Silk Road forums

Discussion => Security => Topic started by: Party Girl on November 28, 2012, 03:22 pm

Title: Please confirm that a vendor needs a customer's public key to decrypt messages?
Post by: Party Girl on November 28, 2012, 03:22 pm
Have I lost my mind???  Don't answer that!  But a customer is telling me he has done 40 ENCRYPTED transactions without EVER providing his public key.  Is this possible?  I thought the entire concept was based on public and private keys.

If I never enter a customer's public key, save it, and then import it, how would GPG work?     :-X

Luv,
PG
Title: Re: Please confirm that a vendor needs a customer's public key to decrypt messages?
Post by: Green Oven Door on November 28, 2012, 03:30 pm
privnote...maybe? In order for his customers to be able to send him PGP encrypted messages that he could read, they would have to be encrypted using a key that he has stored on his computer. Some sort of key needs to be used to "activate" encryption/decryption. If there is no key, there is only plain text. Maybe he has done 40 plain text transactions. I can admit that I probably have had that many come through my inbox already :-/

Title: Re: Please confirm that a vendor needs a customer's public key to decrypt messages?
Post by: unknown79 on November 28, 2012, 03:41 pm
A customer does NOT have to provide the vendor with his (or her ;)) public key in order to encrypt a message to a vendor.

For example: When placing an order, I (as a customer) import the vendor's public key into PGP and encrypt my address using their public key. I do NOT have to sign it with my key in order for the vendor to read it; he can read it because it's signed with HIS public key, which is connected to HIS private key.

You import a customer's key into PGP in order to encrypt a message to them. If it is not necessary to send an encrypted message in reply, then you have no need for their public key.

Hope this helps.
Title: Re: Please confirm that a vendor needs a customer's public key to decrypt messages?
Post by: SelfSovereignty on November 28, 2012, 03:52 pm
There's one situation where you need the buyer's public key -- if the buyer signs the message as well as encrypts it, some (or most, or all -- not really sure) software chokes and doesn't decrypt the message instead of just decrypting it before telling you it can't verify the signature as authentic.
Title: Re: Please confirm that a vendor needs a customer's public key to decrypt messages?
Post by: Party Girl on November 28, 2012, 04:02 pm
A customer does NOT have to provide the vendor with his (or her ;)) public key in order to encrypt a message to a vendor.

For example: When placing an order, I (as a customer) import the vendor's public key into PGP and encrypt my address using their public key. I do NOT have to sign it with my key in order for the vendor to read it; he can read it because it's signed with HIS public key, which is connected to HIS private key.

You import a customer's key into PGP in order to encrypt a message to them. If it is not necessary to send an encrypted message in reply, then you have no need for their public key.

Hope this helps.

Super helpful!!!!!!!   I stand corrected!  A test just went through perfectly.  I think the reason I was so focused on obtaining the customer's public key is that I will never send anything of importance without GPG.  So if I don't have their public key, they miss important information.

Luv,
PG
Title: Re: Please confirm that a vendor needs a customer's public key to decrypt messages?
Post by: SRtester on November 29, 2012, 12:47 am
You can send someone an encrypted message using their key. The only reason they would need YOUR key is if they want to send an encrypted message back to you.
Title: Re: Please confirm that a vendor needs a customer's public key to decrypt messages?
Post by: SelfSovereignty on November 29, 2012, 01:14 am
Honest, there really is one time they need the public key.  I'm not making it up -- I went to exchange messages with a vendor who didn't have my public key, and he wasn't able to decrypt my message because I signed it at the same time I encrypted it.  I almost got the idea in my head it wasn't really the vendor anymore before I figured out the error.

I suppose nobody bothers signing their messages though.
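The key roles argued over in the posts above (unknown79's point that encrypting to a vendor needs only the vendor's public key, and SelfSovereignty's report that a signed message needs the buyer's public key on the vendor's side), as an added worked example that is not part of the thread and not GnuPG's code. It is a teaching model built only from Go's standard library: RSA-OAEP applied to the plaintext directly stands in for PGP's session-key wrapping, Ed25519 stands in for the PGP signature, a map stands in for the keyring, and the label "buyer" is an assumed stand-in for a key ID. Everything else (names, the sample order) is constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Message is a stdlib-only model of a PGP-style sign-then-encrypt packet, not OpenPGP:
// the body is RSA-OAEP over the plaintext itself (real PGP wraps a session key), the
// signature is Ed25519 over the plaintext, and SignerID is an assumed label for a key ID.
type Message struct {
	Body      []byte
	Signature []byte // nil when the sender did not sign
	SignerID  string
}

// Result keeps "what is the plaintext" apart from "does the signature check out".
type Result struct {
	Plaintext []byte
	Signed    bool
	Verified  bool
	VerifyErr error
}

var ErrNoSignerKey = errors.New("can't check signature: no public key for signer")

// Seal encrypts to the recipient's PUBLIC key, the only key encryption needs. The
// sender's own private key is used solely when signer is non-nil.
func Seal(plaintext []byte, recipient *rsa.PublicKey, signer ed25519.PrivateKey, signerID string) (*Message, error) {
	body, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, plaintext, nil)
	if err != nil {
		return nil, err
	}
	msg := &Message{Body: body}
	if signer != nil {
		msg.Signature = ed25519.Sign(signer, plaintext)
		msg.SignerID = signerID
	}
	return msg, nil
}

// Open decrypts with the recipient's PRIVATE key and consults the keyring only afterwards,
// and only if the message is signed. A missing signer key is reported in VerifyErr on a
// successfully decrypted Result; refusing to decrypt at that point is the client bug the thread describes.
func Open(msg *Message, recipient *rsa.PrivateKey, keyring map[string]ed25519.PublicKey) (*Result, error) {
	plaintext, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, msg.Body, nil)
	if err != nil {
		return nil, err
	}
	res := &Result{Plaintext: plaintext, Signed: msg.Signature != nil}
	if !res.Signed {
		return res, nil
	}
	switch pub, ok := keyring[msg.SignerID]; {
	case !ok:
		res.VerifyErr = ErrNoSignerKey
	case !ed25519.Verify(pub, plaintext, msg.Signature):
		res.VerifyErr = fmt.Errorf("bad signature claimed by %q", msg.SignerID)
	default:
		res.Verified = true
	}
	return res, nil
}

// Readable reports whether a decryption produced the expected plaintext.
func Readable(res *Result, want []byte) bool {
	return res != nil && bytes.Equal(res.Plaintext, want)
}

// must panics on error so the demo stays short; real code would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	vendor := must(rsa.GenerateKey(rand.Reader, 2048))
	buyerPub, buyerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	order := []byte("ship to: 12 Example Street, Anytown") // constructed sample order
	noKeys := map[string]ed25519.PublicKey{}                   // vendor never imported the buyer's key
	// 1. Unsigned order: readable with no buyer key on the vendor's ring at all.
	a := must(Open(must(Seal(order, &vendor.PublicKey, nil, "")), vendor, noKeys))
	fmt.Printf("unsigned: readable=%v signed=%v\n", Readable(a, order), a.Signed)
	// 2. Signed order, buyer key absent: still readable, but the signature is uncheckable.
	signed := must(Seal(order, &vendor.PublicKey, buyerPriv, "buyer"))
	b := must(Open(signed, vendor, noKeys))
	fmt.Printf("signed, no key: readable=%v verified=%v err=%v\n", Readable(b, order), b.Verified, b.VerifyErr)
	// 3. Same message once the buyer's public key is imported: now it verifies.
	c := must(Open(signed, vendor, map[string]ed25519.PublicKey{"buyer": buyerPub}))
	fmt.Printf("signed, key imported: verified=%v\n", c.Verified)
}
```

Two practical consequences follow from the model. First, pruning a buyer's key from the keyring afterwards (the advice quoted later in the thread) costs only the ability to verify that buyer's signatures; it never affects decryption, which depends on the vendor's private key alone. Second, with real GnuPG the signed-but-unknown-signer case is the one where a frontend can appear to "choke": gpg still writes the plaintext but reports "Can't check signature: No public key" and may exit non-zero, so a client that treats any non-zero status as a decryption failure hides a message that was in fact decrypted. Check the output file, not only the exit status, before concluding a message is unreadable.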
Title: Re: Please confirm that a vendor needs a customer's public key to decrypt messages?
Post by: SelfSovereignty on November 29, 2012, 03:47 am
You make excellent points, Guru.  Excellent points indeed -- I hadn't considered that.  Thank you :)

I suppose I let the convention of encrypting your public key along with your first message influence me more than it should have.  It's funny how things we don't really arrive at on our own become immutable in the mind... why not just paste the damn thing after the message anyway.  I have no clue.  Because I read somewhere that's not the convention.

Anyway, thanks for speaking up and pointing out my mistake.  I tend to think that if/once I'm caught in possession of something, nobody's going to care what I said to whom.  They've got their charge and whether I wrote a letter a month ago to some random person who knows where doesn't have any bearing on that.

But you're absolutely right, absolutely right -- no need to incriminate myself or be careless for no good reason.  :)
Title: Re: Please confirm that a vendor needs a customer's public key to decrypt messages?
Post by: Party Girl on November 30, 2012, 12:46 pm
That said, I would urge vendors to remove buyers' keys from the PGP keyrings after the conclusion of any transactions. The reason for this is that, if you ever get busted, your keyrings would provide a list of customers you have done business with, if you have not kept your keyrings secure nor kept them pruned.

Guru

A rule to LIVE by!  Great advice, Guru!