Silk Road forums
Discussion => Security => Topic started by: flufh3d on July 26, 2013, 05:08 am
-
A few of my go-to vendors have recently gone on small vacations and come back with new pgp keys.
I've heard that this is a red flag and am curious how nervous I should be about ordering from them. Any input would be appreciated.
-
that can have a lot of reasons.
his old key pair has expired
he lost the password to his key
the account ownership has changed hands (in whatever way)
his computer crashed and he doesn't know how to import his private key
you see it doesn't necessarily mean something bad. if i was you i'd probably just ask the vendor, and if i don't get a satisfying answer i'd deal with someone else.
cheers
-
that can have a lot of reasons.
his old key pair has expired
he lost the password to his key
the account ownership has changed hands (in whatever way)
his computer crashed and he doesn't know how to import his private key
you see it doesn't necessarily mean something bad. if i was you i'd probably just ask the vendor, and if i don't get a satisfying answer i'd deal with someone else.
cheers
Agreed.
P.S. I like you so far, ShApEsHiFtInGsHaPeS
-
that can have a lot of reasons.
his old key pair has expired
he lost the password to his key
the account ownership has changed hands (in whatever way)
his computer crashed and he doesn't know how to import his private key
you see it doesn't necessarily mean something bad. if i was you i'd probably just ask the vendor, and if i don't get a satisfying answer i'd deal with someone else.
cheers
If your vendor is guilty of any of the things just listed, stop buying from them immediately.
Changing PGP keys is definitely a red flag and you should hold off on ordering from them until you see how the vendor acts for a while. If everything is normal and you feel comfortable, then order.
This will keep you safe from two things: being scammed and coming into contact with possible LE.
What do you lose from not ordering? Nothing, there are plenty of other vendors.
Security is your most important resource here.
-
There are many valid reasons for changing. It's actually much better for security to have keys expire. Equipment can be destroyed periodically as well, requiring replacement with fresh software.
-
new key should be signed with old key to prove new key was created by person with access to old key password.
ask vendor to sign his new key. should be standard practice.
-
Vendors should always have 2 keys. One key is set to never expire and is only used for the purpose of verifying the transition of keys. The 2nd is one which should have an expiry date, although not necessary. This ensures that if one of the keys is missing, then the vendor can still be positively identified. Of course, a vendor should always keep several encrypted backups of their PGP keys and, for example, bury some, keep some in a hard to reach public place (tied to a tree branch 20ft up maybe?), in a double MBB under the substrate of a fish tank, in the internal walls of the house behind plug sockets for example (keep a safe distance between them to prevent possible EMFs) etc.
-
new key should be signed with old key to prove new key was created by person with access to old key password.
ask vendor to sign his new key. should be standard practice.
^^^^ that ^^^^^ seems simple but guess not. good advice
-
Vendors should always have 2 keys. One key is set to never expire and is only used for the purpose of verifying the transition of keys. The 2nd is one which should have an expiry date although not neccersary. This ensures if one of the keys are missing, then the vendor can still be positively identified. Of course, a vendor should always keep several encrypted backups of their PGP keys and for example, bury some, keep some in a hard to reach public place (tied to a tree branch 20ft up maybe?), in a double MBB under the substrate of a fish tank, in the internal walls of the house behind plug sockets for example (keep a safe distance between them to prevent possible EMFs) etc.
I love you StExo. Just when you think you've read all there is to know about PGP, something new pops up. Thanks ;)