Silk Road forums

Discussion => Silk Road discussion => Topic started by: teeth90 on December 02, 2011, 04:17 pm

Title: how do you get your pub key to your vendor?
Post by: teeth90 on December 02, 2011, 04:17 pm
i generally send it in a pm before i place the order, but i am wondering if just placing my public key and my message in the shipping box after an order is placed is a more efficient method. especially with top vendors who are dealing with dozens of orders a day. would putting it in the shipping address box be less secure? or am i the only one who does it separately?
Title: Re: how do you get your pub key to your vendor?
Post by: lrp72 on December 02, 2011, 05:03 pm
I think people do it both ways - me, I usually encrypt my public key right along with my shipping address all in the same message in the shipping box when I place an order.  I haven't had complaints, so hopefully that works out ok.  Saves site reloading time anyway for both of us. :)
Title: Re: how do you get your pub key to your vendor?
Post by: MagicMan on December 02, 2011, 05:40 pm
It depends for me, if I need to communicate with a vendor before I make a purchase then I send them a message encrypted with their key with my key contained within that message, If I don't need to communicate with them I just include my key in the shipping address box. Never had any complaints like that so it works for me.
Title: Re: how do you get your pub key to your vendor?
Post by: chronicpain on December 02, 2011, 05:46 pm
I have had many put their address encrypted with my key and then underneath it put their key... also, they have pm'd me the same way...
Title: Re: how do you get your pub key to your vendor?
Post by: SlimScott on December 03, 2011, 03:19 pm
If I'm just flat out making an order with no pre-arrangement, I paste my key underneath my encrypted message in the order box. Haven't had any problems so far.
Title: Re: how do you get your pub key to your vendor?
Post by: Rook on December 03, 2011, 08:55 pm
I think people do it both ways - me, I usually encrypt my public key right along with my shipping address all in the same message in the shipping box when I place an order.  I haven't had complaints, so hopefully that works out ok.  Saves site reloading time anyway for both of us. :)

As a vender, I prefer this way the best.  Just include your public key, encrypted, just below your address.

I don't like PM's with public keys as they clutter the inbox although sometimes it's nice to have it archived. 
Title: Re: how do you get your pub key to your vendor?
Post by: Aoth14 on December 03, 2011, 09:21 pm
/\ Thats how I've found most vendors prefer it. Also, I get a lot of replys saying they imported my key, but can't find it amongst  others because the key ID isnt the same as my SR username (imagine they have a lot of keys to go through). It was originally suggested to me that my SR username and pgp key ID don't match,but too many sellers told me they lost my key amongst the others,so I changed it.
Title: Re: how do you get your pub key to your vendor?
Post by: Rook on December 04, 2011, 12:51 am
/\ Thats how I've found most vendors prefer it. Also, I get a lot of replys saying they imported my key, but can't find it amongst  others because the key ID isnt the same as my SR username (imagine they have a lot of keys to go through). It was originally suggested to me that my SR username and pgp key ID don't match,but too many sellers told me they lost my key amongst the others,so I changed it.

Yea, you should have a key that you use only on SR that has your SR handle. It's nearly impossible to associate the keys otherwise
Title: Re: how do you get your pub key to your vendor?
Post by: breeze09 on December 04, 2011, 01:08 am
so, it is a common practice on here to make your public key decrypt code = to your SR userid?  If that's the case, why do we use the vendor and buyers public keys?  Why not just both use the same key (the vendor)?

Sorry, probably a newbie comment.  but am i to assume vendors like buyers including our public key in checkout so they can use it to PM encrypted communication later if necessary?
Title: Re: how do you get your pub key to your vendor?
Post by: TravellingWithoutMoving on December 04, 2011, 04:44 am
...have experienced some vendors specifying really arbitrary details on creation of their key, that is indistinguishable from their name/username...making it difficult to manage/recognise their key from my list...
 
Title: Re: how do you get your pub key to your vendor?
Post by: DrBenway on December 04, 2011, 07:57 am
so, it is a common practice on here to make your public key decrypt code = to your SR userid?  If that's the case, why do we use the vendor and buyers public keys?  Why not just both use the same key (the vendor)?

Sorry, probably a newbie comment.  but am i to assume vendors like buyers including our public key in checkout so they can use it to PM encrypted communication later if necessary?

That does not make any sense. I suggest you read up on public key cryptography. You can start with: https://en.wikipedia.org/wiki/Public-key_cryptography
Title: Re: how do you get your pub key to your vendor?
Post by: TravellingWithoutMoving on December 04, 2011, 10:24 am
..you each need a publc key which you make public = distribute.
your public key is for people to communicate {encrypt messages to..}  with you.
and visa versa -they publish their public key for you to use to encrypt a msg to return to them.

if you do not have any public key to send / distribute, there is nothing for you to decrypt, as the other party has nothing to use to send you an encrypted message apart from his own which only he can decrypt himself -cos he knows how...

there are other ways to encrypt messages as you mention, where there is a common key -but then you both are going to have to agree what that key is and would probably best suit a situation where you already know each other....ie you pick up the phone and relay / agree the key -and that aint going to happen on SR...
Title: Re: how do you get your pub key to your vendor?
Post by: fruity on December 05, 2011, 12:22 am
I agree, setting the key email / id to <sruserid>@silkroad is good practice.

It would be nice for buyers/sellers to be-able to publish their public keys by some framework. Possibly place a text box that the user can paste their public key into, then the key is passed through gpg to check its valid. In principle it could also check naming constraints.

Then any user wanting to contact any other could have the option to view/download the recipients key.
Title: Re: how do you get your pub key to your vendor?
Post by: TravellingWithoutMoving on December 05, 2011, 02:11 am
...i think thats publishing too much information; would suggest SR instead of silkroad....or provide a real addr you want everyone to contact you or make up something...
Title: Re: how do you get your pub key to your vendor?
Post by: Looker on December 06, 2011, 03:02 am
I just use my tormail address as that seems to be fairly safe and accessible only from .onion but I also do, and recommend just including your key within the body of your message before you encrypt it with the recipients public key. Sometimes it's also good to sign it depending on how well you know them/trust them as well
Title: Re: how do you get your pub key to your vendor?
Post by: DrBenway on December 06, 2011, 03:16 am
Signing a message to someone whom you are sending your pubic key because they did not have it before seems pretty pointless from an authentication standpoint. I suppose it can be used to prove that you are indeed in possession of the matching private key, but I don't see any real value in that, since if you don't have the private key you won't be able to read an encrypted response.
Title: Re: how do you get your pub key to your vendor?
Post by: Looker on December 06, 2011, 05:28 am
well you aren't signing your message, you are signing the encrypted message it's a small step but validates that the originally encrypted message hasn't been tampered with. I don't think it 'protects' any more than other measures but say you ask someone to email you off of SR they may not have the same email address as in their key or they may not have any email address in their key so it validates it's the individual you believe it is from SR even though the message may originate from a name that is not the same as their name on SR.
Title: Re: how do you get your pub key to your vendor?
Post by: DrBenway on December 06, 2011, 06:13 am
All I mean to say about the circumstance you suggest is that the receiver would have to trust your public key to begin with for the signature to be worth anything. Anyway I was mostly talking about messages within SR.
Title: Re: how do you get your pub key to your vendor?
Post by: TravellingWithoutMoving on December 06, 2011, 06:13 am
i think the point trying to be made from the numerous posts from page 1 was to add their public key as a  courtesy -its was pasted at the end of the text message.

Signing a message to someone whom you are sending your pubic key because they did not have it before seems pretty pointless from an authentication standpoint. I suppose it can be used to prove that you are indeed in possession of the matching private key, but I don't see any real value in that, since if you don't have the private key you won't be able to read an encrypted response.

..it doesn't prove you have the corresponding private key, it could have been cut & pasted from anywhere.
Title: Re: how do you get your pub key to your vendor?
Post by: DrBenway on December 06, 2011, 06:18 am
..it doesn't prove you have the corresponding private key, it could have been cut & pasted from anywhere.

You're right, I meant whoever signed the message has the corresponding private key. Of course one cannot be sure who that was.
Title: Re: how do you get your pub key to your vendor?
Post by: TravellingWithoutMoving on December 06, 2011, 06:33 am
ok then