[HN Gopher] PGP Signed Tweets
       ___________________________________________________________________
        
       PGP Signed Tweets
        
       Author : edent
       Score  : 34 points
       Date   : 2020-05-14 11:10 UTC (1 days ago)
        
 (HTM) web link (shkspr.mobi)
 (TXT) w3m dump (shkspr.mobi)
        
       | zokier wrote:
       | signify[1] signatures are 64 bytes + a 10-byte header, making the
       | total base64-encoded length 100 characters, which would
       | conveniently have fit even the old alt text easily
       | 
       | [1] https://man.openbsd.org/signify
        
         | upofadown wrote:
         | How would you get the public key to verify such a signature?
        
           | zokier wrote:
           | > There are no key servers for signify. No web of trust. Just
           | keys. The good news is the keys are pretty small. As
           | demonstrated. We can stick them just about everywhere, and we
           | do. They're on the web site, they're on twitter, they're on
           | the top side of CD. 56 base64 characters. You can read it out
           | loud over the phone in under a minute. Wide dispersion makes
           | it harder and harder to intercept all the ways you may get
           | the key and increases the risk of detection should anybody
           | try some funny business.
           | 
           | https://www.openbsd.org/papers/bsdcan-signify.html
           | 
           | but if you really want to have a central public place for
           | keys, then the recently discussed https://keys.pub should
           | work, just needs minor format conversion:
           | https://keys.pub/docs/specs/keys.html
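
The sizes zokier quotes (56 base64 characters for a key, 100 for a signature) follow directly from signify's blob layout: a 2-byte "Ed" algorithm tag, an 8-byte key number, then the raw 32-byte Ed25519 public key or 64-byte signature. The Go program below is an added example, not code from the article or from the OpenBSD project: it builds those two blobs with the standard library, verifies a constructed sample tweet, and rejects a signature whose key number does not match the key it is checked against. The "untrusted comment:" line that precedes the base64 line in real signify files is omitted; the sample tweet text is constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Layout of signify's key and signature blobs (the base64 line in its files):
// a 2-byte algorithm tag "Ed", an 8-byte key number chosen at keygen, then
// the raw Ed25519 material.
const (
	algoTag    = "Ed"
	keyNumLen  = 8
	headerLen  = len(algoTag) + keyNumLen          // 10 bytes
	pubBlobLen = headerLen + ed25519.PublicKeySize // 42 bytes -> 56 base64 chars
	sigBlobLen = headerLen + ed25519.SignatureSize // 74 bytes -> 100 base64 chars
)

// signifyKey is a keypair plus the key number that ties its signatures to it.
type signifyKey struct {
	keynum [keyNumLen]byte
	pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
}

// generateSignifyKey makes a fresh Ed25519 keypair and a random 8-byte key number.
func generateSignifyKey() (*signifyKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	k := &signifyKey{pub: pub, priv: priv}
	if _, err := rand.Read(k.keynum[:]); err != nil {
		return nil, err
	}
	return k, nil
}

// wrap prepends the signify header (algorithm tag + key number) and base64-encodes.
func (k *signifyKey) wrap(body []byte) string {
	blob := make([]byte, 0, headerLen+len(body))
	blob = append(blob, algoTag...)
	blob = append(blob, k.keynum[:]...)
	blob = append(blob, body...)
	return base64.StdEncoding.EncodeToString(blob)
}

// publicB64 is the 56-character key line you can put in a bio or read out over the phone.
func (k *signifyKey) publicB64() string { return k.wrap(k.pub) }

// sign returns the 100-character signature line for msg.
func (k *signifyKey) sign(msg []byte) string { return k.wrap(ed25519.Sign(k.priv, msg)) }

// verifySignify decodes a key line and a signature line, checks the algorithm
// tags and that both carry the same key number, then verifies the Ed25519
// signature over msg.
func verifySignify(pubB64, sigB64 string, msg []byte) error {
	pubBlob, err := base64.StdEncoding.DecodeString(pubB64)
	if err != nil {
		return fmt.Errorf("public key: %w", err)
	}
	sigBlob, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	if len(pubBlob) != pubBlobLen || len(sigBlob) != sigBlobLen {
		return errors.New("unexpected key or signature length")
	}
	if string(pubBlob[:2]) != algoTag || string(sigBlob[:2]) != algoTag {
		return errors.New("unsupported algorithm tag")
	}
	if !bytes.Equal(pubBlob[2:headerLen], sigBlob[2:headerLen]) {
		return errors.New("key number mismatch: signature was made with a different key")
	}
	if !ed25519.Verify(ed25519.PublicKey(pubBlob[headerLen:]), msg, sigBlob[headerLen:]) {
		return errors.New("signature verification failed")
	}
	return nil
}

func main() {
	k, err := generateSignifyKey()
	if err != nil {
		panic(err)
	}
	tweet := []byte("this is a great idea") // constructed sample tweet text
	pubLine, sigLine := k.publicB64(), k.sign(tweet)
	fmt.Printf("public key (%d chars): %s\n", len(pubLine), pubLine)
	fmt.Printf("signature  (%d chars): %s\n", len(sigLine), sigLine)
	fmt.Println("verify:", verifySignify(pubLine, sigLine, tweet))
}
```

The key-number check is what lets a verifier with several keys in hand report "wrong key" instead of a bare verification failure; it is not a security boundary on its own, since anyone can copy the 8 bytes, and the Ed25519 check is still what decides.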
        
       | [deleted]
        
       | aasasd wrote:
       | Aren't elliptic-curve signatures pretty short? (Though I may be
       | blatantly mistaking the applicability of the curves.)
       | 
       | Also til that somewhere on Twitter, alt-text can be specified.
        
       | justinsaccount wrote:
       | As I understand it, you have to be careful with signing short
       | messages with no metadata or context. Reply to some tweet with
       | 
       | > this is a great idea
       | 
       | and sign only that text. Now there's a signature of "this is a
       | great idea". I believe the signature has the creation time, but
       | there's nothing to tie it to the message you are replying to.
        
         | kbenson wrote:
         | I guess you could make sure each signed tweet starts with a
         | YYYY-mm-dd HH:MM:SS (TZ) line by itself. At least then a
         | reused old message would look weird because the time would be
         | wrong, and easily visible (but also easily ignored in the
         | common case, which is probably what is wanted).
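
The replay justinsaccount describes, and the timestamp kbenson proposes, both come down to what bytes the signature covers. The Go program below is an added example, not code from the article or from either commenter: it signs the bare text and shows that the same signature is accepted anywhere the text is quoted, then signs a small context-bound envelope (the ID of the tweet being replied to, a timestamp, and the text, on labelled lines) and shows the signature failing once the reply target is changed. The envelope field names and line format are this example's own convention, and the tweet IDs and timestamp are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// tweetEnvelope is what the signature should cover: not just the visible
// text, but which tweet it answers and when it was written. The field names
// and the line format are this example's own convention, not a standard.
type tweetEnvelope struct {
	InReplyTo string // ID of the tweet being replied to; empty for a top-level tweet
	Date      string // RFC 3339 timestamp; also shown in the tweet as kbenson suggests
	Text      string
}

// canonical returns the exact bytes that get signed. Each field sits on its
// own labelled line, and backslashes and newlines inside a field are escaped
// so a field value cannot smuggle in a fake header line and make two
// different envelopes serialise identically.
func (e tweetEnvelope) canonical() []byte {
	esc := strings.NewReplacer(`\`, `\\`, "\n", `\n`).Replace
	return []byte("in-reply-to:" + esc(e.InReplyTo) + "\n" +
		"date:" + esc(e.Date) + "\n" +
		"text:" + esc(e.Text) + "\n")
}

func newKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signBare / verifyBare: the naive scheme, a signature over the text alone.
func signBare(priv ed25519.PrivateKey, text string) []byte {
	return ed25519.Sign(priv, []byte(text))
}

func verifyBare(pub ed25519.PublicKey, text string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(text), sig)
}

// signEnvelope / verifyEnvelope: a signature over the context-bound canonical form.
func signEnvelope(priv ed25519.PrivateKey, e tweetEnvelope) []byte {
	return ed25519.Sign(priv, e.canonical())
}

func verifyEnvelope(pub ed25519.PublicKey, e tweetEnvelope, sig []byte) bool {
	return ed25519.Verify(pub, e.canonical(), sig)
}

func main() {
	pub, priv, err := newKeypair()
	if err != nil {
		panic(err)
	}
	// Constructed scenario: a reply to tweet 1001, later quoted under tweet 2002.
	text := "this is a great idea"
	bare := signBare(priv, text)
	fmt.Println("bare signature accepted wherever the text is quoted:", verifyBare(pub, text, bare))

	orig := tweetEnvelope{InReplyTo: "1001", Date: "2020-05-14T11:10:00Z", Text: text}
	sig := signEnvelope(priv, orig)
	moved := orig
	moved.InReplyTo = "2002"
	fmt.Println("envelope verifies in original context:", verifyEnvelope(pub, orig, sig))
	fmt.Println("envelope verifies when moved to tweet 2002:", verifyEnvelope(pub, moved, sig))
}
```

The verifier has to rebuild the same envelope from what it sees on Twitter (the reply target and the visible timestamp), so anything not reproducible by the reader cannot go into the signed bytes; the timestamp only helps if it is displayed, as kbenson notes.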
        
       | schmichael wrote:
       | At the very end in a parenthetical the author includes:
       | 
       | > (NB - alt text is really important for visually impaired users.
       | Please don't needlessly clutter their timeline with garbage.)
       | 
       | What is the impact on screen readers? Do visually impaired users
       | have to suffer through 1000 base64 characters being read aloud?
       | 
       | At the very least it seems like this warning should be at the top
       | of the article with a disclaimer to only use this method for good
       | reasons (eg after recovering your Twitter account post-hack or as
       | a one-time proof of identity).
       | 
       | Please don't use this and end up discouraging software and
       | services from properly supporting accessibility features!
        
         | prezjordan wrote:
         | > Do visually impaired users have to suffer through 1000 base64
         | characters being read aloud?
         | 
         | Yeah, but they'll use the keyboard to navigate to the next
         | paragraph after a few characters, or to the next tweet
         | entirely.
        
         | Steltek wrote:
         | You're of course correct but I also think you greatly
         | overestimate the number of people willing to even put up with
         | PGP, let alone sign their tweets with it.
        
         | hashworks wrote:
         | While I agree with you, detecting garbage text and not reading
         | it out without explicit request sounds like a feature that
         | screenreaders should have.
        
         | evan_ wrote:
         | I think a screen reader user would probably just skip to the
         | next element once they figured out it was gibberish. It might
         | be nice to add a line before the PGP header explaining what was
         | going on, though.
        
       ___________________________________________________________________
       (page generated 2020-05-15 23:00 UTC)