[OT] Where are your public keys people?

newer
Happy 4 July!!!

older
Comic Book "Religion - Ruining...

Bastiani Fortress

13 Jul 2016 13 Jul '16

5:58 a.m.

Attachments:

attachment.html (text/html — 338 bytes)

Show replies by date

Александр

13 Jul 13 Jul

6:14 a.m.

2016-07-13 8:58 GMT+03:00 Bastiani Fortress :

...

you just sign your messages to look cool :)

Exactly.

stef

6:44 a.m.

On Wed, Jul 13, 2016 at 07:58:10AM +0200, Bastiani Fortress wrote:

...

keybase, or do you just sign your messages to look cool :)

it doesn't even look cool, it just shows how much you don't understand signatures and their purposes. -- otr fp: https://www.ctrlc.hu/~stef/otr.txt

Mirimir

7:04 a.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/13/2016 12:44 AM, stef wrote:

...

On Wed, Jul 13, 2016 at 07:58:10AM +0200, Bastiani Fortress wrote:

...
keybase, or do you just sign your messages to look cool :)

it doesn't even look cool, it just shows how much you don't understand signatures and their purposes.

OK, let's see if you can spoof my email address, and produce a signed message with a valid signature :) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQEcBAEBAgAGBQJXhegLAAoJEGINZVEXwuQ+rWkH/0NIgwqxlGVVNX+cOgVbvABt dfUnwJcWIOVN+GsV6BQaOXF4FnVP4SYXnmmoL3RnrZA4b+pXDSAQxpyeVxsrIFCw dYNmwUOoy/cIsy16CTJufUqQqbDGiCXfK3wpmlgFxzGccTG3zS+gSmh/Po77IFsm nnkuHKSlu1VgvtmXa/FTtg4KSrtS2jg+Vjh7sFGYbXK8maGQUuLVWg7blPtFcOod Xca40Iy8SAj4rwhUMEdE43Au1fo523OpCPqubW0uSGlpPbrzPNfixHENFolBGoZP h4a0bRTdMZYfSbxhpeFh6/5QkgsBl80JS3w90kieUtDWn32HYuUEXqIpujBv2ro= =P9K+ -----END PGP SIGNATURE-----

juan

7:32 a.m.

On Wed, 13 Jul 2016 01:04:59 -0600 Mirimir wrote:

...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On 07/13/2016 12:44 AM, stef wrote:

...
On Wed, Jul 13, 2016 at 07:58:10AM +0200, Bastiani Fortress wrote:

...
keybase, or do you just sign your messages to look cool :)

it doesn't even look cool, it just shows how much you don't understand signatures and their purposes.

OK, let's see if you can spoof my email address, and produce a signed message with a valid signature :)

The thing is, who would bother spoofing your messages? (nothing personal) Plus, beig able to DENY that you wrote something looks like one of the few nice features that email has...

...

-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBAgAGBQJXhegLAAoJEGINZVEXwuQ+rWkH/0NIgwqxlGVVNX+cOgVbvABt dfUnwJcWIOVN+GsV6BQaOXF4FnVP4SYXnmmoL3RnrZA4b+pXDSAQxpyeVxsrIFCw dYNmwUOoy/cIsy16CTJufUqQqbDGiCXfK3wpmlgFxzGccTG3zS+gSmh/Po77IFsm nnkuHKSlu1VgvtmXa/FTtg4KSrtS2jg+Vjh7sFGYbXK8maGQUuLVWg7blPtFcOod Xca40Iy8SAj4rwhUMEdE43Au1fo523OpCPqubW0uSGlpPbrzPNfixHENFolBGoZP h4a0bRTdMZYfSbxhpeFh6/5QkgsBl80JS3w90kieUtDWn32HYuUEXqIpujBv2ro=

The hell is this gibberish? Is your computer broken??

...

=P9K+ -----END PGP SIGNATURE-----

Mirimir

8:19 a.m.

On 07/13/2016 01:32 AM, juan wrote:

...

On Wed, 13 Jul 2016 01:04:59 -0600 Mirimir wrote:

On 07/13/2016 12:44 AM, stef wrote:

...
...
...
On Wed, Jul 13, 2016 at 07:58:10AM +0200, Bastiani Fortress wrote:

...
keybase, or do you just sign your messages to look cool :)

it doesn't even look cool, it just shows how much you don't understand signatures and their purposes.

OK, let's see if you can spoof my email address, and produce a signed message with a valid signature :)

...
The thing is, who would bother spoofing your messages? (nothing personal)

Sure of that?

...

...
Plus, beig able to DENY that you wrote something looks like one of the few nice features that email has...

Why would I want to deny having written something as Mirimir? I'd just use a different account.

stef

9:33 a.m.

On Wed, Jul 13, 2016 at 01:04:59AM -0600, Mirimir wrote:

...

On 07/13/2016 12:44 AM, stef wrote:

...
On Wed, Jul 13, 2016 at 07:58:10AM +0200, Bastiani Fortress wrote:

...
keybase, or do you just sign your messages to look cool :)

it doesn't even look cool, it just shows how much you don't understand signatures and their purposes.

OK, let's see if you can spoof my email address, and produce a signed message with a valid signature :)

ok, i see you understand the primary goal of pgp signatures. i also see, that usually you don't sign here your messages, both of this i approve of. -- otr fp: https://www.ctrlc.hu/~stef/otr.txt

Mirimir

9:54 a.m.

On 07/13/2016 03:33 AM, stef wrote:

...

On Wed, Jul 13, 2016 at 01:04:59AM -0600, Mirimir wrote:

...
On 07/13/2016 12:44 AM, stef wrote:

...
On Wed, Jul 13, 2016 at 07:58:10AM +0200, Bastiani Fortress wrote:

...
keybase, or do you just sign your messages to look cool :)

it doesn't even look cool, it just shows how much you don't understand signatures and their purposes.

OK, let's see if you can spoof my email address, and produce a signed message with a valid signature :)

ok, i see you understand the primary goal of pgp signatures. i also see, that usually you don't sign here your messages, both of this i approve of.

OK, sorry to be touchy. You were criticizing someone else, after all. I thought that you were arguing that signatures didn't prevent forgery.

Georgi Guninski

4:49 p.m.

New subject: [OT] Why kill a private key publicly?

On Wed, Jul 13, 2016 at 01:04:59AM -0600, Mirimir wrote:

...

OK, let's see if you can spoof my email address, and produce a signed message with a valid signature :)

Spoofing your email detectably is trivial, e.g. with netcat by hand. If I could sign in your name, why kill your private key publicly, scaring gpg lusers? Wouldn't it be better for me to profit from your private key? IMHO for the majority of lusers, getting their private key is not related to crypto, more to apps sploits. lol, just trolling ;) @juan: denying you wrote something signed is possible too. just revoke the key, claiming hax0r attack. for plausibility you can leak the private signing key (assuming it is worthless as it should be on ML).

Mirimir

14 Jul 14 Jul

3:42 a.m.

New subject: [OT] Why kill a private key publicly?

On 07/13/2016 10:49 AM, Georgi Guninski wrote:

...

On Wed, Jul 13, 2016 at 01:04:59AM -0600, Mirimir wrote:

...
OK, let's see if you can spoof my email address, and produce a signed message with a valid signature :)

Spoofing your email detectably is trivial, e.g. with netcat by hand.

For sure.

...

If I could sign in your name, why kill your private key publicly, scaring gpg lusers? Wouldn't it be better for me to profit from your private key?

For lulz :) And anyway, Mirimir has nothing worth stealing except reputation.

...

IMHO for the majority of lusers, getting their private key is not related to crypto, more to apps sploits.

True. Not so trivial, though.

...

lol, just trolling ;)

...

@juan: denying you wrote something signed is possible too. just revoke the key, claiming hax0r attack. for plausibility you can leak the private signing key (assuming it is worthless as it should be on ML).

stef

13 Jul 13 Jul

7:13 a.m.

On Wed, Jul 13, 2016 at 08:44:53AM +0200, stef wrote:

...

On Wed, Jul 13, 2016 at 07:58:10AM +0200, Bastiani Fortress wrote:

...
keybase, or do you just sign your messages to look cool :)

if you'd know how to use ml archives you'd have found my similar question from 1-2 years ago and the answers to that. -- otr fp: https://www.ctrlc.hu/~stef/otr.txt

Mirimir

7:32 a.m.

On 07/13/2016 01:13 AM, stef wrote:

...

On Wed, Jul 13, 2016 at 08:44:53AM +0200, stef wrote:

...
On Wed, Jul 13, 2016 at 07:58:10AM +0200, Bastiani Fortress wrote:

...
keybase, or do you just sign your messages to look cool :)

if you'd know how to use ml archives you'd have found my similar question from 1-2 years ago and the answers to that.

I'll take that as a "no", until the message shows up :)

stef

9:34 a.m.

On Wed, Jul 13, 2016 at 01:32:04AM -0600, Mirimir wrote:

...

On 07/13/2016 01:13 AM, stef wrote:

...
On Wed, Jul 13, 2016 at 08:44:53AM +0200, stef wrote:

...
On Wed, Jul 13, 2016 at 07:58:10AM +0200, Bastiani Fortress wrote:

...
keybase, or do you just sign your messages to look cool :)

if you'd know how to use ml archives you'd have found my similar question from 1-2 years ago and the answers to that.

I'll take that as a "no", until the message shows up :)

you're not worth my time. sorry. -- otr fp: https://www.ctrlc.hu/~stef/otr.txt

Mirimir

9:41 a.m.

On 07/13/2016 03:34 AM, stef wrote:

...

On Wed, Jul 13, 2016 at 01:32:04AM -0600, Mirimir wrote:

...
On 07/13/2016 01:13 AM, stef wrote:

...
On Wed, Jul 13, 2016 at 08:44:53AM +0200, stef wrote:

...
On Wed, Jul 13, 2016 at 07:58:10AM +0200, Bastiani Fortress wrote:

...
keybase, or do you just sign your messages to look cool :)

if you'd know how to use ml archives you'd have found my similar question from 1-2 years ago and the answers to that.

I'll take that as a "no", until the message shows up :)

you're not worth my time. sorry.

I still take that as a no ;)

Zenaan Harkness

10:21 a.m.

On Wed, Jul 13, 2016 at 11:34:43AM +0200, stef wrote:

...

On Wed, Jul 13, 2016 at 01:32:04AM -0600, Mirimir wrote:

...
On 07/13/2016 01:13 AM, stef wrote:

...
On Wed, Jul 13, 2016 at 08:44:53AM +0200, stef wrote:

...
On Wed, Jul 13, 2016 at 07:58:10AM +0200, Bastiani Fortress wrote:

...
keybase, or do you just sign your messages to look cool :)

if you'd know how to use ml archives you'd have found my similar question from 1-2 years ago and the answers to that.

I'll take that as a "no", until the message shows up :)

you're not worth my time. sorry.

Oh but it's worth the rest of our time - please, do demonstrate. That would be very cool, Mirimir can have a sob, and we can all have a laugh looking on :) Definitely, definitely worth the time :D

Rayzer

3:12 p.m.

On 07/13/2016 02:34 AM, stef wrote:

...

you're not worth my time. sorry.

So this shit is worthy of my time 'stef'? You said there was some post on the topic. Produce it. I blocked EIGHT PEOPLE on twitter yesterday for critiquing one of my tweets, with source of info, while categorically failing to produce sources requested for their opposing statements. That's the way legitimate posters 'roll'. I said produce the source, and ONE even went as far as to 'ignore/mute' me and actually had the GALL to say so in the convo. THAT ONE earned a spam report (not that it does a fuckload of good). Rr

John Newman

5:52 p.m.

On Jul 13, 2016, at 2:44 AM, stef wrote:

...

...
On Wed, Jul 13, 2016 at 07:58:10AM +0200, Bastiani Fortress wrote: keybase, or do you just sign your messages to look cool :)

it doesn't even look cool, it just shows how much you don't understand signatures and their purposes.

-- otr fp: https://www.ctrlc.hu/~stef/otr.txt

Your sites SSL cert install is fucked up. Chaining issue I think, install the intermediary cert. John

stef

18 Jul 18 Jul

12:03 a.m.

On Wed, Jul 13, 2016 at 01:52:42PM -0400, John Newman wrote:

...

Your sites SSL cert install is fucked up. Chaining issue I think, install the intermediary cert.

nope: https://www.ssllabs.com/ssltest/analyze.html?d=www.ctrlc.hu it's a CACert and it uses sha1 for the signature hash algo, call it sentimentality, but it takes some time for me to part with this beautiful idea, that sadly died. i guess i'll have to jump on the next SOP (letsencrypt), which by it's success became a much juicier target than CACert ever was. there'll be an update soon for this cert. -- otr fp: https://www.ctrlc.hu/~stef/otr.txt

stef

12:18 a.m.

On Mon, Jul 18, 2016 at 02:03:51AM +0200, stef wrote:

...

On Wed, Jul 13, 2016 at 01:52:42PM -0400, John Newman wrote:

...
Your sites SSL cert install is fucked up. Chaining issue I think, install the intermediary cert.

nope: https://www.ssllabs.com/ssltest/analyze.html?d=www.ctrlc.hu

it uses sha1 for the signature hash algo,

err, md5 -- otr fp: https://www.ctrlc.hu/~stef/otr.txt

Mirimir

13 Jul 13 Jul

7:01 a.m.

On 07/12/2016 11:58 PM, Bastiani Fortress wrote:

...

Hey all! Just a simple question out of curiosity; i see pgp signed mails going round in the mailing list, but where do you keep your public keys, and how am i supposed to get them? Does the mailing list have its own keybase, or do you just sign your messages to look cool :)

(Also, here, have a cookie: https://xkcd.com/1181/)

I started signing posts to tor-talk to make a point. And also, I was feeling paranoid after someone started spoofing email addresses :) For me, see https://keybase.io/mirimir :)

Rayzer

3:03 p.m.

On 07/13/2016 12:01 AM, Mirimir wrote:

...

On 07/12/2016 11:58 PM, Bastiani Fortress wrote:

...
Hey all! Just a simple question out of curiosity; i see pgp signed mails going round in the mailing list, but where do you keep your public keys, and how am i supposed to get them? Does the mailing list have its own keybase, or do you just sign your messages to look cool :)

(Also, here, have a cookie: https://xkcd.com/1181/) I started signing posts to tor-talk to make a point. And also, I was feeling paranoid after someone started spoofing email addresses :)

For me, see https://keybase.io/mirimir :)

I sign to verify I sent it and it's not spoofed. Still not 100% verification but it beats nothing. Rr

John

9:12 a.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On July 13, 2016 1:58:10 AM EDT, Bastiani Fortress wrote:

...

Hey all! Just a simple question out of curiosity; i see pgp signed mails going round in the mailing list, but where do you keep your public keys, and how am i supposed to get them? Does the mailing list have its own keybase, or do you just sign your messages to look cool :)

(Also, here, have a cookie: https://xkcd.com/1181/)

I have mutt configured, or gpg really, to retrieve keys that aren't in my key ring from the keyserver pool sks-keyservers.net. Likewise ive published the public key that I use for jnn@synfin.org to that keyserver pool, so others can retrieve my public key from there... It's not a perfect solution security wise but it works ok. Also it looks cool. John -----BEGIN PGP SIGNATURE----- iQFBBAEBCgArJBxrZXliYXNlLmlvL25peGVuIDxuaXhlbkBrZXliYXNlLmlvPgUC V4YF5wAKCRDjJCC+1Hp4x6uQB/oDOY8VZY4CKSxX4w3ARHAe85qN+5beNmH6/xxN e7JfxBl9Q45Oj3Xn2hqfRefI+cMHQpfm2xrWRK8hj/iYKgbHOqNOku5O3Yrtnizq Tjl77CfIeTU5Et6hC/LkCQqrzMmv35TDKWeaAsCo6T9qOQsLBBOuQDqoYSGTW4sk kFp6XtjN2yC4j06NKcs73415MLItaXJj4kDrWlym+NeMX4RmWhVHXynhuYXmnyV1 nwk/poOtuzR6qZpIBiVJXLTc80KgkYioD7XjQ5ekRUo9RUfgyTGMYXfSWMwiQK5g W+Vvvg2nfp5TiDXn+15FM8AxTXptjM1uGwNRerCm178wqK77 =tDw4 -----END PGP SIGNATURE-----

aestetix

9:54 a.m.

In my case, it's available upon request, or to anyone who gets an email from me. And before you ask, no, I will not sign your public key, at least not on a public keyserver. Here is one of the reasons why: https://github.com/aestetix/pglulz Cheers, aestetix On Wed, Jul 13, 2016 at 07:58:10AM +0200, Bastiani Fortress wrote:

...

Hey all! Just a simple question out of curiosity; i see pgp signed mails going round in the mailing list, but where do you keep your public keys, and how am i supposed to get them? Does the mailing list have its own keybase, or do you just sign your messages to look cool :)

(Also, here, have a cookie: https://xkcd.com/1181/)

Anthony Papillion

5:12 p.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 7/13/2016 12:58 AM, Bastiani Fortress wrote:

...

Hey all! Just a simple question out of curiosity; i see pgp signed mails going round in the mailing list, but where do you keep your public keys, and how am i supposed to get them? Does the mailing list have its own keybase, or do you just sign your messages to look cool :)

In my case, there are a number of places you can get my public key: - - My personal blog - - My Keybase profile - - Almost any key server - - You can just ask me for it I suspect most people provide their keys in a similar fashion with most simply placing their keys on public key servers. As for /why/ I sign my mails, I started signing mails after someone decided to spoof a few fairly important emails from me. I consistantly sign mails - even unimportant mail, to show a reliable pattern. I do this even for mail to people I know don't use PGP because, if there is ever a question about a piece of mail, I can /prove/ that I sent it if I have to (I can walk them through downloading and installing PGP and validating my signature, and (while much LESS valuable and reliable) I can give people, even those who don't use PGP, a sense that I /did not/ send a piece of mail if it is not signed. It has nothing to do with looking cool. A -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJXhnaEAAoJEAKK33RTsEsVLvYP/RzAx7QLXSsWVVuazawfZKum A2KHotW4UvP+5vu4TkJ3rUvRkQuygMW3Kbqhqk5BJVxi48Sxg4Xfpi0Z/pFp8i7r ulSUkodgzDWduB03/YW6BPMT/cD7IpjRZOoA2PWRSf34Nq7lSczl/e70RHIkZADi ZWz1uiLSJVigpMGs3jUEp42/Ns9s7vwhd8LO0vime70fDWlvp44GUP/NbPGYNqTT pBoypnB3eL1jewKAy9weE4EWE+UWzfDY3uX3EYLKEOiQDv7C7cBn8k+dlUR/Uz/j FuUrH4MN7JFTedOUFjoRZtFLSShgeg7uqGNe/jeFlCjZGumBsQ8hrLuujzyVqlLG arjlsHXYJuJEZgfVU21/KLJzjxJj95gGQcRqyass7UwN0cz1NU3tVov/FhIouglK JSn/phFqvHh+tLI4Xe/1aEhLrt8e2gLZRWucV4EAmyLxPmlhhp/5J344BExN0mEE MI8v4VRaM+usv8v++qY3xklHS1jTWZC8cdqeFP4idSK/wShxyiu7doplzQw7TKUq L/rcQPoF9eeHg/ohh/6GKXduMa6jy198SHqgiEjkKCh7XouN4J4xiRiPXSTd/xLX 5JmpFJRuimC8aqb1TVRBWkXgsV3xf72zdBf6cNkknKd7AjlWdYM/ZMNNa3XPLFlT h2rPa84g4e86pRnt9LZz =M5s1 -----END PGP SIGNATURE-----

3002

Age (days ago)

3007

Last active (days ago)

List overview

Download

23 comments

12 participants

participants (12)

aestetix
Anthony Papillion
Bastiani Fortress
Georgi Guninski
John
John Newman
juan
Mirimir
Rayzer
stef
Zenaan Harkness
Александр