In reference to this post.
Couldn't a vendor easily check their vendor home page via their account or a throwaway "buyer" account and see that their public key has been compromised?
Or is the fear that it is changed temporarily, and the 100 or so orders/messages etc. that slip by unbeknownst to the vendor allow a bunk public key to be imported into buyers' GPG keychains, exposing those people? I'm just trying to wrap my head around this and I'm sure I'm making it more complicated than it needs to be.
Haven't been on the marketplaces in a while and trying to be up to date safety-wise.
Also pretty relevant to me as I would often clean house and delete all my saved PGP public keys. Maybe after getting confirmation I should just vault my keychain with my most trusted vendors as I am generally dealing with as few as possible, generally only 2-3 a year.
Anybody educated on this topic, some feedback and clarification would be greatly appreciated. =P
yes i guess that is possible but maybe the market has code to prevent such a thing. or perhaps they only execute their malicious code when a buyer sends their address after a purchase?
sapiophile suggests some great things in that post but the solutions are unrealistic. if you want an easy way to make sure the market isn't forging pgp keys, just verify the vendor's pgp key in multiple places. use 3 or 4 different markets and grams. most vendors are on multiple markets anyways so that should work. edit: it's not foolproof but it should be sufficient.
and i'm sure you know this but don't use the market's built in encryption. write your message in a local text editor, then copy and paste your ciphertext into the market website.
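The cross-checking the reply above recommends can be done mechanically: this added example (not code from the thread) computes the OpenPGP v4 fingerprint of each armored copy of a public key and accepts the key only when every independently obtained copy agrees. The armor/packet parsing follows RFC 4880; `make_armored_key` and `KEY_BODY` are constructed test data, not a real key.

```python
import base64
import hashlib


def armored_key_to_bytes(armored: str) -> bytes:
    """Strip ASCII armor (RFC 4880 s6.2): headers end at the first blank line, "=XXXX" is the CRC24."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END"))
    body = lines[start + 1:end]
    if "" in body:
        body = body[body.index("") + 1:]
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))


def first_packet_body(data: bytes) -> bytes:
    """Parse the first packet header (RFC 4880 s4.2); it must be a public-key packet (tag 6)."""
    tag = data[0]
    if tag & 0x40:  # new-format header: 11TTTTTT then a one-, two- or five-octet length
        ptype, first = tag & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:  # old-format header: 10TTTTLL, LL selects a 1-, 2- or 4-octet length
        ptype, nbytes = (tag >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[tag & 0x03]
        length, off = int.from_bytes(data[1:1 + nbytes], "big"), 1 + nbytes
    if ptype != 6:
        raise ValueError("first packet is not a public-key packet")
    return data[off:off + length]


def v4_fingerprint(armored: str) -> str:
    """V4 fingerprint = SHA-1(0x99 || two-octet body length || body), RFC 4880 s12.2."""
    body = first_packet_body(armored_key_to_bytes(armored))
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def consistent_fingerprint(copies):  # accept the key only if every independent copy agrees
    fps = {v4_fingerprint(c) for c in copies}
    return fps.pop() if len(fps) == 1 else None


def make_armored_key(body: bytes) -> str:  # constructed test data: old-format header, no CRC line
    packet = b"\x99" + len(body).to_bytes(2, "big") + body
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n%s\n-----END PGP PUBLIC KEY BLOCK-----\n" % base64.b64encode(packet).decode()

# Constructed, not a real key: version 4, creation time 0, RSA (algo 1), toy n and e MPIs
KEY_BODY = b"\x04\x00\x00\x00\x00\x01" + b"\x00\x10\xc2\x35" + b"\x00\x11\x01\x00\x01"
```

Feed `consistent_fingerprint` the armored blocks fetched from each independent source; a `None` result means at least one copy differs and the key should not be imported.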