this post was submitted on 26 Jul 2023
33 points (100.0% liked)

Ask Science

8694 readers
16 users here now

Ask a science question, get a science answer.


Community Rules


Rule 1: Be respectful and inclusive.Treat others with respect, and maintain a positive atmosphere.


Rule 2: No harassment, hate speech, bigotry, or trolling.Avoid any form of harassment, hate speech, bigotry, or offensive behavior.


Rule 3: Engage in constructive discussions.Contribute to meaningful and constructive discussions that enhance scientific understanding.


Rule 4: No AI-generated answers.Strictly prohibit the use of AI-generated answers. Providing answers generated by AI systems is not allowed and may result in a ban.


Rule 5: Follow guidelines and moderators' instructions.Adhere to community guidelines and comply with instructions given by moderators.


Rule 6: Use appropriate language and tone.Communicate using suitable language and maintain a professional and respectful tone.


Rule 7: Report violations.Report any violations of the community rules to the moderators for appropriate action.


Rule 8: Foster a continuous learning environment.Encourage a continuous learning environment where members can share knowledge and engage in scientific discussions.


Rule 9: Source required for answers.Provide credible sources for answers. Failure to include a source may result in the removal of the answer to ensure information reliability.


By adhering to these rules, we create a welcoming and informative environment where science-related questions receive accurate and credible answers. Thank you for your cooperation in making the Ask Science community a valuable resource for scientific knowledge.

We retain the discretion to modify the rules as we deem necessary.


founded 1 year ago
MODERATORS
 

I saw that people on the dark web would sign their posts with a PGP key to prove that their account has not been compromised. I think I understand the concept of how private and public keys work but I must be missing something because I don't see how it proves anything.

I created a key and ran gpg --export --armor fizz@... and I ran that twice and both blocks were identical. If I posted my public key block couldn't someone copy and paste that under their message and claim to be me?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 6 points 1 year ago (2 children)

I am probably at a similar experience level to OP and have wondered the following: is there a commonly used, or agreed upon repository for identity verification with PGP or similar? It would be a useful thing to use, the problem is that if you're posting something to a public space, not everyone may have access to your public key for verification. Including the key in the message doesn't seem like it would help much, since someone else could just generate two new keys and still claim to be you without any affiliation. Am I wrong about this? Thanks.

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (1 children)

If this is some kind of messaging board, you'd probably put your public key in your profile (I assume that since OP is talking about the dark web that the posters there would rather not share their actual identity).

Let's talk about Alice, Bob and Eve. Alice is an active poster on a dark web forum. She puts her public key on her profile and uses the corresponding private key to sign her messages. If Eve wants to pretend to be Alice, Eve can simply put her own public key on her profile and sign messages with her own private key. But Bob is smart. Rather than just looking at the profile of the poster and copying their key every time, Bob saved it in his key store and assigned it to Alice (possibly even marked it as trusted). When Bob sees a post by Eve, he'll try to validate it. This validation might succeed (if Bob has access to Eve's public key), but it will be clear that the message wasn't signed by Alice's key.

Of course, this all assumes that Bob has quite some knowledge of how this works and is vigilant enough to perform all these validations correctly.

As for the regular internet, there are some services where you can share your public key: keys.openpgp.org is one of these. Of course, as /u/[email protected] says, there's still the matter of trust. You need to make sure that the public key you're using is actually from the right person.

[–] [email protected] 1 points 1 year ago

That's exactly my point. The gold standard would be a key signing party, but given that humans don't tend to talk to each other in meat space much these days, it's more of a rare occurrence than it used to be. I don't really know what the ideal solution would be that would be a good mix of trust, privacy, and ease of use though.

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago)

Key signing parties used to be the thing to do at conferences - imagine a line of people, sheets of paper listing all their key fingerprints, and people showing ID to each other.