Please include the whole ASCII-armoured key on the security page #162
Comments
Yup, it's pretty basic Jekyll, but there's some design considerations involved, so don't feel bad. :) @kyungmin, basically, fitting the text linked here somewhere would be good: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAE14B43B026A673F As @richo said, maybe just a link to another page with the raw data would be fine, or maybe some kind of footnote/popup? Thoughts?
Welp, except that you shouldn't fetch the key material via http when you go to publish it, if you want to go full tinfoil hat (I always go full tinfoil hat). That said, it'd be fantastic to cut out an extra point of failure in the process.
Right, I just didn't want to copy/paste the huge block in here.
@richo wanna take a stab at adding it?
I can have a dig at it, but I don't really do frontend stuff, and I have exactly no idea how you want a massive monospace block of ASCII-armoured key material presented on your site.
@richo should we link to a gist maybe?
Oh, I've got the key no stress. The trick is working out where you want it stuck on the page :)
How about something like 'copy to clipboard'? @dmdj03 any thoughts? @steveklabnik would there be any issue with showing only a small portion of the armored key?
That's what the key ID already is: the point of having the armored key is that it's the entire one.
Yup. I'd favor either expansion or a lightbox/popup.
@richo I'm not sure if I fully understand what you mean. How is copy to clipboard not ideal? My understanding so far is: 1) all options require some JavaScript/interactivity, 2) popups or sliding panels require more clicks (click button, select to copy, close) than copy to clipboard (click button).
@kyungmin I believe he's saying that copy to clipboard requires Flash, which is usually implemented by a 3rd party and has a poor history of security. There does appear to be a library (http://zeroclipboard.org/) that does not require Flash; I'm not sure how well it works.
@mjallday hit the nail on the head. ZeroClipboard still wants a Flash applet running. Unless something drastic has changed since the last time I looked, there's no way to access the clipboard from JS, and no plans to start supporting it (largely because of how difficult it'd be to stop people from doing nasty things with it; think about marketers keeping track of what's on your clipboard with a tracking snippet). I agree that the popup/slide out involves more clicks, but (all things going to plan) it should be a fairly rare occurrence that someone actually needs this key, and given the target audience, security researchers, who probably don't have Flash installed anyway, I don't think the extra work is an issue. The 3rd issue with the Flash/clipboard option is that you still need to provide some way to get at the whole key, because if you actually make it impossible to get the key without Flash installed that would be pretty bad.
Thanks for elaborating on this! Totally makes sense. In that case, a sliding panel seems like a slightly less obtrusive option to me. @dmdj03 what do you think? If you can propose a mockup, I'll make the changes.
We discussed doing a slider/expand since it's 1 less click for the user.
Why did this get closed?
I think it got automatically closed with the merge of #156, but it still doesn't really address my issue with the full public key not being available from a trusted source.
I had a brief look at just implementing this for a PR, but it looks like your MD templates have yaml in them that gets preprocessed?
Anyway, rather than publishing your fingerprint and relying on keyservers to both be up, work and have your key, it'd be much better to either include your full ASCII-armoured key on the page, or a link to it on another https endpoint on the same domain.
Thanks for having a responsible disclosure policy in the first place.
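Checking fetched key material against the ID a security page advertises, as an added example that is not part of this thread or of the project's site: it decodes an ASCII-armoured public key block, verifies the armour's CRC24 line, derives the v4 fingerprint (RFC 4880) and compares the 64-bit key ID. The key block is a constructed toy RSA packet, not the project's key, and the parser assumes an old-format v4 public-key packet at the start of the block.

```python
import base64
import hashlib

BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    crc = 0xB704CE  # armour checksum, RFC 4880 section 6.1
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF
def armor(packets: bytes) -> str:
    """Wrap raw OpenPGP packets in a public key block, CRC line included."""
    b64 = base64.b64encode(packets).decode()
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, ""] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + ["=" + crc, END])
def dearmor(text: str) -> bytes:
    """Decode a public key block; refuse it when the CRC24 line does not match."""
    lines = text.strip().splitlines()
    body = lines[1:-1]
    while body and body[0].strip():  # skip "Version:"-style armour headers
        body.pop(0)
    if lines[0] != BEGIN or lines[-1] != END or len(body) < 2 or body[-1][:1] != "=":
        raise ValueError("not a checksummed armoured public key block")
    packets = base64.b64decode("".join(body[1:-1]))
    if crc24(packets) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("armour checksum mismatch: key material corrupted")
    return packets
def fingerprint_v4(packets: bytes) -> str:
    """SHA-1 fingerprint of the leading v4 public-key packet (RFC 4880 section 12.2)."""
    length_type = packets[0] & 0x03
    if packets[0] & 0xFC != 0x98 or length_type > 1:  # old-format header, tag 6
        raise ValueError("expected an old-format public-key packet")
    length = int.from_bytes(packets[1:2 + length_type], "big")  # one- or two-octet length
    body = packets[2 + length_type:2 + length_type + length]
    if body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    return hashlib.sha1(b"\x99" + length.to_bytes(2, "big") + body).hexdigest().upper()
def matches_published_id(armored: str, published_id: str) -> bool:
    """The 64-bit key ID is the low-order eight bytes of the v4 fingerprint."""
    return fingerprint_v4(dearmor(armored))[-16:] == published_id.upper()[-16:]
def sample_key_packet() -> bytes:
    """Constructed toy v4 RSA public-key packet (tiny MPIs, not a usable key)."""
    mpi = lambda x: x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + (1415000000).to_bytes(4, "big") + b"\x01" + mpi((1 << 31) + 11) + mpi(65537)
    return b"\x99" + len(body).to_bytes(2, "big") + body  # 0x99: old format, tag 6, two-octet length
```

A site publishing the block over https on its own domain can run the same comparison against the key ID it prints, so a keyserver outage or a wrong key on a keyserver is caught before anyone encrypts to it.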