Silk Road forums
Discussion => Silk Road discussion => Topic started by: teeth90 on December 02, 2011, 04:17 pm
-
I generally send it in a PM before I place the order, but I am wondering if just placing my public key and my message in the shipping box after an order is placed is a more efficient method, especially with top vendors who are dealing with dozens of orders a day. Would putting it in the shipping address box be less secure? Or am I the only one who does it separately?
-
I think people do it both ways - me, I usually encrypt my public key right along with my shipping address all in the same message in the shipping box when I place an order. I haven't had complaints, so hopefully that works out ok. Saves site reloading time anyway for both of us. :)
-
It depends for me. If I need to communicate with a vendor before I make a purchase, then I send them a message encrypted with their key with my key contained within that message; if I don't need to communicate with them, I just include my key in the shipping address box. Never had any complaints like that, so it works for me.
-
I have had many put their address encrypted with my key and then underneath it put their key... also, they have pm'd me the same way...
-
If I'm just flat out making an order with no pre-arrangement, I paste my key underneath my encrypted message in the order box. Haven't had any problems so far.
-
> I think people do it both ways - me, I usually encrypt my public key right along with my shipping address all in the same message in the shipping box when I place an order. I haven't had complaints, so hopefully that works out ok. Saves site reloading time anyway for both of us. :)
As a vendor, I prefer this way the best. Just include your public key, encrypted, just below your address.
I don't like PMs with public keys as they clutter the inbox, although sometimes it's nice to have it archived.
-
/\ That's how I've found most vendors prefer it. Also, I get a lot of replies saying they imported my key but can't find it amongst others because the key ID isn't the same as my SR username (imagine they have a lot of keys to go through). It was originally suggested to me that my SR username and PGP key ID don't match, but too many sellers told me they lost my key amongst the others, so I changed it.
-
> /\ That's how I've found most vendors prefer it. Also, I get a lot of replies saying they imported my key but can't find it amongst others because the key ID isn't the same as my SR username (imagine they have a lot of keys to go through). It was originally suggested to me that my SR username and PGP key ID don't match, but too many sellers told me they lost my key amongst the others, so I changed it.
Yeah, you should have a key that you use only on SR that has your SR handle. It's nearly impossible to associate the keys otherwise.
-
So, is it a common practice on here to make your public key decrypt code equal to your SR user ID? If that's the case, why do we use the vendor's and buyer's public keys? Why not just both use the same key (the vendor's)?
Sorry, probably a newbie comment, but am I to assume vendors like buyers including our public key in checkout so they can use it to PM encrypted communication later if necessary?
-
...have experienced some vendors specifying really arbitrary details on creation of their key, that is indistinguishable from their name/username...making it difficult to manage/recognise their key from my list...
-
> So, is it a common practice on here to make your public key decrypt code equal to your SR user ID? If that's the case, why do we use the vendor's and buyer's public keys? Why not just both use the same key (the vendor's)?
> Sorry, probably a newbie comment, but am I to assume vendors like buyers including our public key in checkout so they can use it to PM encrypted communication later if necessary?
That does not make any sense. I suggest you read up on public key cryptography. You can start with: https://en.wikipedia.org/wiki/Public-key_cryptography
-
...you each need a public key which you make public = distribute.
Your public key is for people to communicate {encrypt messages to...} with you.
And vice versa: they publish their public key for you to use to encrypt a msg to return to them.
If you do not have any public key to send / distribute, there is nothing for you to decrypt, as the other party has nothing to use to send you an encrypted message apart from his own, which only he can decrypt himself, 'cos he knows how...
There are other ways to encrypt messages as you mention, where there is a common key, but then you both are going to have to agree what that key is, and that would probably best suit a situation where you already know each other, i.e. you pick up the phone and relay / agree the key, and that ain't going to happen on SR...
-
I agree, setting the key email / id to <sruserid>@silkroad is good practice.
It would be nice for buyers/sellers to be able to publish their public keys by some framework. Possibly place a text box that the user can paste their public key into; then the key is passed through gpg to check it's valid. In principle it could also check naming constraints.
Then any user wanting to contact any other could have the option to view/download the recipients key.
-
...i think thats publishing too much information; would suggest SR instead of silkroad....or provide a real addr you want everyone to contact you or make up something...
-
I just use my Tormail address, as that seems to be fairly safe and accessible only from .onion, but I also do, and recommend, just including your key within the body of your message before you encrypt it with the recipient's public key. Sometimes it's also good to sign it, depending on how well you know them/trust them as well.
-
Signing a message to someone to whom you are sending your public key because they did not have it before seems pretty pointless from an authentication standpoint. I suppose it can be used to prove that you are indeed in possession of the matching private key, but I don't see any real value in that, since if you don't have the private key you won't be able to read an encrypted response.
-
Well, you aren't signing your message, you are signing the encrypted message; it's a small step, but it validates that the originally encrypted message hasn't been tampered with. I don't think it 'protects' any more than other measures, but say you ask someone to email you off of SR: they may not have the same email address as in their key, or they may not have any email address in their key, so it validates it's the individual you believe it is from SR even though the message may originate from a name that is not the same as their name on SR.
-
All I mean to say about the circumstance you suggest is that the receiver would have to trust your public key to begin with for the signature to be worth anything. Anyway I was mostly talking about messages within SR.
-
I think the point trying to be made from the numerous posts from page 1 was to add their public key as a courtesy; it was pasted at the end of the text message.
> Signing a message to someone to whom you are sending your public key because they did not have it before seems pretty pointless from an authentication standpoint. I suppose it can be used to prove that you are indeed in possession of the matching private key, but I don't see any real value in that, since if you don't have the private key you won't be able to read an encrypted response.
...it doesn't prove you have the corresponding private key; it could have been cut & pasted from anywhere.
-
> ...it doesn't prove you have the corresponding private key; it could have been cut & pasted from anywhere.
You're right, I meant whoever signed the message has the corresponding private key. Of course one cannot be sure who that was.
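The exchange the thread keeps describing (buyer imports the vendor's key, encrypts the shipping address with the buyer's own public key pasted underneath, vendor decrypts and imports that key) and the signing question debated just above can be run end to end with GnuPG. The script below is an added example, not something posted in the thread; it assumes GnuPG 2.1 or later is on PATH as gpg, uses two throwaway keyrings under a temp directory so it never touches a real ~/.gnupg, and uses the hypothetical handles teeth90@SR and vendor@SR plus a constructed sample address. It also shows the point the last two posters settle on: the vendor's first decrypt cannot check the buyer's signature (no public key yet), and after importing the key pasted inside the message the same signature verifies, which proves only that whoever signed holds the private key matching the pasted public key, not who that is.

```shell
#!/bin/sh
# Added example (not from the thread). Requires GnuPG 2.1+ ("gpg").
# Two throwaway keyrings: BUYER and VENDOR. Keys are passphrase-less for the
# demo only; never do that with a real key.
set -eu

WORK=$(mktemp -d)
BUYER="$WORK/buyer"
VENDOR="$WORK/vendor"
mkdir -m 700 "$BUYER" "$VENDOR"

# g HOMEDIR args...: run gpg unattended against one of the throwaway keyrings.
g() {
    home=$1; shift
    gpg --homedir "$home" --batch --yes --quiet \
        --pinentry-mode loopback --passphrase '' "$@"
}

# Step 1: each side generates a key pair. The user ID is the SR handle
# (hypothetical handles), so the other side can find it in a crowded keyring.
make_keys() {
    g "$BUYER"  --quick-generate-key 'teeth90@SR' default default never
    g "$VENDOR" --quick-generate-key 'vendor@SR'  default default never
}

# Step 2: the vendor publishes a public key; the buyer imports it before ordering.
fetch_vendor_key() {
    g "$VENDOR" --armor --export 'vendor@SR' > "$WORK/vendor.asc"
    g "$BUYER"  --import "$WORK/vendor.asc"
}

# Step 3: the buyer writes one plaintext (constructed address, then the buyer's
# own armored public key underneath), signs it, and encrypts it to the vendor.
# --trust-model always skips the "key is not certified" refusal in --batch mode.
write_order() {
    {
        printf 'Ship to: Jane Doe, 1 Example Street (constructed sample address)\n\n'
        g "$BUYER" --armor --export 'teeth90@SR'
    } > "$WORK/order.txt"
    g "$BUYER" --trust-model always --local-user 'teeth90@SR' \
        --recipient 'vendor@SR' --armor --sign --encrypt \
        --output "$WORK/order.asc" "$WORK/order.txt"
}

# Step 4: the vendor decrypts and reports the signature status from gpg's
# machine-readable --status-fd lines: NO_PUBKEY until the buyer's key is
# imported, GOODSIG afterwards. gpg exits non-zero when it cannot check the
# signature, but the plaintext is still written, hence "|| true".
vendor_decrypt() {
    g "$VENDOR" --status-fd 2 --output "$WORK/order.plain" \
        --decrypt "$WORK/order.asc" 2> "$WORK/status.txt" || true
    if grep -q '^\[GNUPG:\] GOODSIG' "$WORK/status.txt"; then echo GOODSIG
    elif grep -q '^\[GNUPG:\] NO_PUBKEY' "$WORK/status.txt"; then echo NO_PUBKEY
    else echo UNKNOWN; fi
}

# Step 5: the vendor cuts the armored key block out of the decrypted order and
# imports it. Prints 0 if a key for the buyer's handle is now present, else 1.
import_buyer_key() {
    sed -n '/^-----BEGIN PGP PUBLIC KEY BLOCK-----$/,/^-----END PGP PUBLIC KEY BLOCK-----$/p' \
        "$WORK/order.plain" | g "$VENDOR" --import
    if g "$VENDOR" --list-keys 'teeth90@SR' >/dev/null 2>&1; then echo 0; else echo 1; fi
}

cleanup() {
    gpgconf --homedir "$BUYER"  --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$VENDOR" --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}

# Full exchange: run with "sh thisfile.sh run".
demo() {
    make_keys
    fetch_vendor_key
    write_order
    echo "before import: $(vendor_decrypt)"   # NO_PUBKEY
    echo "import buyer key: $(import_buyer_key)"
    echo "after import:  $(vendor_decrypt)"   # GOODSIG
    cleanup
}
if [ "${1:-}" = run ]; then demo; fi
```

Note that the signature is made before encryption (--sign --encrypt), which is the form gpg recommends and which the decrypting side verifies automatically; a signature over the already-encrypted armor, as one poster describes, would have to be verified separately with gpg --verify. Either way, GOODSIG after the import only binds the message to the key that was pasted in it.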
-
ok then