Framedragger: will take a look, ok. bbl
Framedragger: 'ocourse.
Framedragger: i know, i'm not trying to tailgate, jeebus
Framedragger: /afk
Framedragger: kk, yeah, sorry!
Framedragger: no hurries at all i guess
Framedragger: alf doesn't have time for much else. but this is just me being restless
Framedragger: fwiw the db will still be available in e,N,IP format at http://95.85.10.71:8000/all/
Framedragger: asciilifeform: yeah so i'll prolly end up dumping 10M ssh keys on phuctor's ass, via its web interface. i wonder if phuctor can handle parallel requests, to a point :P i won't be an asshole about it.
Framedragger: :)
Framedragger: jurov: apologies for not spotting the above, and thank you muchly!
Framedragger: look i just came back from an awesome mountain hike, can't even move my legs, but have just enough energy to re-use someone else's precious hacky code to test the ssh-rsa db entries
Framedragger: sometimes, maybe
Framedragger: jurov: do you have a script which uses PGPy and generates rfc4880 from e,N, then?
Framedragger: impervious*
Framedragger oblivious to any condescending remarks :P
Framedragger: mircea_popescu: yeah, lol :(
Framedragger: distributed computing on the other end
Framedragger: jurov: irc interface is for the lazy people
Framedragger: notrly
Framedragger: re. http://btcbase.org/log/2016-05-02#1461059
Framedragger: jurov: are you around and if so did you end up finding a way to make this work?
Framedragger: are you sure your tool will parse an 'artificial' openpgp key generated from public e,N only?
Framedragger: asciilifeform: re openpgp format: wait a sec, doesn't the 'packet' (as they are called there it seems) containing user info have to be signed or sth?
Framedragger: asciilifeform: kthx, good to know.
Framedragger: asciilifeform: btw would phuctor (as it currently works) be able to import an otherwise normal openpgp / rfc4880 key either (1) no self-sig or (2) a somehow borked (nulled? haven't looked at rfc4880 data structures yet) self-sig? as i see it lotsa info is actually contained *within* the signed part, in that format..
Framedragger: re evil maid, sure, that's a prob.
Framedragger: valfor is some unclaimed garbage collected side effect
Framedragger: it's lisp's fault, i knew it
Framedragger: mircea_popescu: yeah k, i mean, i may disagree re. dunbar's number being directly applicable here, maybe i'm some l33t package maintainer, but fair enough, won't argue further here
Framedragger: needed*
Framedragger: jurov: but probably nvm actually 'cause your tool i expect does not generate things like self-sigs out of nowhere, etc. (need by current instance of phuctor). would still like to take a look if it's around tho!
Framedragger: jurov: i heard you have a converter from tmsr format (e,N,comment) to openpgp, if that's true can you link to it perchance please? would save time / redundancy :)
Framedragger: ^ i'll re-think and converse better next time, bed time
Framedragger: otherwise doesn't scale at all, if 1000 people wanted to trust my subkey. i guess *you* could argue that fuck scale and fuck "lots of people", etc.
Framedragger: one practical consideration re you signing my subkeys: what if you really trusted my main key but then i later decided to move that key to offline storage for security, and derive a subkey - one may argue that gpg provides just this kind of means of streamlining the process - i sign my new subkey or whatever, and there's that, no need for you to meet me in person again. otherwise doesn't scale at all, if 1000 people wanted to trust my su
Framedragger: tru
Framedragger: so, yeah.
Framedragger: yeah i agree here, i do see that point
Framedragger: depends on matter of scale. if you zoom out and look at gpg as a whole then you just want to burn everything to the ground, sure. and if you zoom out further you want to rewrite more and more things. but sometimes it is worthwhile to consider relative differences of worth, too, so to speak.
Framedragger: i suppose that's what i wanted to state originally, yeah. i know it's not a strong case; but it's not utter bullshit, either.
Framedragger: maybe i'm jumping too much. apologies - sleepy; and i get the point.
Framedragger: i.e. they show only that.
Framedragger: right, sure. but then you'd agree that all phuctorings (save for one, apparently) are interesting insofar as one is interested in how broken this scheme is?
Framedragger: i agree. but what if there was some trust path from you to hpa's parent key; and there were no paths at all to the diddled child key. surely that's something, even if not enough for you to mark hpa's key (any key) as "trusted"
Framedragger: whether it truly worked well, whether some gpg clients are shit, whether keyservers should preemptively dismiss such keys - all worthy points of discussion, but separate.
Framedragger: let's particularize: hpa's parent key was embedded in the pgp wot (whether the latter is worth anything is a *separate* point) which people trusted. then, hpa's child key appears, and it's not properly signed by hpa's parent key, the latter being trusted prior. maybe the sig is not there, maybe the sig is invalid, whatever. child key gets rejected. this scheme in itself is not circular, and it *worked*.
Framedragger: maybe bad wording: not "self-signature" in this case, but rather one (parent) key signing another (child) key.
Framedragger: don't see a contradiction
Framedragger: i agree that it's a property of relations. a signature establishes a relation
Framedragger: non sequitur, even though the example is cute
Framedragger: hence self-sigs do provide value here; this is not to say that the notion of "subkey" shouldn't be razed from the earth, eventually.
Framedragger: i.e., the "fake subkey" case *can* be handled correctly.
Framedragger: account of*
Framedragger: http://btcbase.org/log/2016-06-16#1483669 << it does, however, show that a coherent account "fakeness" (from the query by yourself ("what makes a subkey fake ?")) is possible.
Framedragger: (schoen et al)
Framedragger: (and also the tree of comments below, which are not properly visually formatted, in terms of indentation)
Framedragger: http://btcbase.org/log/2016-06-16#1483611 << this does not make sense to me. granted, maybe i need to be elucidated. but gpg clients correctly handle hpa's key mess, viz. https://news.ycombinator.com/item?id=9561091 (link to particular comment about this particular case of diddling)
Framedragger afk
Framedragger: why does it have to be all abstract and difficult
Framedragger: mircea_popescu: whether signature by $key to which the key in question is a sub of is valid?
Framedragger: an ever-growing bunch of primes, right!
Framedragger: ahhhh
Framedragger: 8ball contains exclusively moduli only, right? cool.
Framedragger: s/but too/but this too/ ^^
Framedragger: and that's great and all.
Framedragger: btw i'd choose self-sigs over "trust sks keyservers not to include fake subkeys" any time of the year. obvs the point is to disassemble this false dichotomy. but short-term, self-sigs are not useless at all.
Framedragger: k, just making sure for the records, then
Framedragger: yeah i'm not certain how representative that figure is of whatever, honestly. with all metaphor removed, it literally is "the number of ipv4 hosts which respond to a TCP SYN to port 22 with TCP ACK [packet with ACK flag set]". i'm fairly confident that i haven't missed many hosts of this kind, but too should be replicated and tested.
Framedragger: > mircea_popescu: [15:40:33] well, going by Framedragger 's 20mn figure. aha.
Framedragger: yeh i'll be patient and will meanwhile muck around with what i've collected
Framedragger: heheh
Framedragger: asciilifeform: do you think it's a sensible idea to try and convert ssh public keys into rfc4880, and then submit them to phuctor (possibly in bulk)? or is that something i should leave to you?
Framedragger: asciilifeform: script worx, much thanks!
Framedragger still hasn't read schild's ladder. prolly need accompanying graph theory textbook
Framedragger: niiice.
Framedragger: australian d00d
Framedragger likes greg egan (hard scifi)
Framedragger: asciilifeform: gotcha. i have thing which converts ssh pubkey format to e,N,IP. i'll probably have a thing which generates rfc4880 (inserting ip address as comment field, say) from e,N,IP. thanks!
Framedragger: mircea_popescu: good advice, thanks
Framedragger: asciilifeform: ah wait lol: i'd be parsing ssh rsa keys, not pgp keys - different format - though also base64 etc. i'll check!
Framedragger: asciilifeform: cheers
Framedragger: that was fast :)
Framedragger: mircea_popescu: can't disagree with you there
Framedragger: i guess right now i'm more curious to see general statistics / trends, e.g. distribution of ssh server versions per given geo region / AS etc., not that it may be too useful, but just genuinely curious
Framedragger: mircea_popescu: yeah not the worst idea, i too think there may be not much of a market there though, but who knows.. good to know, if i ever come to consider b2b plans more seriously
Framedragger: not a big deal at all tho of course, useful for laters and for future exploitations and analysis infrastructure though
Framedragger: asciilifeform: kk, thanks, a script (or some description) would be useful!
Framedragger: the latter would be quite useful - i may spin up some simple analysis thingie which shows info for those ssh keys, and it'd be nice to be able to link to corresponding phuctor entries
Framedragger: for example say i have some public key available. is there a way for me to derive phuctor's permalink for that key (acknowledging that the permalink may not be active yet, i.e. phuctor does not even know of the pubkey etc) ?
Framedragger: asciilifeform: is there a 'stable' algorithm / spec for deriving phuctor's hash / permalink? you'd mentioned before that it "includes the entire key - names, emails, ~all~ subkeys."
Framedragger: coolcool.
Framedragger: lol, contactless cards. it's such a stupidly bad idea. reminds me of some hack0rz stealing us passport info because us passports used to have (or maybe still have dunno) *active* rfid chips. yes, active
Framedragger: always wanted to experiment more with artificial life a la karl sims virtual creatures but in larger mmorpg world
Framedragger: unrelated, allele set usage in eulora? damn, looks like i *may* have to give that gay game a try
Framedragger: asciilifeform: ahh. awesome setup.
Framedragger: asciilifeform: incidentally how's the backlog of phuctor? i expect it's rather busy as it is..
Framedragger: ah, indeed
Framedragger: casual as in unexpected
Framedragger: "And we shall have our pound of flesh, of thy fair flesh, from closest to thy heart." << hah i like casual quotes of mr william