Implement GPG Verification (Bitcoin-OTC)

Question

I'm looking to implement a "Verify with Bitcoin-OTC" feature for my web app. The general idea is the user would prove he owns a particular account on the external site Bitcoin-OTC and my app would accept/deny him based on his rating there.

Here's how I'm thinking of implementing this:

1. User provides Bitcoin-OTC username.
2. My app looks up his GPG fingerprint using this bitcoin-otc gem.
3. My app presents the user with his encrypted one-time password and asks him to decrypt it.
4. User provides decrypted password.
5. My app verifies it with the gpg everify command on Freenode and accepts/denies the user.

The part I'm struggling with is step #5. I'm doing it this way because I'm not sure Bitcoin-OTC exposes an API. I'm not sure how to programmatically communicate with the bot on their IRC channel.

Steps 1-5 are basically how a user would verify himself on the Bitcoin-OTC IRC channel except my app is acting as a middleman.

My questions are:

• How can I achieve step #5?
• Does adding my app into this flow introduce any security risks?

Edit:

I've been doing some research and I've realized I can probably just get the user to sign a message stating he owns the Bitcoin-OTC account in question.

If the message is signed with the fingerprint tied to the Bitcoin-OTC account and the signature is trusted, then can I be sure the user is who he says he is?

Here is my proposed flow in an ad-hoc Ruby script:

require 'bitcoin/otc'

account = Bitcoin::OTC::Account['mhluska']

message = Time.now.to_i.to_s + " I am the owner of username #{account.nick} on Bitcoin-OTC"

puts 'Run the following command to sign a message using your GPG fingerprint #{account.fingerprint}:'
puts "$ echo \"#{message}\" | gpg --clearsign"
puts "Paste it back here and press Ctrl+D"

$/ = "\0"
message = STDIN.gets

response = %x[echo "#{message}" | gpg --verify 2>&1]

if response.include?('Good signature')
  if response.include?('This key is not certified')
    puts 'Good signature but untrusted'
  else
    puts 'Good signature and trusted'
  end
else
  puts 'Bad signature'
end

Answer 1

Rather than going through the whole #bitcoin-otc login procedure on behalf of your users (which, in the case of an existing session, may either be denied or attempt to replace the current session), you could have a bot present in #bitcoin-otc and then either require the ident-verified users to message it with a randomly generated token, or have them request a token from the bot to use on the website. You could decouple the bot from your main backend as well by providing the user with an encoded message that includes the verified response from ident signed by your bot — you would not need to implement any communication between the bot and your main app components since it would just endorse responses from ident. I believe that users would feel more secure with some of these approaches, as there may be some concern about a remote agent performing this auth within a largely security-aware community.

Most languages have established IRC libs, so it should be pretty straightforward once you get familiar with one for your language of choice.

EDIT

If you just want to verify ownership of a GPG-verified account, then just roll your own GPG verification. If you prefer Ruby, you can use https://github.com/ueno/ruby-gpgme to encrypt a signed/timestamped token for the user's public key. You wouldn't have to keep state, just verify that the token provided has a valid signature applied by your server. There may already be an open implementation like this today.