Tor core dev Isis Agora Lovecruft: "The signatures on the Agora Market's purported OpenPGP key are... interesting."

https://twitter.com/isislovecruft/status/637004470619144192 https://twitter.com/isislovecruft/status/637012958518857728

Not sure what to make of her comments, but I trust that something is "interesting" because she's a core dev on the Tor Project. One of the keys signing Agora's old key has the UID of the mushroom emoji. One of the keys (the revoking key?) has no UID. That is all I could gather.


Comments


[44 Points] Finga_lickin:

Is there a rough English translation for those of us that don't speak computer?


[37 Points] diOpAnonMu:

The way PGP usually works (don't do this for DNM use) is that when you have a key, you hang out with other nerds and sign their keys. There are key signing parties where you do some level of verification and then you sign their key. Frequently, when you sign their key, you upload the signature to a key server.

Now when I want to email someone I haven't corresponded with, I can see if someone I trust has signed their key. If someone I know has signed their key, there's a good chance I can trust it. If there are no signatures, it could have been uploaded by anyone. Search the keyservers for potus@whitehouse.gov, for example.

Someone uploaded the Agora key to a keyserver and then some people signed it with some weird keys. It's common for trolls to sign keys because anyone who looks up those keys later will see who signed it and you can use that to write a message or attempt to crash bad clients.


[9 Points] notrecane:

The comment added when Agora revoked their old PGP key (or maybe when they generated the revocation certificate?) says the following:

"agora play with coins they bad, so bad they bad, so bad"

Revocation is initiated by the owner when a key is no longer in use or thought to be compromised (in this case, no longer in use). I understand Agora revoked their old PGP key before the announcement.

ELI5: Agora admits they are naughty bad coin chompers


[7 Points] J0NJ0NES:

Correct me if I'm wrong, but the key revocation was performed by someone who added that non-flattering comment. If I'm reading between the lines, it says that they lost control of their private key to a hacker asking for a ransom or a disgruntled insider.


[6 Points] coffeencreme:

It's a bit above my head to be honest, what does it mean?


[5 Points] None:

[removed]


[5 Points] young_k:

this shouldn't be posted on somewhere that limits to 140 chars ...ugh :/


[4 Points] Jay-__:

/u/sapiophile - please enlighten us.


[3 Points] JburnaDNM:

Where's the computer nerds at who can explain this and what it means???? I'm lost as to what she is trying to point out.


[3 Points] None:

I'm lost, how is it interesting? I know I'm probably wrong, but it reminds me of the part in Neighbors where the frat gets the letter saying they are no longer on suspension or whatever from Seth Rogen and his friend, and his friend put Hebrew instead of Latin like a little wink.


[2 Points] william_junior:

They're talking about two keys. First, the former Agora public key that has been revoked. The revocation certificate though had to be signed by another key that's allowed to do this revocation (else anybody could revoke anybody's key, right?). So that's also a key, public and private, supposed to be in possession of Agora. And that key looks "odd".

And what is odd about it? If you decode the public part the UID comes out like this
user ID packet: "\x06\x06\x06\x06\x06\x06"
and that's odd. Because what you would normally see there is
user ID packet: "Your Name" your@email

Does it mean anything? Not sure. Probably not. And if anything then presumably that the Agora people are kind of creative. But again, not sure.
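
Added example (not part of the thread or any commenter's code): a small Python parser that walks the packets of a binary, dearmored OpenPGP key, pulls out the User ID packets discussed above, and labels each as conventional or unusual. The function names, the labels and the sample bytes are constructed for illustration; the sample is not the real Agora key.

```python
import re

USER_ID_TAG = 13  # User ID packet, RFC 4880 section 5.11
MAILBOX = re.compile(r"^[^<>]*<[^<>@\s]+@[^<>@\s]+>$")  # "Name <addr@host>"

def iter_packets(data):
    """Yield (tag, body) for each packet in a binary (dearmored) OpenPGP stream."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("bad packet header")
        if hdr & 0x40:  # new-format header: tag in low 6 bits
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths not handled")
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            n = 1 << ltype  # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def classify_uid(body):  # anything but "conventional" deserves a manual look
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return "not-utf8"
    if not text or not text.isprintable():
        return "empty" if not text else "control-chars"
    return "conventional" if MAILBOX.match(text) else "no-mailbox"

def audit_user_ids(data):
    return [(b, classify_uid(b)) for t, b in iter_packets(data) if t == USER_ID_TAG]

def _pkt(tag, body, new=True):  # builds constructed sample packets (body < 192 bytes)
    return bytes([(0xC0 | tag) if new else (0x80 | tag << 2), len(body)]) + body
# Constructed sample stream, not the real Agora key material.
SAMPLE = (_pkt(13, b"Your Name <your@email.example>", new=False) + _pkt(13, b"\x06" * 6)
          + _pkt(13, "\U0001F344".encode()) + _pkt(2, b"\x04\x10"))
```

A key with no UID at all, as mentioned in the original post, simply yields an empty list from audit_user_ids.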


[1 Points] drimilr:

ELI5 plz?


[1 Points] HofmannsHeir:

Interestingly confusing*


[1 Points] None:

illuminati confirmed.


[1 Points] sillysally11:

"Agora play with coins they bad. so bad they bad so bad" whaa?


[1 Points] druggieslut:

Stupidest post ever....