Silk Road forums

Discussion => Security => Topic started by: Ro-Jaws on June 27, 2013, 05:33 pm

Title: Vendor's Poor InfoSec - proportionate response?
Post by: Ro-Jaws on June 27, 2013, 05:33 pm
So I have been messaging a vendor I haven't used before over the last few days, just to see what sort of communication and product they have but this is where the problems start. I use the gpg.conf that astor put up a while ago, which among other things includes the throw-keyids, so when the vendor replies that he cannot read my message I naturally suggest that perhaps he has another key or 2 on the same keyring and has forgotten to remove them. The reply is that he has loads of keys on the same ring.

My question therefore is how indicative is this of their general attitude? Obviously there cannot be a definitive answer here but I want to avoid being overly harsh and dismissing (what may be a great) vendor out of hand. However to me this seems to be, at best, sloppy and maybe even downright unsafe. Is it reasonable to infer that they will take an equally lax view when it comes to shredding my address after ordering? Wearing gloves when packing? Packing product properly so it won't fall out or be seen?

Is any of that even verifiable?

Oh and whatever I do decide, what do you reckon as to saying something to the vendor about this? I'm not comfortable lecturing vendors as I like to think that anyone (scammers excepted) who is going to fork out $500 and risk serious jail time would educate themselves far more thoroughly than I would but good vendors are better for everyone involved.

It's a dilemma
Title: Re: Vendor's Poor InfoSec - proportionate response?
Post by: SelfSovereignty on June 27, 2013, 05:45 pm
I'm not entirely sure how this is unacceptable...?  Are you suggesting that every private key should be kept in its own keyring file?  He can't very well just destroy them -- what if he needs to decrypt something using one of them in the future...?

Also... I don't see why he can't decrypt something that was encrypted with --throw-keyids.  I can just fine... are you positive you encrypted for the right key?  I was under the impression it tried all known keys?
Title: Re: Vendor's Poor InfoSec - proportionate response?
Post by: Ro-Jaws on June 27, 2013, 06:39 pm
I'm not sure I'd call it unacceptable, more something that gives me pause for thought.

It's not that I think every key should be separate, rather that the SR vendor key isn't one that should simply be in with all his other keys, if for no other reason than the public keys all tend to be of the form [vendorname]@silkroad.com. Isn't having a definitive link from you to silkroad something to avoid? Especially for a vendor?

I thought that about using the wrong key as well, so it was in fact 2 messages I sent. The second one was double checked so I'm sure it was right. With --throw-keyids it will indeed be trying every key; from what I can tell in the messages he seems to have given up after the first few attempts, assuming the message had been encrypted incorrectly.
Title: Re: Vendor's Poor InfoSec - proportionate response?
Post by: Tessellated on June 27, 2013, 06:50 pm
PGP is designed to handle multiple private keys. I personally have a dedicated keyring and in fact dedicated OS for my Tessellated identity but if he knows how to use PGP then it should not be an issue.

That being said he should know how to tell his PGP which private key to use.

It just occurred to me that you can "probe" someone's keyring to see if they have more than one private key by sending such a message.
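
Added example, not part of any post in this thread: the `throw-keyids` option discussed above makes GnuPG write an all-zero key ID into each recipient (PKESK) packet, which is why the recipient's client has to try every secret key it holds. This Python code reads those key IDs from a binary OpenPGP message per RFC 4880; the function names and both sample messages are constructed for illustration.

```python
WILDCARD = "0000000000000000"  # all-zero key ID written when throw-keyids is set

def _tag(first):
    """Packet tag from the first header octet (new or old format)."""
    return first & 0x3F if first & 0x40 else (first >> 2) & 0x0F

def _body(data, pos):
    """Return (body_start, body_length) for the packet whose header is at pos."""
    first = data[pos]
    if first & 0x40:                                  # new-format length
        o1 = data[pos + 1]
        if o1 < 192:
            return pos + 2, o1
        if o1 < 224:
            return pos + 3, ((o1 - 192) << 8) + data[pos + 2] + 192
        if o1 == 255:
            return pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body length not expected on a PKESK packet")
    n = 1 << (first & 0x03)                           # old format: 1, 2 or 4 octets
    if n == 8:
        raise ValueError("indeterminate length not expected on a PKESK packet")
    return pos + 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")

def recipient_key_ids(data):
    """Key IDs of the leading Public-Key Encrypted Session Key packets (tag 1)."""
    ids, pos = [], 0
    while pos < len(data) and data[pos] & 0x80 and _tag(data[pos]) == 1:
        start, length = _body(data, pos)
        body = data[start:start + length]
        if len(body) < 10 or body[0] != 3:            # version 3, 8-byte key ID, algo
            raise ValueError("unexpected PKESK layout")
        ids.append(body[1:9].hex().upper())
        pos = start + length
    return ids                                        # stops at the encrypted data packet

def needs_trial_decryption(data):
    """True if any recipient is hidden, so every secret key must be tried."""
    return WILDCARD in recipient_key_ids(data)

def _pkesk(key_id, header):
    """Constructed sample packet: v3, key ID, RSA (algo 1), dummy 8-bit MPI."""
    body = bytes([3]) + key_id + bytes([1]) + b"\x00\x08\xff"
    return header + bytes([len(body)]) + body

# Constructed samples, each followed by a stub tag-18 encrypted data packet.
NORMAL = _pkesk(bytes.fromhex("1122334455667788"), b"\x84") + b"\xd2\x01\x00"
HIDDEN = _pkesk(bytes(8), b"\xc1") + _pkesk(bytes(8), b"\x85\x00") + b"\xd2\x01\x00"

if __name__ == "__main__":
    for name, msg in (("normal", NORMAL), ("hidden", HIDDEN)):
        print(name, recipient_key_ids(msg), needs_trial_decryption(msg))
```

For a real ASCII-armored message, convert it to binary first with `gpg --dearmor` and pass the resulting bytes to `recipient_key_ids`.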