[HN Gopher] PGP Signed Tweets
___________________________________________________________________

PGP Signed Tweets

Author : edent
Score  : 34 points
Date   : 2020-05-14 11:10 UTC (1 day ago)

(HTM) web link (shkspr.mobi)
(TXT) w3m dump (shkspr.mobi)

| zokier wrote:
| signify[1] signatures are 64 bytes + 10 byte header, making the total
| base64 encoded length 100 characters, which would conveniently
| have fit easily even into the old alt text.
|
| [1] https://man.openbsd.org/signify
  | upofadown wrote:
  | How would you get the public key to verify such a signature?
    | zokier wrote:
    | > There are no key servers for signify. No web of trust. Just
    | keys. The good news is the keys are pretty small. As
    | demonstrated. We can stick them just about everywhere, and we
    | do. They're on the web site, they're on twitter, they're on
    | the top side of CD. 56 base64 characters. You can read it out
    | loud over the phone in under a minute. Wide dispersion makes
    | it harder and harder to intercept all the ways you may get
    | the key and increases the risk of detection should anybody
    | try some funny business.
    |
    | https://www.openbsd.org/papers/bsdcan-signify.html
    |
    | but if you really want to have a central public place for
    | keys, then the recently discussed https://keys.pub should
    | work, just needs minor format conversion:
    | https://keys.pub/docs/specs/keys.html
      | [deleted]
| aasasd wrote:
| Aren't elliptic-curve signatures pretty short? (Though I may be
| blatantly mistaking the applicability of the curves.)
|
| Also TIL that somewhere on Twitter, alt-text can be specified.
| justinsaccount wrote:
| As I understand it you have to be careful with signing short
| messages with no metadata or context. Reply to some tweet with
|
| > this is a great idea
|
| and sign only that text. Now there's a signature of "this is a
| great idea". I believe the signature has the creation time, but
| there's nothing to tie it to the message you are replying to.
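The two technical points in the thread so far, the size of a signify-style signature (zokier) and the replay problem with signing bare tweet text (justinsaccount), in one runnable example. This is added example code, not code from the linked post or from OpenBSD's signify. It reproduces only the binary layout the signify(1) man page documents (a 2-byte "Ed" tag and an 8-byte key id in front of the 32-byte Ed25519 public key or the 64-byte signature, which is where the 10-byte header and the 56- and 100-character base64 strings come from), using Go's standard-library Ed25519. The "tweet-sig-v1" canonical message format, the author/timestamp/reply-id fields and all sample data are assumptions made up for this example, not a format anyone on the page proposed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Blob layouts that signify(1) base64-encodes: a 2-byte algorithm tag "Ed",
// an 8-byte key identifier, then the 32-byte public key or 64-byte signature.
// 42 bytes encode to 56 base64 characters, 74 bytes to 100.
const (
	pkAlg      = "Ed"
	keyNumLen  = 8
	pubBlobLen = len(pkAlg) + keyNumLen + ed25519.PublicKeySize
	sigBlobLen = len(pkAlg) + keyNumLen + ed25519.SignatureSize
)

type Keypair struct {
	Pub    ed25519.PublicKey
	Priv   ed25519.PrivateKey
	KeyNum [keyNumLen]byte
}

// NewKeypair makes a fresh Ed25519 key with a random 8-byte key identifier.
func NewKeypair() (*Keypair, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	kp := &Keypair{Pub: pub, Priv: priv}
	if _, err := rand.Read(kp.KeyNum[:]); err != nil {
		return nil, err
	}
	return kp, nil
}

// blob prefixes payload with the "Ed" tag and key id and base64-encodes it.
func (kp *Keypair) blob(payload []byte) string {
	b := make([]byte, 0, len(pkAlg)+keyNumLen+len(payload))
	b = append(b, pkAlg...)
	b = append(b, kp.KeyNum[:]...)
	b = append(b, payload...)
	return base64.StdEncoding.EncodeToString(b)
}

// PublicKeyString is the 56-character key you could paste into a bio.
func (kp *Keypair) PublicKeyString() string { return kp.blob(kp.Pub) }

// Sign returns the 100-character signify-style signature over msg.
func (kp *Keypair) Sign(msg []byte) string { return kp.blob(ed25519.Sign(kp.Priv, msg)) }

// CanonicalMessage is the context binding this example adds (the format is
// invented here): the signature covers who posted, when, what it replies to
// and the text, so it cannot be reused under a different tweet.
func CanonicalMessage(author, timestamp, inReplyTo, text string) []byte {
	return []byte(strings.Join([]string{"tweet-sig-v1", author, timestamp, inReplyTo, text}, "\n"))
}

// Verify checks a base64 signature against a base64 public key and a message,
// rejecting malformed blobs and signatures made under a different key id.
func Verify(pubKeyStr, sigStr string, msg []byte) error {
	pub, err := base64.StdEncoding.DecodeString(pubKeyStr)
	if err != nil || len(pub) != pubBlobLen || string(pub[:len(pkAlg)]) != pkAlg {
		return errors.New("malformed public key")
	}
	sig, err := base64.StdEncoding.DecodeString(sigStr)
	if err != nil || len(sig) != sigBlobLen || string(sig[:len(pkAlg)]) != pkAlg {
		return errors.New("malformed signature")
	}
	const hdr = len(pkAlg) + keyNumLen
	if !bytes.Equal(pub[len(pkAlg):hdr], sig[len(pkAlg):hdr]) {
		return errors.New("signature was made with a different key")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub[hdr:]), msg, sig[hdr:]) {
		return errors.New("signature does not match message")
	}
	return nil
}

func main() {
	kp, err := NewKeypair()
	if err != nil {
		panic(err)
	}
	pk := kp.PublicKeyString()
	fmt.Printf("public key (%d chars): %s\n", len(pk), pk)

	// 1. Signature over the bare text: anyone can lift it and attach it to the
	//    same words posted as a reply to a completely different tweet.
	bare := []byte("this is a great idea")
	sig := kp.Sign(bare)
	fmt.Printf("signature (%d chars): %s\n", len(sig), sig)
	fmt.Println("bare text verifies regardless of context:", Verify(pk, sig, bare) == nil)

	// 2. Signature over the context-bound message (constructed sample data).
	orig := CanonicalMessage("alice", "2020-05-14 11:10:00 UTC", "tweet-id-123", "this is a great idea")
	moved := CanonicalMessage("alice", "2020-05-14 11:10:00 UTC", "tweet-id-456", "this is a great idea")
	sig = kp.Sign(orig)
	fmt.Println("original context verifies:", Verify(pk, sig, orig) == nil)
	fmt.Println("replayed under another tweet verifies:", Verify(pk, sig, moved) == nil)
}
```

The verifier has to rebuild the exact canonical string from the tweet's own metadata (author, time, parent id), so the fields must be ones a reader can recover from the tweet itself; a timestamp alone only makes a replay look stale, while including the parent id makes it fail verification outright.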
  | kbenson wrote:
  | I guess you could make sure each signed tweet starts with a
  | YYYY-mm-dd HH:MM:SS (TZ) line by itself. At least then a
  | reused old message would look weird because the time would be
  | wrong, and easily visible (but also easily ignored in the
  | common case, which is probably what is wanted).
| schmichael wrote:
| At the very end in a parenthetical the author includes:
|
| > (NB - alt text is really important for visually impaired users.
| Please don't needlessly clutter their timeline with garbage.)
|
| What is the impact on screen readers? Do visually impaired users
| have to suffer through 1000 base64 characters being read aloud?
|
| At the very least it seems like this warning should be at the top
| of the article with a disclaimer to only use this method for good
| reasons (eg after recovering your Twitter account post-hack or as
| a one-time proof of identity).
|
| Please don't use this and end up discouraging software and
| services from properly supporting accessibility features!
  | prezjordan wrote:
  | > Do visually impaired users have to suffer through 1000 base64
  | characters being read aloud?
  |
  | Yeah, but they'll use the keyboard to navigate to the next
  | paragraph after a few characters - or the next tweet
  | entirely.
    | Steltek wrote:
    | You're of course correct but I also think you greatly
    | overestimate the number of people willing to even put up with
    | PGP, let alone sign their tweets with it.
  | hashworks wrote:
  | While I agree with you, detecting garbage text and not reading
  | it out without explicit request sounds like a feature that
  | screenreaders should have.
  | evan_ wrote:
  | I think a screen reader user would probably just skip to the
  | next element once they figured out it was gibberish. It might
  | be nice to add a line before the PGP header explaining what was
  | going on, though.
___________________________________________________________________
(page generated 2020-05-15 23:00 UTC)