How do you feel about asking for over $10.000 (I'm bad at counting) for generated keys while GPG is desperately looking for donors? How do you feel about the ethics of your project in general? It looks a lot like domain parking to me.
By all means donate to GnuPG, but do so directly instead of encouraging bad practice (such as letting someone else generate the key for you).
If you are just playing around and generate a vanity/compromised key then verifying the key id is not useful, hence you don't need it to be easy to remember, which negates the reason for generating a vanity key in the first place.
I agree, this service should never be used for any serious real-life usage. But this is a _vanity_ key service, and there are legitimate uses for such keys where no harm can be done.
I'm mainly interested in raising awareness to GnuPG and get more people using it - I also organize CryptoParties [1] in my area, exactly for this purpose.
How do you raise awareness and educate people by selling them conceptionally broken keys? They will get used to "someone else is creating the key for me", as well as to "GPG fingerprints should look like funny words, not 17AB42DE!".
For testing and explaining GPG to people, nobody needs vanity keys. You don't raise awareness for GPG by having "DEADBEEF" on your business card.
Is there a technical way to implement a service like that in a non-compromising way? I.e. user sends you his public key, you brute-force some nonce value, until the key's ID is "nice"?
Non-native speaker here, I didn't even know what "vanity" means, just ignored it as noise-word :) Well, after looking it up, I still am not sure that I understand what it means :).
vanity base word is vane; or to be so focused on how pretty or appealling you are to others. often used when talking about asthetically pleasing names when talking about tech stuff (vanity hostnames for example.. dns names which are excessively showy, this used to be common on IRC to look "cool").
> Is there a technical way to implement a service like that in a non-compromising way? I.e. user sends you his public key, you brute-force some nonce value, until the key's ID is "nice"?
Sorry but no. This makes your private key compromised by default...
The most important rule of public key encryption is... Never (really!) let anybody else handle your private key...
And why should I trust some random website for not storing an extra copy? The keys are definitely not "... as secure as if you have generated them by yourself. ". Because, if I generate them, I know that my box is the only one that had ever touched it...
Once GnuPG supports ECDSA (hopefully, in the near future, there's a branch with some of the code already implemented) I'll be happy to switch the service to this secure method!
I thought that if the user changes the passphrase[1] it could be done... But since the keys (private/public) remain the same, doesn't make any sense in this scenario. As I understand this (didn't try it) you could have 2 computers, same private/public keys different passphrase on each computer.
I feel like it might be time for us to stop bashing hipsters and instead reach out to them so that they don't actually use services like this one. Writing a blog post (or a shell script) that explains how to generate fancy keys would certainly be more useful.
Interesting way to earn BTC. Instead of "just" investing [GC]PU power, you invest CPU power and then sell the result.
In this sense, it's probably more efficient (both power and money wise) than mining for BTC directly, but it still feels like a waste of energy to me. Waste, because I don't think anyone with security in mind would buy a private key off some random website and anyone with no security in mind would never get the idea to buy a GPG key.
Also, I'm still wondering why "FF8243E1" costs 5$. Because it's only 7 out of 8 possible different characters?
$5 is the lowest tier of keys with no actual significance. I believe that's a reasonable price when you consider the overhead of running this operation.
"5$ is the price for something worthless." -- Did I read this correctly?
I can see how you would sell keys with fingerprints like "1234BEEF" for 100 bucks, but those 5$ keys are just ... I don't get it. But that's okay, it's not the first time I don't understand why people spend money on something ;-)
I'm really dumbfounded and thinking maybe I should just start a slick looking minimal website with a random number generator and a payment form. This way I can sell interesting sequences of numbers. I could avoid the whole mess of generating keys, since this is about as useful as painting a house with a five hundred pound bomb.
Thank you for pointing to the AUR, another great example of where you should never trust the maintainer blindly and _ALWAYS_ inspect the PKGBUILD yourself before installing.
60%? Given that you're using BTC the costs involved here are minimal, considering that there's no practical use for these keys where's the value justifying your 40%?
I'd invite folks reading this to donate directly to https://www.gnupg.org/donate/ and ensure 100% of your charity reaches the folks & help them attain their funding goal + keep one of the most essential tools under active development.
Interesting concept, but no. People should not be having a 3rd party generating their keys.
If people want a vanity short key ID, then educating them on how OpenPGP packets work, and how the fingerprint is generated from the timestamp is the right way to go. Teach a man to fish.
Here is some Java code that creates a partial collision on the fingerprint for the desired short key ID:
"I have not heard about it but given that the Wau Holland Stiftung is collecting GnuPG donations also via Bitcoin, it is likely that this can't be tracked.
However, if that processing power is used to find many dups for long keyids we will sooner or later neet to invest work to mitigate the effect of this (e.g. adding a fingerprint as signed attribute to each signature)."
53 comments
[ 3.1 ms ] story [ 108 ms ] threadI was wondering how exactly are the keys priced.
I'll happily donate 60% of the profits from the service to GnuPG. Let's use this opportunity to fund GnuPG.
You buying? :)
Using an untrusted 3rd party service to generate a public/private key pair is like asking a thief to sell you a new door lock.
I'm mainly interested in raising awareness to GnuPG and get more people using it - I also organize CryptoParties [1] in my area, exactly for this purpose.
[1] - https://cryptoparty.in/
For testing and explaining GPG to people, nobody needs vanity keys. You don't raise awareness for GPG by having "DEADBEEF" on your business card.
Non-native speaker here, I didn't even know what "vanity" means, just ignored it as noise-word :) Well, after looking it up, I still am not sure that I understand what it means :).
No. That is not possible.
The most important rule of public key encryption is... Never (really!) let anybody else handle your private key...
And why should I trust some random website for not storing an extra copy? The keys are definitely not "... as secure as if you have generated them by yourself. ". Because, if I generate them, I know that my box is the only one that had ever touched it...
[1] http://security.stackexchange.com/questions/37510/when-chang...
In this sense, it's probably more efficient (both power and money wise) than mining for BTC directly, but it still feels like a waste of energy to me. Waste, because I don't think anyone with security in mind would buy a private key off some random website and anyone with no security in mind would never get the idea to buy a GPG key.
Also, I'm still wondering why "FF8243E1" costs 5$. Because it's only 7 out of 8 possible different characters?
I can see how you would sell keys with fingerprints like "1234BEEF" for 100 bucks, but those 5$ keys are just ... I don't get it. But that's okay, it's not the first time I don't understand why people spend money on something ;-)
[1] - https://keybase.io
Aren't you tired of boring, bland, random passwords?
For just $5 I'll generate you a beautiful, memorable vanity password that you can use for everything and show off to your friends!
See my profile for contact info. Limited time offer!
Whats next, vanity passwords?
EDIT: reading the comments from the author yuvadam below, its obvious we are being trolled
EDIT2: now i'm getting scared. i wouldn't want software from this guy near my machines https://aur.archlinux.org/packages/?SeB=m&K=yuvadm
I'd invite folks reading this to donate directly to https://www.gnupg.org/donate/ and ensure 100% of your charity reaches the folks & help them attain their funding goal + keep one of the most essential tools under active development.
I severely doubt the guy who develops GnuPG (Werner Koch) would approve of this.
[edit] This is the worse thing I've ever seen on Hacker News.
If people want a vanity short key ID, then educating them on how OpenPGP packets work, and how the fingerprint is generated from the timestamp is the right way to go. Teach a man to fish.
Here is some Java code that creates a partial collision on the fingerprint for the desired short key ID:
http://www.halfdog.net/Projects/PgpKeyTools/KeyGenDSA.java
http://lists.gnupg.org/pipermail/gnupg-users/2015-January/05...
"I have not heard about it but given that the Wau Holland Stiftung is collecting GnuPG donations also via Bitcoin, it is likely that this can't be tracked.
However, if that processing power is used to find many dups for long keyids we will sooner or later neet to invest work to mitigate the effect of this (e.g. adding a fingerprint as signed attribute to each signature)."