[–]Drewski (9 children)

Would like to see these posted with a GPG signature.

[–]magnora7[S] (8 children)

I don't think that increases authenticity or security at all imo, as they're extremely easy to fake.

[–]Drewski (7 children)

Of course you have to trust that you're getting the public key from a legitimate source initially, but after you've added a public key to your keychain AFAIK there is no known way to fake a signed message unless I'm missing something.

[–]magnora7[S] (6 children)

I guess I don't understand how it's any different from me simply posting or not posting the thing in the first place? I just don't understand the benefit I guess. The fact the magnora7 account is posting the canary on saidit is the signature. What security does a GPG signature add beyond this already-existing proof of identity?

[–]Drewski (4 children)

Right, so we're initially trusting that you are who you say you are when you share your public key. After that though, we can verify messages signed by you as being authentic (as long as you protect your private key sufficiently). If anything were to happen to Saidit, or if your account were compromised, you could verify your identity with a signed message. It would also prevent the possibility of modifying a past post or canary because of the timestamp. Also you could use it to communicate securely, in case anyone needed to send you an encrypted message. It's not foolproof, but it does provide some additional security backed by strong cryptography.

[–]magnora7[S] (3 children)

Interesting, but I feel as though if I was in a situation where my saidit account was compromised, then my key would also probably be compromised. The idea about it being useful to verify who I am if I have to change accounts is interesting. What software is required to make it work?

[–]Drewski (1 child)

If you're on Linux, most distros have it built in with GnuPG. For Windows, there's Gpg4win. It can be used via the command line or the GPA front end.

[–]magnora7[S] (0 children)

Thanks, maybe I'll give it a go.
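
The sign-and-verify workflow discussed in this thread, as an added example that is not part of any commenter's post: it clearsigns a canary with the GnuPG command line, verifies it, and shows that an edited copy fails verification. It assumes GnuPG 2.1 or later on the PATH; the throwaway keyring, the identity `canary@example.invalid`, and the canary text are all constructed for the demo.

```shell
#!/bin/sh
# Added example: sign a canary with GnuPG, verify it, detect a later edit.
# Constructed for illustration: throwaway keyring, demo identity, sample text.

canary_demo_setup() {
    # Isolated keyring so the demo never touches ~/.gnupg
    GNUPGHOME="$(mktemp -d)" && export GNUPGHOME && chmod 700 "$GNUPGHOME" || return 1
    WORK="$(mktemp -d)" || return 1
    # Unprotected ed25519 signing key, demo only; a real key gets a passphrase
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Canary Demo <canary@example.invalid>' ed25519 sign never \
        2>/dev/null || return 1
    printf 'Warrant canary (constructed sample)\nNo secret orders received as of 2024-01-01.\n' \
        > "$WORK/canary.txt"
}

sign_canary() {
    # Clearsign keeps the text readable and appends an ASCII-armored signature
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --local-user canary@example.invalid \
        --output "$WORK/canary.txt.asc" --clearsign "$WORK/canary.txt"
}

verify_canary() {
    # Exit status 0 only if the signature matches the exact signed text
    gpg --batch --quiet --verify "$1" 2>/dev/null
}

tamper_canary() {
    # Simulate someone editing the posted canary after it was signed
    sed 's/No secret orders/Some secret orders/' "$WORK/canary.txt.asc" \
        > "$WORK/tampered.asc"
}

canary_demo_cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME" "$WORK"
}

trap canary_demo_cleanup EXIT
canary_demo_setup && sign_canary && tamper_canary || exit 1
verify_canary "$WORK/canary.txt.asc" && echo "original: good signature"
verify_canary "$WORK/tampered.asc"   || echo "tampered: verification failed"
```

Readers would import the poster's public key once with `gpg --import` and then run the same `gpg --verify` on each new canary.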