Silk Road forums

Discussion => Silk Road discussion => Topic started by: krettzle on August 08, 2012, 12:01 pm

Title: Do I include my public PGP when ordering?
Post by: krettzle on August 08, 2012, 12:01 pm
Sorry if this has been answered, I didn't read anything about what to do when placing an order in the tutorials I had read.


If I have already sent a message to the seller with my address only (encrypted), should I just leave it at that, or should I send him my public PGP too?
Title: Re: Do I include my public PGP when ordering?
Post by: jameslink2 on August 08, 2012, 12:14 pm
As a seller I would prefer that you send your pgp key in the order. Attach it after the encrypted block that is your address.

I have had some people put their address and the public key block in the message before encryption. This is not a problem most of the time but if you sign the message my software refuses to display the decrypted text because it does not have the key on file and assumes the text cannot be trusted. I can get around this by using the command line but it is extra steps that require I save the message on my drive before decrypting. Otherwise the software does it all in memory and I have nothing written out to the drive.
Title: Re: Do I include my public PGP when ordering?
Post by: krettzle on August 08, 2012, 12:21 pm
As a seller I would prefer that you send your pgp key in the order. Attach it after the encrypted block that is your address.

I have had some people put their address and the public key block in the message before encryption. This is not a problem most of the time but if you sign the message my software refuses to display the decrypted text because it does not have the key on file and assumes the text cannot be trusted. I can get around this by using the command line but it is extra steps that require I save the message on my drive before decrypting. Otherwise the software does it all in memory and I have nothing written out to the drive.

Well....I did sign my address when encrypting, and forgot to include my pgp key.

Should I write the seller a new message with my public key, or should I just keep this as a reminder, when signing a key always to include my own pgp key?
Title: Re: Do I include my public PGP when ordering?
Post by: pine on August 08, 2012, 12:21 pm
^ what jameslink2 said, give the vendor your public key so they are able to reply to you with an encrypted message if they want. It's like exchanging phone numbers.

Also, join PGP Club :)

Link is in the signature.

P.S. There is literally no point in signing a message unless a vendor already has your public key from before.
Title: Re: Do I include my public PGP when ordering?
Post by: jameslink2 on August 08, 2012, 12:29 pm
Well....I did sign my address when encrypting, and forgot to include my pgp key.

Should I write the seller a new message with my public key, or should I just keep this as a reminder, when signing a key always to include my own pgp key?

Yes, you can send your key to the seller in a message as well. I would just to be safe.

I agree Pine, I would prefer that all communication is encrypted.

Some just want the address or sensitive information but I personally want everything encrypted. The more that is encrypted the harder it is for someone to decide which message is worth trying to break the decryption on and which is not. Along the same lines as shredding sensitive documents. If the only documents you shred are the sensitive ones then it would be worthwhile to try to rebuild the documents from the pieces. If you shred your sensitive documents and your junk mail then there is a lot of junk/garbage that would make it not worth the time to reconstruct.

Title: Re: Do I include my public PGP when ordering?
Post by: jameslink2 on August 08, 2012, 12:32 pm
Strictly speaking, PGP/GPG is entirely correct to balk at using untrusted keys. The whole idea behind the web of trust is to help avoid man-in-the-middle (MITM) attacks. Given that we're all anonymous/pseudonymous here, the web of trust does not have as much relevance for us, as it does for regular, non-anonymous folks. Accordingly, you can instruct GPG to always trust keys by adding the always-trust command to your gpg.conf file. Alternatively, you can add --always-trust to your command-line.

Guru

Guru,

I am using KGpg under the KDE interface and although I can trust keys in the GUI it will not display a decrypted message if it was signed and the signing public key is not in your keyring. There appears to be no way to disable that function.
Title: Re: Do I include my public PGP when ordering?
Post by: pine on August 08, 2012, 03:07 pm
^ what jameslink2 said, give the vendor your public key so they are able to reply to you with an encrypted message if they want. It's like exchanging phone numbers.

Also, join PGP Club :)

Link is in the signature.

P.S. There is literally no point in signing a message unless a vendor already has your public key from before.

Pine, I would argue that PGP-signing a message, particularly one where illegal conduct is engaged in (such as ordering contraband) is completely inappropriate (at least as far as the customer is concerned.)

My reasons for so arguing are that digital signatures (like PGP-signatures) are non-repudiable. Once made, they cannot later be disavowed. Digital signatures provide positive proof-of-authorship, even in a court of law. If memory serves, Bill Clinton was the first President to use a digital signature to sign an Act of Congress into law.

Digital signatures, on the part of customers only serve to undermine any potential legal defence, if the shit should ever hit the fan, because the customer is then put in a position where they simply CANNOT deny that they ordered the goods, or that the order was made by someone else posing as them. Digital signatures utterly destroy plausible deniability.

Guru

Quite right, I shall explicitly advise people not to use signed PGP messages to vendors in future, only regular PGP encrypted ones.
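An added example, not from this thread or from any of its posters, that reproduces both points above with plain gpg: jameslink2's "decrypts but refuses to check the signature" situation (NO_PUBKEY until the signer's key is imported) and Guru's point that an encrypt-only message carries no signature binding it to the sender's key at all. It assumes gpg 2.1 or later on PATH; the two homedirs, keys and message are constructed for the demo.

```shell
#!/bin/sh
# Two throwaway GnuPG homedirs stand in for a buyer and a vendor (constructed setup).
set -e
WORK=$(mktemp -d)
VENDOR="$WORK/vendor"; BUYER="$WORK/buyer"
mkdir -p "$VENDOR" "$BUYER"; chmod 700 "$VENDOR" "$BUYER"
# Batch mode with an empty passphrase so nothing prompts interactively.
gpg_v() { gpg --homedir "$VENDOR" --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }
gpg_b() { gpg --homedir "$BUYER"  --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }
gpg_v --quick-gen-key vendor@example.invalid default default never
gpg_b --quick-gen-key buyer@example.invalid  default default never
# The buyer holds the vendor's public key (as from a vendor profile); the vendor
# holds nothing from the buyer yet, which is the situation jameslink2 describes.
gpg_v --export --armor vendor@example.invalid | gpg_b --import
printf 'constructed test message, not an order\n' > "$WORK/msg.txt"
# Variant 1: encrypt only. --always-trust is the option Guru mentions; it skips the
# web-of-trust check that would otherwise abort encryption in --batch mode.
gpg_b --always-trust --encrypt --armor -r vendor@example.invalid -o "$WORK/enc.asc" "$WORK/msg.txt"
# Variant 2: sign with the buyer's key, then encrypt to the vendor.
gpg_b --always-trust --sign --encrypt --armor -r vendor@example.invalid -o "$WORK/signed.asc" "$WORK/msg.txt"
# Decrypt as the vendor and keep only the machine-readable status words that matter.
vendor_decrypt_status() {
  gpg_v --status-fd 1 --decrypt -o /dev/null "$1" 2>/dev/null \
    | grep -oE 'DECRYPTION_OKAY|NO_PUBKEY|GOODSIG' | sort -u | paste -sd ' '
}
STATUS_ENC_ONLY=$(vendor_decrypt_status "$WORK/enc.asc")        # DECRYPTION_OKAY
STATUS_SIGNED_NOKEY=$(vendor_decrypt_status "$WORK/signed.asc") # DECRYPTION_OKAY NO_PUBKEY
# Once the buyer's public key is attached to the order and imported, the very same
# ciphertext verifies: the signature now binds the text to that key.
gpg_b --export --armor buyer@example.invalid | gpg_v --import
STATUS_SIGNED_KEY=$(vendor_decrypt_status "$WORK/signed.asc")   # DECRYPTION_OKAY GOODSIG
echo "encrypt-only    : $STATUS_ENC_ONLY"
echo "signed, no key  : $STATUS_SIGNED_NOKEY"
echo "signed, key held: $STATUS_SIGNED_KEY"
```

The encrypt-only variant never produces NO_PUBKEY or GOODSIG because there is no signature to check, which is exactly the non-repudiation difference Guru points out.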
Title: Re: Do I include my public PGP when ordering?
Post by: pine on August 08, 2012, 03:10 pm
Well....I did sign my address when encrypting, and forgot to include my pgp key.

Should I write the seller a new message with my public key, or should I just keep this as a reminder, when signing a key always to include my own pgp key?

Yes, you can send your key to the seller in a message as well. I would just to be safe.

I agree Pine, I would prefer that all communication is encrypted.

Some just want the address or sensitive information but I personally want everything encrypted. The more that is encrypted the harder it is for someone to decide which message is worth trying to break the decryption on and which is not. Along the same lines as shredding sensitive documents. If the only documents you shred are the sensitive ones then it would be worthwhile to try to rebuild the documents from the pieces. If you shred your sensitive documents and your junk mail then there is a lot of junk/garbage that would make it not worth the time to reconstruct.

Exactly, an apt metaphor. The larger the anonymity set the better.

To wit:

Quote
The literal definition of anonymity is a state of namelessness. A more technical definition of anonymity is the state of being indistinguishable from a given set size. As an example, imagine a closed communication interface with several hundred members. If all of the members use the name 'anonymous' to make their posts, they are indistinguishable from each other based on naming information (however, they may not be anonymous based off IP information). However, they are not indistinguishable from those who are not a part of the system. If two people have access to an anonymous suggestion box, any suggestion in the box may be anonymous but the set size is two. The higher your set size is, the more anonymous you are.

-- Project PolyFront