz6hCJLGnXlE/mwTtiKRRmMwjT8yanDM7Y+EmOMnq5dS3/facwiCRMh
/ttDhjS4RapRgFo5usdcRcdVECVOBoc9GDW/ABEBAAG0L1NhbXVlbCBWYW5kZXJ3
YWFsIDxzYW11ZWwudmFuZGVyd2FhbEBnbWFpbC5jb20+iQE4BBMBAgAiBQJN5v7O
AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRB6IvyfGoisEUAJB/4u9WVW
zBrWKcYeVRlZfXEbvYpx02ZW0jQ/LC5q6Rf495xmQ02XzKOka+PcLzn8z786sxJa
AKViFgCBrXOCodt+QE/FHgZTC6v2gAilYcX7OxJPYcEUgdAhVCCmTJHXZOR/Slgj
GSWPq9rGmhkcMADmla3Vm5yq5SfhqDnLXMkHlGaYSlCrT38l9xYy47edQc9+PG12
+f4dzrBpeGyV8C+TgQRRU/dkuvEzDi6bYuTU/+GSZ/SNPk0LZ6F4P3jcx2P2i8ZR
Eb1lkHcd0N1naTKXSFwTnoInfcNv8JVl+S/p3Uvm5NICqFDUmY4D8b6iPOmAwOJT
n1GIVn35sxQHcLcnuQENBE3m/s4BCADXiJNDumql5oMTdMnfviGOac5GfRfdjib5
80ywbmgf4I1qxsyJocPy0QxrXJjKguOG5zgnil4Hcd86ZVjddYZLTwx16y0YhqAc
ZAwXtjyEDlOn1F2Lx6j7md0QVUAdPfUkJPULtHsEyCkJut9QH9A8eNg0NarnSKza
Hkqb0v1DTZBuL30Y9a7oHOZhRbWEmL/UvdyK5SAhL1sd/dU1xcTfOX/X9f2MDYH+
gdbS94RvDJxnyTS8LJJNIeOsk3ttmWMMIofRlAhs+yLIn2xy5PBsfC4yKGU/Txg9
8z3BsY3ma3sDXvpijKqdVl4516sxwxjhjTMbz9yliw4y3aZZPvc5ABEBAAGJAR8E
GAECAAkFAk3m/s4CGwwACgkQeiL8nxqIrBHlrgf+PApbsyOAdLsTEwfOHQXK8Qo7
RUyIHo2j6Ly+uGmg0OYV0uFrUrwq2uEYJWw41Lpz4p54TzFTcwvW8fBmrD4p+t0k
DeDwCmgsFOoeMokl7iLgMoWhfav5IO6qXHbbJERvv9hH+nyZLVDXrR6Bb1aUizuV
STw2NXnPB8As0X8yWLGN/fDl+pQKhqCAv8hSD/bwuBxkI2u9ZVKo7XYnnlMiYyCK
lx8uRtI6QN15ivlVuWz50hA4ZRk52hN3hErjxOgIatBQ7kvyk5cLKfA8G6UniiR4
N0F5iwHEmXiLUSZ2xfniyBaFgZYdelTaTUuRwxry7mudLd6EivjLgEpCdPHjmQ==
=6C/v
-----END PGP PUBLIC KEY BLOCK-----


It seems to me that you're missing something here.  Shouldn't there be both end-of-key and end-of-message?

Cheers,

Klaus Alexander Seistrup
http://about.me/kseistrup
Pages: « 1 2 [3]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!