Melvin Carvalho [ARCHIVE] on Nostr: 📅 Original date posted:2013-05-14 📝 Original message:On 14 May 2013 20:41, ...
📅 Original date posted:2013-05-14
📝 Original message:On 14 May 2013 20:41, Peter Todd <pete at petertodd.org> wrote:
> report: https://bitcointalk.org/index.php?topic=205349.0
>
> Every talk will be widely witnessed and videotaped so we can get some
> reasonably good security by simply putting out PGP fingerprints in our
> slides. Yeah, some fancy attacker could change the videos after the
> fact, but the talks themselves will have wide audiences and a lot of
> opportunities for fraud to be discovered. That means it'd also be
> reasonable for people to sign those keys too if you are present and are
> convinced you aren't looking at some impostor. (of course, presenters,
> check that your PGP fingerprints are correct...)
>
>
> Remember that PGP depends on the web-of-trust. No single measure in a
> web-of-trust is needs to be absolutely perfect; it's the sum of the
> verifications that matter. I don't think it matters much if you have,
> say, seen Jeff Garzik's drivers license as much as it matters that you
> have seen him in a public place with dozens of witnesses that would
> recognize him and call out any attempt at fraud.
>
> Secondly remember that many of us are working on software where an
> attacker can steal from huge numbers of users at once if they manage to
> sneak some wallet stealing code in. We need better code signing
> practices, but they don't help without some way of being sure the keys
> signing the code are valid. SSL and certificate authorities have
> advantages, and so does the PGP WoT, so use both.
>
>
> FWIW I take this stuff pretty seriously myself. I generated my key
> securely in the first place, I use a hardware smartcard to store my PGP
> key, and I keep the master signing key - the key with the ability to
> sign other keys - separate from my day-to-day signing subkeys. I also
> PGP sign emails regularly, which means anyone can get a decent idea of
> if they have the right key by looking at bitcoin-development mailing
> list archives and checking the signatures. A truly dedicated attacker
> could probably sign something without my knowledge, but I've certainly
> raised the bar.
>
Just out of curiosity, could PGP keyservers suffer from a similar 51%
attack as the bitcoin network?
>
> --
> 'peter'[:-1]@petertodd.org
> 000000000000016be577c0f0ce4c04a05fdbfc8e0b6f69053659f32aeea3a518
>
>
> ------------------------------------------------------------------------------
> AlienVault Unified Security Management (USM) platform delivers complete
> security visibility with the essential security capabilities. Easily and
> efficiently configure, manage, and operate all of your security controls
> from a single console and one unified framework. Download a free trial.
> http://p.sf.net/sfu/alienvault_d2d
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20130514/17d09b72/attachment.html>
📝 Original message:On 14 May 2013 20:41, Peter Todd <pete at petertodd.org> wrote:
> report: https://bitcointalk.org/index.php?topic=205349.0
>
> Every talk will be widely witnessed and videotaped so we can get some
> reasonably good security by simply putting out PGP fingerprints in our
> slides. Yeah, some fancy attacker could change the videos after the
> fact, but the talks themselves will have wide audiences and a lot of
> opportunities for fraud to be discovered. That means it'd also be
> reasonable for people to sign those keys too if you are present and are
> convinced you aren't looking at some impostor. (of course, presenters,
> check that your PGP fingerprints are correct...)
>
>
> Remember that PGP depends on the web-of-trust. No single measure in a
> web-of-trust is needs to be absolutely perfect; it's the sum of the
> verifications that matter. I don't think it matters much if you have,
> say, seen Jeff Garzik's drivers license as much as it matters that you
> have seen him in a public place with dozens of witnesses that would
> recognize him and call out any attempt at fraud.
>
> Secondly remember that many of us are working on software where an
> attacker can steal from huge numbers of users at once if they manage to
> sneak some wallet stealing code in. We need better code signing
> practices, but they don't help without some way of being sure the keys
> signing the code are valid. SSL and certificate authorities have
> advantages, and so does the PGP WoT, so use both.
>
>
> FWIW I take this stuff pretty seriously myself. I generated my key
> securely in the first place, I use a hardware smartcard to store my PGP
> key, and I keep the master signing key - the key with the ability to
> sign other keys - separate from my day-to-day signing subkeys. I also
> PGP sign emails regularly, which means anyone can get a decent idea of
> if they have the right key by looking at bitcoin-development mailing
> list archives and checking the signatures. A truly dedicated attacker
> could probably sign something without my knowledge, but I've certainly
> raised the bar.
>
Just out of curiosity, could PGP keyservers suffer from a similar 51%
attack as the bitcoin network?
>
> --
> 'peter'[:-1]@petertodd.org
> 000000000000016be577c0f0ce4c04a05fdbfc8e0b6f69053659f32aeea3a518
>
>
> ------------------------------------------------------------------------------
> AlienVault Unified Security Management (USM) platform delivers complete
> security visibility with the essential security capabilities. Easily and
> efficiently configure, manage, and operate all of your security controls
> from a single console and one unified framework. Download a free trial.
> http://p.sf.net/sfu/alienvault_d2d
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20130514/17d09b72/attachment.html>