dragonvslinux, so sorry, I was deliberately trying to
not publicly criticize you—much less to start some off-topic flamage in a thread about Timelord2067. I don’t want to derail the thread here; but if you are accusing me of bad PGP practice, well, I have a reputation to maintain!
Why the mere fact that you posted about it make this so obvious? johhnyUA was
the first to publicly call for a signed statement from me, with the appropriate remark that “His pgp keys is well known” and a
handy link. Husna QA has had my public key for a long time; he is the author of the
Indonesian forum PGP tutorial, where I am listed in the credits that I unfortunately can’t read. Both of them replied to my signed statement in the PGP key thread before you did, plus someone else who apparently used Keybase (
please, don’t).
I should clarify that I left neutral feedback with the reference of the verified the public key, hence sounds like me, but I see your point, it could of been someone else. More relevantly, I don't have a problem jumping into this now it seems you are willing to discuss it. Given nobody had thought to leave at minimum neutral feedback referencing any verification (to counter the outdated negative) is beyond me, but that's another topic. If you had responded to my PM, I would of explained this to you privately, but oh well.
First off, I have no issue with you publicly criticizing me, as I have enough public criticisms of my mine of the PGP practice you undertook. At best it was inconsiderate (keep reading), at worst it was dodgy (prior to verifying). I otherwise hadn't seen this request for a signature from you, but also this isn't relevant to the verification process, as you probably know. I saw the johhnyUA's reference to your key which appeared irrelevant to me, as it wasn't an archived link from years ago. I could of checked web archive to see if this fingerprint hadn't been modified or added, but it looked like a rabbit hole to
trust rather than
verification.
There's no point in PGP if you can go back an edit a post and put a new public key or fingerprint in for example, as you probably know, hence the PGP staking thread and archiving scheme (the latter being an obvious basic requirement). Likewise there's no point in PGP if it relies on a few individuals who have access to your public key, but fail to provide either chronological or cryptographic evidence to the fact it belong
ed to you (a past signature, an archived key). Instead it relies on trusting these users, which is against the ethos of public key encryption. The negative trust seemed entirely accurate given there wasn't a way to publicly verify (without exceptions, ie any user) that the public key you used to sign was actually yours, from the past. Ironically this is as much about referencing as it is about PGP practice.
Most relevantly, all of this information that you included in this thread (sig request, public key archive and past signature), wasn't referenced in the PGP thread. 1 solid archive of your key or a past signature would of been enough, but unfortunately neither you nor other PGP users had provided this. Hence the verification, feedback and PMs. You see now, anyone who doubts your authentication, can verify it themself, instead of
trusting other users' confirmation of your key. I hope this ramble makes sense to you.
(that
hadn't previously been staked)
Key management on this forum is a train wreck; and I would not expect for you to find it buried in that disorganized thread. However, it is there—ironically, first brought there by Timelord2067. See below.
You're wrong though, I wasn't trying to help you (sorry). I saw a verification error. Namely, you signing a message without previously staked key and was curious so investigated...
Nope. It’s there—at least the important part, the full fingerprint, (The latter is actually unnecessary for me, since I bound my Bitcoin Forum userid into a PGP key userid.) That was the only stuff sensible to “stake” at a time before the public keyserver network crashed and burned.
As explained above, you didn't
reference any public key archive or previous signature, therefore without investigating, the fingerprint was meaningless. To clarify, yes the manner in which you posted "proof" of your PGP signature was very badly done, your defense of the situation is potentially worse. You still haven't amended your PGP post.
Also, I had
previously staked my PGP key fingerprint with a binding signed message in another “stake” thread. Also, my PGP key fingerprint has been in the signature of
every forum post that I have ever made since December 2017, as may be verified in the
Internet Archive and other sources. —And in my signature in archived messages to
bitcoin-dev,
tor-dev, and elsewhere. —And... I have been at pains to spread my PGP identity root-of-trust fingerprint so far and wide that it should be infeasible even for powerful attackers to fake or erase it everywhere all at once.
Yes I know you staked your key in other thread, because I searched for the key and that was the signature (in combination with the other) I used to actually verify your identity, without a shadow of a cryptographic doubt. Obviously
archived keys and fingerprints are more convenient or common, but also harder to find. Again, these are all great references you are providing that could of saved me (or anyone else) a little digging, and I recommend you use these next time in your PGP practices, but ultimately: nevermind.
I am glad that you put so much effort into verifying my key. Cryptographic authentication is important in the small, to protect my account from theft, and important in the large, to ward off Faketoshi-style scams. However, neither johhny, Husna, nor I made any “error” here; and really, there was no need for you to out yourself in this thread.
This is pecisely why I investigated your signature to be honest, with what appeared to be (on the face of it) a "fresh" key (ie, not staked & archived reference), along with two users jumping in to verify it without referencing enough evidence, it all seemed a bit dodgy. The ways in which humans can fool each other is with these "slight of hands" (such as the infamous CSW fake signature), and is precisely why we should always investigate these matters instead trusting others. Remember when people trusted Gavin, because he trusted CSW's signature? This is the biggest weakness in PGP, the ability to deceive another with faked verification.
To clarify why I wasn't doing it to help you, I was doing so because I hadn't starting noticing your posts that were either interesting or useful, and had send you merit. When I saw your PGP signature, without an archived key (or reference to one), I felt the need to investigate myself, given the feeling of minimal responsibility by sending you merit. Hence why at best your PGP practice was not only incomplete, but also inconsiderate to other PGP users (such as myself who had a "vested interest" in being able to verify your identity).
In summary, if you fail to understand that PGP is intended so that
everyone can verify someone (or something's) authentication, with concrete evidence and references, then I can't help you. Likewise, if you don't understand the value of giving the accessibility to the average PGP user to verify authentication themself, then I can't convince you. Nonetheless, apology accepted, not that it was required as I wasn't offended in the first place to be honest - more confused by your off-topic "PM-worthy" passing mention of my actions.
Don't trust, verify.Disclaimer for skimreaders: nullius's key is verified, this is not questioning the validity of the authentication, but of the PGP practice that was undertaken.
