Author Topic: Withdraw Funds with PGP key.  (Read 380 times)

fireworks

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Withdraw Funds with PGP key.
« on: October 19, 2013, 01:29:09 am »
It is possible to sign messages with a PGP key. I think it might be a good idea to offer a short pass code which, if the account holder signs it, verifies that the PGP key is theirs (and shows they are competent with PGP).

If they have a verified PGP key then this could be another method of verification for purchases and withdrawals. This would be much more secure than a key which is essentially just another password and only marginally more secure against phishing or MITM attacks.

Dread Pirate Roberts

  • Captain
  • Administrator
  • *****
  • Posts: 566
  • Karma: +552/-41
Re: Withdraw Funds with PGP key.
« Reply #1 on: October 19, 2013, 06:43:00 am »
We have actually already addressed this problem in our developments, which offer a phishing proof login, meaning even if an adversary knows your password and username they will still not be able to access your account. I believe adding this at the access level is important rather than doing it only for withdrawals, as many customers do not encrypt their address; therefore, in the situation they could not access funds due to withdrawal security, you could be put in a worse situation if they decide to save customer addresses and use that as leverage over vendors/staff. However, this additional security feature must be turned on and is not enabled by default, so it is the responsibility of the vendor to safeguard his/her account.
Quote 23: Criticism has plucked the imaginary flower from the chain not so that man may continue to bear the chain without consolation or fantasy but so that he may throw off the chain and cull the living flower.

fireworks

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Re: Withdraw Funds with PGP key.
« Reply #2 on: October 19, 2013, 01:32:37 pm »
Using PGP signatures or something else?

Dread Pirate Roberts

  • Captain
  • Administrator
  • *****
  • Posts: 566
  • Karma: +552/-41
Re: Withdraw Funds with PGP key.
« Reply #3 on: October 19, 2013, 02:35:19 pm »
Without going into the technical aspects, you will be presented with a PGP encrypted message with the public key you provide; you must decrypt this message and paste it as plaintext into a second box provided. We feel this is more secure than asking for a PGP signed message.
Quote 23: Criticism has plucked the imaginary flower from the chain not so that man may continue to bear the chain without consolation or fantasy but so that he may throw off the chain and cull the living flower.
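
The login step described in the reply above (the site encrypts a message to the user's registered public key and the user pastes back the plaintext), shown from the server's side as an added example that is not part of the original thread or of the site's code. The `encrypt_to_key` hook, the five-minute lifetime and the `demo_*` stand-ins are assumptions; the stand-ins only reverse the string so the block runs offline and are not encryption.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 300  # seconds a challenge stays valid (assumed value)


class PgpChallengeLogin:
    """Second login step: prove possession of the private key by decrypting a nonce."""

    def __init__(self, encrypt_to_key, clock=time.time):
        # encrypt_to_key(public_key, plaintext) -> ciphertext is supplied by the
        # caller (hypothetical hook; in practice a wrapper around an OpenPGP tool).
        self._encrypt = encrypt_to_key
        self._clock = clock
        self._pending = {}  # session_id -> (sha256 of nonce, expiry time)

    def issue(self, session_id, public_key):
        """Create a fresh nonce, remember only its hash, return the ciphertext."""
        nonce = secrets.token_urlsafe(24)  # ~192 bits, safe to copy and paste
        digest = hashlib.sha256(nonce.encode()).digest()
        self._pending[session_id] = (digest, self._clock() + CHALLENGE_TTL)
        return self._encrypt(public_key, nonce)

    def verify(self, session_id, pasted):
        """Check the pasted plaintext; every challenge is consumed on first use."""
        entry = self._pending.pop(session_id, None)  # single use, pass or fail
        if entry is None:
            return False
        digest, expires = entry
        if self._clock() > expires:
            return False
        # Users paste with stray whitespace or newlines; strip before hashing.
        candidate = hashlib.sha256(pasted.strip().encode()).digest()
        return hmac.compare_digest(candidate, digest)


def demo_encrypt(public_key, plaintext):
    # Constructed stand-in so the example runs offline: NOT encryption.
    return f"[to {public_key}] {plaintext[::-1]}"


def demo_decrypt(ciphertext):
    # Inverse of the stand-in above, playing the key holder's side.
    return ciphertext.split("] ", 1)[1][::-1]
```

Because only a hash of the nonce is kept and the entry is removed on the first attempt, a leaked challenge table or a replayed response does not pass the check.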

This_is_not_NCA

  • Newbie
  • *
  • Posts: 43
  • Karma: +13/-1
Re: Withdraw Funds with PGP key.
« Reply #4 on: October 19, 2013, 11:57:52 pm »
> Without going into the technical aspects, you will be presented with a PGP encrypted message with the public key you provide; you must decrypt this message and paste it as plaintext into a second box provided. We feel this is more secure than asking for a PGP signed message.

That is good. You should use the same mechanism for sensitive changes that previously may have required a PIN.

Tessellated

  • Vendor
  • Hero Member
  • *****
  • Posts: 737
  • Karma: +217/-23
Re: Withdraw Funds with PGP key.
« Reply #5 on: November 09, 2013, 07:26:59 pm »
This really is a great feature. My PGP identity is just that, an identity. I have no fear that someone is going to phish my account now that it requires access to my private key.

Passwords have been a flawed concept for some time and this is a leap forward in security. Phishing sites will not even be worth building anymore, no reason to send out annoying spam/scam messages to get you to go there either.
Vendor of high quality LSD and MDMA - http://silkroad6ownowfk.onion/users/tessellated - http://silkroad6ownowfk.onion/users/tessellatedmdma

StevieHyperD

  • Sr. Member
  • ****
  • Posts: 378
  • Karma: +158/-15
  • Junglist
Re: Withdraw Funds with PGP key.
« Reply #6 on: November 10, 2013, 04:05:06 am »
I agree, 2 step verification with a PGP key is frigging genius, I wish I had thought of it.

I get this feeling it is going to become the norm across many sites soon in lieu of Google Authenticator etc. Not seen it before anywhere; if SR was the first to do this, it would be a good example of the small and nimble pushing innovation.
hasta la victoria siempre

Tessellated

  • Vendor
  • Hero Member
  • *****
  • Posts: 737
  • Karma: +217/-23
Re: Withdraw Funds with PGP key.
« Reply #7 on: November 10, 2013, 04:25:55 am »
> I agree, 2 step verification with a PGP key is frigging genius, I wish I had thought of it.
>
> I get this feeling it is going to become the norm across many sites soon in lieu of Google Authenticator etc. Not seen it before anywhere; if SR was the first to do this, it would be a good example of the small and nimble pushing innovation.

I first saw it on a project called BitWasp. It was an attempt to make a SR-like marketplace with open source software; the project was never finished.
Vendor of high quality LSD and MDMA - http://silkroad6ownowfk.onion/users/tessellated - http://silkroad6ownowfk.onion/users/tessellatedmdma

PrincesSara

  • Full Member
  • ***
  • Posts: 105
  • Karma: +12/-6
Re: Withdraw Funds with PGP key.
« Reply #8 on: November 10, 2013, 08:56:18 am »
> We have actually already addressed this problem in our developments, which offer a phishing proof login, meaning even if an adversary knows your password and username they will still not be able to access your account. I believe adding this at the access level is important rather than doing it only for withdrawals, as many customers do not encrypt their address; therefore, in the situation they could not access funds due to withdrawal security, you could be put in a worse situation if they decide to save customer addresses and use that as leverage over vendors/staff. However, this additional security feature must be turned on and is not enabled by default, so it is the responsibility of the vendor to safeguard his/her account.

Why do you think it would escalate to the level of vendors turning on their customers so quickly? Can't customer service mediate the situation sooner than that? Or was the typical complaint at SR1.0 accompanied by a threat of "you better fix this soon or else I'll dox all my customers!!!!!"

StevieHyperD

  • Sr. Member
  • ****
  • Posts: 378
  • Karma: +158/-15
  • Junglist
Re: Withdraw Funds with PGP key.
« Reply #9 on: November 10, 2013, 05:56:48 pm »
> I first saw it on a project called BitWasp. It was an attempt to make a SR-like marketplace with open source software; the project was never finished.

Kudos to the BitWasp devs.
hasta la victoria siempre

Tessellated

  • Vendor
  • Hero Member
  • *****
  • Posts: 737
  • Karma: +217/-23
Re: Withdraw Funds with PGP key.
« Reply #10 on: November 10, 2013, 06:59:12 pm »
> I first saw it on a project called BitWasp. It was an attempt to make a SR-like marketplace with open source software; the project was never finished.
>
> Kudos to the BitWasp devs.

I strongly believe that software can be made to allow any vendor to set up their own site. Each site can export datafiles containing inventory, payment addresses, and feedback. By using PGP signatures these files can be published and imported by other markets. This would allow the creation of truly federated and interactive marketplaces.

If you used the same PGP key to login to marketplace A as you did for marketplace B then market B can read the signed feedback from market A and import it for you.

If you were on my market, which sold LSD and MDMA, I could also list DMT from another vendor who I trust; I could just import their inventory file complete with payment addresses. I would then send him the order file in exchange for a commission.

Sites with no products of their own could import many people's data files and host their products for them, removing the need for a vendor to manage their own site.

Escrow could be decentralized too with a similar system, or the federated feedback system could allow trust relationships.

There is nothing technologically new in these ideas; they just need to be implemented and implemented well.
Vendor of high quality LSD and MDMA - http://silkroad6ownowfk.onion/users/tessellated - http://silkroad6ownowfk.onion/users/tessellatedmdma

StevieHyperD

  • Sr. Member
  • ****
  • Posts: 378
  • Karma: +158/-15
  • Junglist
Re: Withdraw Funds with PGP key.
« Reply #11 on: November 11, 2013, 04:21:45 pm »
> I strongly believe that software can be made to allow any vendor to set up their own site. Each site can export datafiles containing inventory, payment addresses, and feedback. By using PGP signatures these files can be published and imported by other markets. This would allow the creation of truly federated and interactive marketplaces.
>
> If you used the same PGP key to login to marketplace A as you did for marketplace B then market B can read the signed feedback from market A and import it for you.
>
> If you were on my market, which sold LSD and MDMA, I could also list DMT from another vendor who I trust; I could just import their inventory file complete with payment addresses. I would then send him the order file in exchange for a commission.
>
> Sites with no products of their own could import many people's data files and host their products for them, removing the need for a vendor to manage their own site.
>
> Escrow could be decentralized too with a similar system, or the federated feedback system could allow trust relationships.
>
> There is nothing technologically new in these ideas; they just need to be implemented and implemented well.

It's all doable, and probably more efficiently than that, but most talented devs have day jobs and other open source projects that consume most of their time unfortunately. However I am sure one amongst us will rise up to the challenge :)
hasta la victoria siempre

Tessellated

  • Vendor
  • Hero Member
  • *****
  • Posts: 737
  • Karma: +217/-23
Re: Withdraw Funds with PGP key.
« Reply #12 on: November 11, 2013, 05:06:31 pm »
> It's all doable, and probably more efficiently than that, but most talented devs have day jobs and other open source projects that consume most of their time unfortunately. However I am sure one amongst us will rise up to the challenge :)

I used to have a day job; I have learned there are better opportunities out there. I am sure a very talented developer will realize this is a $100 million idea.
Vendor of high quality LSD and MDMA - http://silkroad6ownowfk.onion/users/tessellated - http://silkroad6ownowfk.onion/users/tessellatedmdma