Ok I get it now.
Topic: Sharing eBay trust data? (Read 2136 times)
mmm you seem to be missing the whole point - it /is/ supposed to be automatically parsed.
Why? It's one time thing, isn'it? Couldn't a human make the verification?
so say you're running some site like... maybe coinpal
, and you want to allow people to prove to you that they own an ebay account with X feedback. would you prefer to (a) do this automagically with some gpg verification code, or (b) hire a verifymonkey to do it manually?or, say you're on #bitcoin-otc and someone fairly new is offering a trade, and claims that he has a good ebay or amazon rating. would you rather go to their claimed ebay profile, and manually copy the string and verify gpg key, or run "getebaytrust
hope you get the idea.
EDIT: heh, mndrix has stated the issue much more concisely, and with less snark, to boot.
Why? It's one time thing, isn'it? Couldn't a human make the verification?
The idea is to facilitate repeated ownership verifications. So I leave a signature on my ebay account permanently. CoinPal, OTC and others can all verify that I control the account without my intervention.
mmm you seem to be missing the whole point - it /is/ supposed to be automatically parsed.
Why? It's one time thing, isn'it? Couldn't a human make the verification?
is there any benefit to going uri-style?
Not much, it's just shorter. Doesn't really matter anyway. I think one could just put nothing in front of the base-64, since this data is not supposed to be automatically parsed anyway.
mmm you seem to be missing the whole point - it /is/ supposed to be automatically parsed.
is there any benefit to going uri-style?
Not much, it's just shorter. Doesn't really matter anyway. I think one could just put nothing in front of the base-64, since this data is not supposed to be automatically parsed anyway.
please check out the rfc for the gpg identity protocol, posted in this thread:
http://wiki.bitcoin-otc.com/wiki/GPG_Identity_Protocol
comments appreciated.
http://wiki.bitcoin-otc.com/wiki/GPG_Identity_Protocol
comments appreciated.
Instead of "gpg_identity=", what about some URI style format such as "GPG:"?
is there any benefit to going uri-style?
please check out the rfc for the gpg identity protocol, posted in this thread:
http://wiki.bitcoin-otc.com/wiki/GPG_Identity_Protocol
comments appreciated.
http://wiki.bitcoin-otc.com/wiki/GPG_Identity_Protocol
comments appreciated.
Instead of "gpg_identity=", what about some URI style format such as "GPG:"?
please check out the rfc for the gpg identity protocol, posted in this thread:
http://wiki.bitcoin-otc.com/wiki/GPG_Identity_Protocol
comments appreciated.
http://wiki.bitcoin-otc.com/wiki/GPG_Identity_Protocol
comments appreciated.
True.
clearsigned message -> SHA256 -> eBay my world ?
Of course it doesn't help if the eBay account was hacked.
clearsigned message -> SHA256 -> eBay my world ?
Of course it doesn't help if the eBay account was hacked.
Well, if your account has been hacked, then you need to publish a message saying:
"I used to be xxxx on eBay, but my account was hacked in 20xx."
actually, posting either just the key or just the id is not enough to verify anything, since i can post /anyone's/ key. what you need to do is post a clearsigned message saying "i, user on ebay, hereby declare my ownership of , as of ", signed with said key.
...
comments appreciated.
...
comments appreciated.
True.
clearsigned message -> SHA256 -> eBay my world ?
Of course it doesn't help if the eBay account was hacked.
Well, it's not easy, since you must avoid quotes and anything that look like HTML, but I've managed to put "I am grondilu on eBay" in my contact information section on http://myworld.ebay.com/grondilu.
Carriage returns are skipped, too.
PS. I've filtered GnuPG's output through xxd -p. I think it's enough.
Carriage returns are skipped, too.
PS. I've filtered GnuPG's output through xxd -p. I think it's enough.
yep, that works. unfortunate that they mangle input.
also, i notice that it is possible to create custom categories in the bio - so maybe that can go under 'pgp key' category
Well, it's not easy, since you must avoid quotes and anything that look like HTML, but I've managed to put "I am grondilu on eBay" in my contact information section on http://myworld.ebay.com/grondilu.
Carriage returns are skipped, too.
PS. I've filtered GnuPG's output through xxd -p. I think it's enough.
Carriage returns are skipped, too.
PS. I've filtered GnuPG's output through xxd -p. I think it's enough.
eBay users can post arbitrary text content on their eBay My World pages: http://myworld.ebay.com/$username A PGP key ID or fingerprint could be posted there. I believe those pages are world-readable.
yes, i confirm that the myworld pages are in fact world-readable.
mndrix: your comments on my 'standardization' proposal would be appreciated.
actually, posting either just the key or just the id is not enough to verify anything, since i can post /anyone's/ key. what you need to do is post a clearsigned message saying "i, user on ebay, hereby declare my ownership of , as of ", signed with said key.
that'll prove to any onlooker, without having to do any additional steps like sending you encrypted email or whatnot, that you indeed own the key.
(date is included just in case ebay drops usernames, and someone else comes in to use it - the new guy's 'registered at' date would then be later than your posted date.)
now... question is where can one post a persistent bit of text (even a pastebin url) on your ebay account...
as it happens, there's a great place for that - your 'bio' on your 'my world' page ( http://myworld.ebay.com/ ).
we could even fix up some kind of standard, where a signed message containing your ebay nick, keyid, and a datestamp can be fetched by other places (e.g., the OTC bot ), and once verified with your authed GPG key id, spits out your feedback summary.
the wonders of GPG!
comments appreciated.
that'll prove to any onlooker, without having to do any additional steps like sending you encrypted email or whatnot, that you indeed own the key.
(date is included just in case ebay drops usernames, and someone else comes in to use it - the new guy's 'registered at' date would then be later than your posted date.)
now... question is where can one post a persistent bit of text (even a pastebin url) on your ebay account...
as it happens, there's a great place for that - your 'bio' on your 'my world' page ( http://myworld.ebay.com/
we could even fix up some kind of standard, where a signed message containing your ebay nick, keyid, and a datestamp can be fetched by other places (e.g., the OTC bot
), and once verified with your authed GPG key id, spits out your feedback summary.the wonders of GPG!
comments appreciated.
eBay users can post arbitrary text content on their eBay My World pages: http://myworld.ebay.com/$username A PGP key ID or fingerprint could be posted there. I believe those pages are world-readable.
Not an entire public key, but the GnuPG fingerprint would be fine I guess.
You can also qrencode it and show the image in your profile.
PS. This actually gave me the idea and I've just done exactly this for my avator on this forum
PS#2: you can also stenography your public key inside the photos of the items you're selling, although I suspect eBay is altering the pictures.
PS#3. Nah I changed my mind and removed the qrcode 'caus it's ugly.
You can also qrencode it and show the image in your profile.
PS. This actually gave me the idea and I've just done exactly this for my avator on this forum
PS#2: you can also stenography your public key inside the photos of the items you're selling, although I suspect eBay is altering the pictures.
PS#3. Nah I changed my mind and removed the qrcode 'caus it's ugly.
Can this be done without breaking eBay's TOS? Some of us have 10 year old eBay accounts will hundreds in positive feedback.
Post a GPG public key in an auction body?
Post a GPG public key in an auction body?
Jump to: