Author

Topic: Sharing eBay trust data? (Read 2157 times)

legendary
Activity: 1288
Merit: 1080
March 16, 2011, 06:02:21 PM
#18
Ok I get it now.
hero member
Activity: 482
Merit: 501
March 16, 2011, 05:55:54 PM
#17
mmm you seem to be missing the whole point - it /is/ supposed to be automatically parsed.

Why?  It's one time thing, isn'it?  Couldn't a human make the verification?


so say you're running some site like... maybe coinpal Smiley, and you want to allow people to prove to you that they own an ebay account with X feedback. would you prefer to (a) do this automagically with some gpg verification code, or (b) hire a verifymonkey to do it manually?

or, say you're on #bitcoin-otc and someone fairly new is offering a trade, and claims that he has a good ebay or amazon rating. would you rather go to their claimed ebay profile, and manually copy the string and verify gpg key, or run "getebaytrust " (or getamazontrust ) and have automatic verification done for you?

hope you get the idea. Smiley

EDIT: heh, mndrix has stated the issue much more concisely, and with less snark, to boot. Smiley
vip
Activity: 447
Merit: 258
March 16, 2011, 05:54:47 PM
#16
Why?  It's one time thing, isn'it?  Couldn't a human make the verification?

The idea is to facilitate repeated ownership verifications.  So I leave a signature on my ebay account permanently.  CoinPal, OTC and others can all verify that I control the account without my intervention.
legendary
Activity: 1288
Merit: 1080
March 16, 2011, 05:46:54 PM
#15
mmm you seem to be missing the whole point - it /is/ supposed to be automatically parsed.

Why?  It's one time thing, isn'it?  Couldn't a human make the verification?
hero member
Activity: 482
Merit: 501
March 16, 2011, 05:01:40 PM
#14
is there any benefit to going uri-style?

Not much, it's just shorter.  Doesn't really matter anyway.  I think one could just put nothing in front of the base-64, since this data is not supposed to be automatically parsed anyway.


mmm you seem to be missing the whole point - it /is/ supposed to be automatically parsed.
legendary
Activity: 1288
Merit: 1080
March 16, 2011, 04:39:42 PM
#13
is there any benefit to going uri-style?

Not much, it's just shorter.  Doesn't really matter anyway.  I think one could just put nothing in front of the base-64, since this data is not supposed to be automatically parsed anyway.
hero member
Activity: 482
Merit: 501
March 16, 2011, 04:30:56 PM
#12
please check out the rfc for the gpg identity protocol, posted in this thread:
http://wiki.bitcoin-otc.com/wiki/GPG_Identity_Protocol

comments appreciated. Smiley

Instead of "gpg_identity=", what about some URI style format such as "GPG:"?


is there any benefit to going uri-style?
legendary
Activity: 1288
Merit: 1080
March 16, 2011, 01:49:28 AM
#11
please check out the rfc for the gpg identity protocol, posted in this thread:
http://wiki.bitcoin-otc.com/wiki/GPG_Identity_Protocol

comments appreciated. Smiley

Instead of "gpg_identity=", what about some URI style format such as "GPG:"?
hero member
Activity: 482
Merit: 501
March 15, 2011, 10:55:12 PM
#10
please check out the rfc for the gpg identity protocol, posted in this thread:
http://wiki.bitcoin-otc.com/wiki/GPG_Identity_Protocol

comments appreciated. Smiley
legendary
Activity: 1288
Merit: 1080
March 15, 2011, 09:35:38 AM
#9
True.

clearsigned message -> SHA256 -> eBay my world ?

Of course it doesn't help if the eBay account was hacked.

Well, if your account has been hacked, then you need to publish a message saying:

"I used to be xxxx on eBay, but my account was hacked in 20xx."
member
Activity: 75
Merit: 10
March 15, 2011, 03:27:23 AM
#8
actually, posting either just the key or just the id is not enough to verify anything, since i can post /anyone's/ key. what you need to do is post a clearsigned message saying "i, user on ebay, hereby declare my ownership of , as of ", signed with said key.
...
comments appreciated.


True.

clearsigned message -> SHA256 -> eBay my world ?

Of course it doesn't help if the eBay account was hacked.
hero member
Activity: 482
Merit: 501
March 14, 2011, 07:05:58 PM
#7
Well, it's not easy, since you must avoid quotes and anything that look like HTML, but I've managed to put "I am grondilu on eBay" in my contact information section on http://myworld.ebay.com/grondilu.

Carriage returns are skipped, too.

PS.  I've filtered GnuPG's output through xxd -p.  I think it's enough.


yep, that works. unfortunate that they mangle input.

also, i notice that it is possible to create custom categories in the bio - so maybe that can go under 'pgp key' category Smiley
legendary
Activity: 1288
Merit: 1080
March 14, 2011, 06:11:32 PM
#6
Well, it's not easy, since you must avoid quotes and anything that look like HTML, but I've managed to put "I am grondilu on eBay" in my contact information section on http://myworld.ebay.com/grondilu.

Carriage returns are skipped, too.

PS.  I've filtered GnuPG's output through xxd -p.  I think it's enough.
hero member
Activity: 482
Merit: 501
March 14, 2011, 05:40:59 PM
#5
eBay users can post arbitrary text content on their eBay My World pages: http://myworld.ebay.com/$username  A PGP key ID or fingerprint could be posted there.  I believe those pages are world-readable.

yes, i confirm that the myworld pages are in fact world-readable.

mndrix: your comments on my 'standardization' proposal would be appreciated.
hero member
Activity: 482
Merit: 501
March 14, 2011, 05:39:30 PM
#4
actually, posting either just the key or just the id is not enough to verify anything, since i can post /anyone's/ key. what you need to do is post a clearsigned message saying "i, user on ebay, hereby declare my ownership of , as of ", signed with said key.

that'll prove to any onlooker, without having to do any additional steps like sending you encrypted email or whatnot, that you indeed own the key.

(date is included just in case ebay drops usernames, and someone else comes in to use it - the new guy's 'registered at' date would then be later than your posted date.)

now... question is where can one post a persistent bit of text (even a pastebin url) on your ebay account...

as it happens, there's a great place for that - your 'bio' on your 'my world' page ( http://myworld.ebay.com/ ).

we could even fix up some kind of standard, where a signed message containing your ebay nick, keyid, and a datestamp can be fetched by other places (e.g., the OTC bot Smiley ), and once verified with your authed GPG key id, spits out your feedback summary.

the wonders of GPG! Smiley

comments appreciated.
vip
Activity: 447
Merit: 258
March 14, 2011, 05:29:49 PM
#3
eBay users can post arbitrary text content on their eBay My World pages: http://myworld.ebay.com/$username  A PGP key ID or fingerprint could be posted there.  I believe those pages are world-readable.
legendary
Activity: 1288
Merit: 1080
March 14, 2011, 04:56:24 PM
#2
Not an entire public key, but the GnuPG fingerprint would be fine I guess.

You can also qrencode it and show the image in your profile.


PS.  This actually gave me the idea and I've just done exactly this for my avator on this forum Wink

PS#2:  you can also stenography your public key inside the photos of the items you're selling, although I suspect eBay is altering the pictures.

PS#3.  Nah I changed my mind and removed the qrcode 'caus it's ugly.
member
Activity: 75
Merit: 10
March 14, 2011, 04:38:47 PM
#1
Can this be done without breaking eBay's TOS? Some of us have 10 year old eBay accounts will hundreds in positive feedback.

Post a GPG public key in an auction body?

Jump to: