Silk Road forums

Discussion => Security => Topic started by: sativo on November 17, 2012, 07:41 pm

Title: PGP questions when buying from vendor
Post by: sativo on November 17, 2012, 07:41 pm
When we buy from a vendor, we import their keys into PGP and write out our address in the clipboard, then encrypt it using their key right?

My question is, do we include our own key in the message, and are we meant to click "sign" along with encrypt?

Thanks
Title: Re: PGP questions when buying from vendor
Post by: WinterMoon on November 17, 2012, 07:54 pm
Quote from: sativo on November 17, 2012, 07:41 pm
When we buy from a vendor, we import their keys into PGP and write out our address in the clipboard, then encrypt it using their key right?

My question is, do we include our own key in the message, and are we meant to click "sign" along with encrypt?

Thanks

Yes, include your own key in the message. Here is the correct sequence:

Import vendor key into pgp
Write out your addy on clipboard
Append your key (try right clicking your key & select Append)
Encrypt the entire message

Signing: I know nothing about signing, but I have ordered through the Marketplace without signing and sent encrypted PMs without signing, never any problems.

Good luck!
Title: Re: PGP questions when buying from vendor
Post by: farmer1 on November 17, 2012, 09:18 pm
If you wish for the vendor to respond to you encrypted then include your public key inside your encrypted message.

Do not sign. When you 'sign' a message it means that the vendor can only decrypt your message if he has already imported your public key. This is the number one issue I have when decrypting customer messages. Additionally, when you sign you are proving that you did send the message, and this could be used as evidence against you if the vendor's data was ever compromised. Not signing helps maintain your 'plausible deniability'. Nomad Bloodbath has a good post talking about this issue if you care to search it out.
Title: Re: PGP questions when buying from vendor
Post by: Nightcrawler on November 17, 2012, 09:41 pm
Quote from: sativo on November 17, 2012, 07:41 pm
When we buy from a vendor, we import their keys into PGP and write out our address in the clipboard, then encrypt it using their key right?

My question is, do we include our own key in the message, and are we meant to click "sign" along with encrypt?

Thanks

You can include a copy of your own key under the address information that you send to the vendor.

THIS IS IMPORTANT -- NEVER, EVER, SIGN ANYTHING RELATED TO A TRANSACTION WITH A VENDOR.

Once a message is signed, and the signature verifies, it is impossible to disavow such a message as a forgery. Why do you think that DPR signs his messages? He signs them precisely to assure all of us that the messages are genuine, and not forged. If a vendor were ever busted, and a copy of your signed message fell into the hands of the authorities, this would provide them with a signed confession to a criminal offense. That is why you never sign anything that could be incriminating in the slightest degree.

Nightcrawler
Title: Re: PGP questions when buying from vendor
Post by: CoolGrey on November 18, 2012, 09:38 pm
Good point, Nightcrawler. However, they would need to prove that you -and only you- actually own that private key. Is that a likely risk?

Still, I agree with you. You have to be careful with the things you append your signature to. Just like in real life, really.