554000+ entries in 0.361s
davout: meh, it's not like
that person could steal stuff or anything
undata: davout: because no one ever once was opped in a chan
that shouldn't have been
davout: the
thing is
that, whatever
turd comes along is necessarily given by someone who has voice in assets, so by very definition, not a
turd
undata: surely one can do better
than stamping any
turd
that comes along
davout: because
the notary doesn't enforce or verify anything, just certifies
that something existed at some point of
time
undata: and how does one move
the process
to another protocol later
undata: the fuck is
the point of even having gpg involved
then?
undata: so you're going
to rely on
the IRC protocol and not gpg?
davout: well, let's light some jasmine candles and
talk about our feelings
then
davout: for all i care
the bot could hang out in -assets, and notarize whatever is asked from whoever has voice, sounds like
the simplest straight-to-the-point approach
to me
davout: undata:
the notary doesn't enforce
the agreement so why bother verifying
the signature at all
assbot: Logged on 30-08-2014 00:59:50; mircea_popescu:
this way you don't have
to keep updated keyrings locally or verify signatures in any wya
undata: davout: isn't
the whole point of a notary verifying
the identities of
the parties involved
then verifying
that an agreement has
taken place?
davout: but if you'd be ok with having some API call simply return
the array of fingerprints in realtime,
that'd be
the easiest deedbot-wise :D
undata: why is it not necessary
to verify signatures before notarizing?
davout: kakobrekla:
tbh if verifying
the signature on notarized data is not considered necessary i don't
think it's a big issue if
the dump is unsigned
kakobrekla: the problem with signing
that dump is automation and keeping
the key on boxen
davout: it still boils down
to a fpr <-> keyid mapping
tho, not
that
this is evil _for
this particular purpose_ but still
davout: kakobrekla: if a 24h delay between asswot registration and ability
to notarize is acceptable
that would work
undata: the dump seems like
the most straightforward
thing
to me
davout: kakobrekla: is
there a way
to easily get an array of asswotted fingerprints?
davout: the version 4 signature subpacket spec isn't
that clear
to me, maybe asciilifeform has some insight
davout: looked at version 3 signature packets, mebbe version 4 includes
them
Apocalyptic: I confess
that surprises me, had imagined
the full fp would be somewhere
Apocalyptic: well according
to what davout said
there is just
the 8 bytes
punkman: I
think
there is, but not 100% sure
Apocalyptic: punkman,
thanks for
the link, but I mean
that
there should be something in
the clearsigned message structures
that clearly identifies
the key
that produced it
davout: -
the last option is kakobrekla getting some moar work
davout: - allow unsigned blobs
to be notarized
davout: - not give a fuck about who signed a
to-be-notarized blob
Apocalyptic: I wonder what
the behaviour is if you have
two pubkeys in your keyring with
the same eight bytes key id and you're
trying
to verify a message
davout: so basically
the options are
davout: Apocalyptic: looking at
the rfc
to see
the clearsigned message structure
Apocalyptic: grep "get_short_fingerprint" in verify.c and see
the related call get_fingerprint_hexstring() which supposedly could get
the full fp
Apocalyptic: davout, re "looks like
this can't be verified correctly without either relying on a keyid as an actual key unique identifier OR keeping a synchronized keyring and actually verifying
the signature" I suspect
there actually is, playing with
the source atm
davout: undata: "the wot is an excellent
tool for making good decisions about establishing
those" <<< sure, but i'm not sure why
the notarization *tool* would enforce
that, i defo don't feel strongly enough about it
to argue
the point either way
davout: oh, and it's ppl who have L1/L2
trust from assbot, a subset from
the wot members sez
the spec
undata: the wot is an excellent
tool for making good decisions about establishing
those
undata: davout:
the deeds are presumably for business arrangements
davout: not really sure why it has
to be restricted
to asseteers but w/e
undata: seems like
the parties wishing
to publish should provide coin
to
the deedbot operator
undata: the hash is
the privkey
davout: other
than
that your understanding seems correct
to me
davout: undata: it doesn't burn
the bitcoins
undata: to summarize what's desired,
the bot accepts signed documents from wot members in good standing only, publishes
them by burning a small amount of btc and uploading
to a site?
Apocalyptic: davout, so you're
taking
the deedbot project ?
kakobrekla: punkman ill set up a daily dump
to files.b-a
undata: plugins can be started and stopped independently of
the core
undata: the networking core is one
thing, and plugins communicate with
that over redis
undata: kakobrekla: yes,
that's what I meant
davout: what *is* specified is
that
the bot must verify
that
the signer has L1/L2 assbot
trust, looks like
this can't be verified correctly without either relying on a keyid as an actual key unique identifier OR keeping a synchronized keyring and actually verifying
the signature
kakobrekla: decoupled bot means
that
the connection process is seperate from all others
undata: you'd write
the deed bit as a plugin
davout: yeah, i put fpr or keyid in url, you spit out
the fpr, actually no
that's dumb
kakobrekla: you still need
to check i didnt give you garbage no
assbot: Logged on 30-08-2014 00:59:50; mircea_popescu:
this way you don't have
to keep updated keyrings locally or verify signatures in any wya
Apocalyptic: sounds
to me like a dubious choice but heh, if mp sez so
davout: punkman: mebbe i'm wrong here, lemme
try and find a reference
davout: kakobrekla: i agree, it's bad if you rely on keyids
to actually identify
the key, but if you output
the actual full fingerprints in
the returned json one can make an educated choice
punkman: pretty sure it has
to be verified
undata considers
the silence an affirmative...
davout: Apocalyptic: yeah, i
think mp mentioned somewhere
that verifying
the sig is not necessary
Apocalyptic: davout, wait, so you're going
to publish
the deed without checking
the signature is legit ?
davout: Apocalyptic: "you have
to validate
the sig" <<< no i don't
think so
undata: davout: you're not going
to write it in ruby are you?
punkman: davout,
there is some combination of options
that will do it for sure, you can look in python-gnupg
davout: it's always possible
to query gribble
to get
the mapping, but
that seems... suboptimal
Apocalyptic: davout, yeah but anyway you would have
the key in your keyring since you have
to validate
the sig
kakobrekla: davout you can search keyserver perhps, but starting
the search wherever with keyid instead of fp is not best idea
undata: however
thouse german articles are going
to do me in
davout: if i don't have
the key in my own keyring it doesn't seem possible
to extract
the fingerprint from a signed message
undata: a shantytown cobbled
together with
the leftovers of other cultures
undata: as for english as I delve into a few other languages on duolingo I find my native
tongue ever more horrifying
undata: ben_vulpes: hah oh
the commit
undata: ben_vulpes:
them being
the feminists you pedant
davout: that would work when listing keys, i can't seem
to get it work when piping a clearsigned msg
to "gpg -v -v --fingerprint"
davout: "replace keyid with fp ?" <<< sure, but how do i get
the fpr from a signed message? gpg -v -v will just return
the key id
davout: kakobrekla: "nfi why nano keeps keyid field in his db" <<< if you keep
the fingerprint you're automatically keeping
the key id as far as i understand since
the key id is simply
the second half of
the fpr
davout: thing is, i was also reading mp's deedbot spec,
the part i was wondering about was
the "extract keyid from signed message, and use it in w.b-a.link URL"
davout: yea, i was reading gpg's rfc yesterday and found out
that
they aren't supposed
to be relied upon for unicity
davout: kakobrekla: would it be hard
to make links such as w.b-a.link/trust/7C1FBEC924FBD66531A02AE3F95E4E395927DC9C/291237F37A2C023CADBED52513288EAB01713428/json work with keyids as well as fingerprints?
ben_vulpes: not
that anyone should expect a "developer"
to understand how
to write english well - it's hard and
takes a lot of dedicated study.
ben_vulpes: "pushed by" not "initiated by". furthermore, doesn't make
the usage somehow acceptable.
punkman: ben_vulpes, I
think "their/they" was being used long before
the queers adopted it
ben_vulpes: if you don't know
the gender, say "his or her"
ben_vulpes: a plural cannot by definition be a singular
thing.
Apocalyptic: looks like a valid "singular
they"
to me, "valid" in
the grammatical sense
davout: ben_vulpes: wasn't sure about
that, I assumed a weakness in my own english since no one brought
that up, but it did sound slightly weird,
thanks for clearing it up!
ben_vulpes: nevermind
that
them/their is actually incorrect grammar if not used in reference
to more
than one person