Should PGP keys be made mandatory for high ranks? - page 2.

bones261

legendary

Activity: 1806

Merit: 1827

Quote from: asche on March 02, 2019, 02:19:28 PM

Quote from: Carlton Banks on March 02, 2019, 01:54:45 PM

Using Bitcoin keys is more difficult, you need to get people to use legacy addresses, as there's no message signing standard using segwit addresses. Awkward situation.

And what's the trouble keeping a legacy address?

Also it IS possible to sign a message with a segwit address.

Exactly. Especially since it it is probably advisable to stake an address here that you never intend on using for receiving payments.

asche

legendary

Activity: 1484

Merit: 1489

I forgot more than you will ever know.

Quote from: Carlton Banks on March 02, 2019, 01:54:45 PM

Using Bitcoin keys is more difficult, you need to get people to use legacy addresses, as there's no message signing standard using segwit addresses. Awkward situation.

And what's the trouble keeping a legacy address?

Also it IS possible to sign a message with a segwit address.

Carlton Banks

legendary

Activity: 3430

Merit: 3071

Using Bitcoin keys is more difficult, you need to get people to use legacy addresses, as there's no message signing standard using segwit addresses. Awkward situation.

asche

legendary

Activity: 1484

Merit: 1489

I forgot more than you will ever know.

I don't see the point in using PGP for that specific reason. A specific bitcoin or ethereum addy is perfectly fine for that usage.

Carlton Banks

legendary

Activity: 3430

Merit: 3071

Re: SHA-1 fingerprints

does this matter for the current PGP use-case on Bitcointalk? The fingerprint need not (and AFAIU is not) be used for account recovery.

bones261

legendary

Activity: 1806

Merit: 1827

Quote from: EcuaMobi on March 02, 2019, 10:28:51 AM

Quote from: bones261 on March 02, 2019, 10:17:08 AM

Quote from: EcuaMobi on March 02, 2019, 10:03:05 AM

Yes, it would be very helpful, along with:

Requirement for a signed message with the previous key in order to register a new one

I'm not too sure that I like this idea. I ended up staking a new address because the original was controlled by coinbase. Unfortunately, coinbase disabled the ability to sign a message. I don't think the simple fact of losing a key should put a beloved account at risk of being locked out forever. I know us Bitcoiners are used to it. However, it is actually a security flaw to make access totally unrecoverable if keys are lost.

What happened to you regarding coinbase can't happen with PGP keys. These keys are yours only and can't ever be managed by anybody else, even less so exclusively by someone else. PGP keys should be backed-up and safely kept. If someone loses their PGP keys it would at least be a sign they're not very well at security.

There could be a way to set a new PGP certificate if the last one's keys were lost, but it shouldn't be easy at least. It should require some deep verification.

But this is really secondary compared to first actually having PGP keys registered into the forum, that or another standard that proves to be more secure.

Eventually losing your keys or having them compromised is the way of the universe. However, I guess for the purpose of this forum, there is no need for anyone else to gain access in the event of my death.

Carlton Banks

legendary

Activity: 3430

Merit: 3071

Quote from: hacker1001101001 on March 02, 2019, 10:25:55 AM

this was already suggested by OgNasty to theymos, and theymos thinks PGP keys are insecure and it needs a revision.

Quote from: theymos on February 25, 2019, 06:01:01 PM

Quote from: OgNasty on February 25, 2019, 05:56:21 PM

I’ve long thought there should be a spot for PGP fingerprint.

PGP fingerprints are SHA-1, which is insecure. The OpenPGP standard really needs a complete new revision...

hmmm, that means spoofing fingerprints is fairly trivial. Awkward.

EcuaMobi

legendary

Activity: 1862

Merit: 1469

https://Ecua.Mobi

Quote from: bones261 on March 02, 2019, 10:17:08 AM

Quote from: EcuaMobi on March 02, 2019, 10:03:05 AM

Yes, it would be very helpful, along with:

Requirement for a signed message with the previous key in order to register a new one

I'm not too sure that I like this idea. I ended up staking a new address because the original was controlled by coinbase. Unfortunately, coinbase disabled the ability to sign a message. I don't think the simple fact of losing a key should put a beloved account at risk of being locked out forever. I know us Bitcoiners are used to it. However, it is actually a security flaw to make access totally unrecoverable if keys are lost.

What happened to you regarding coinbase can't happen with PGP keys. These keys are yours only and can't ever be managed by anybody else, even less so exclusively by someone else. PGP keys should be backed-up and safely kept. If someone loses their PGP keys it would at least be a sign they're not very well at security.

There could be a way to set a new PGP certificate if the last one's keys were lost, but it shouldn't be easy at least. It should require some deep verification.

But this is really secondary compared to first actually having PGP keys registered into the forum, that or another standard that proves to be more secure.

hacker1001101001

sr. member

Activity: 1288

Merit: 415

Bitcoin address are one of the main part in the working of the forum. If a person could not verify his BTC address by signing a message means he could not recover his account in case its locked or hacked. It is one of the important criteria to recover a account along with the original email so adding it as an filled on the Bitcointalk profile is a pretty good suggestion.

But this was already suggested by OgNasty to theymos, and theymos thinks PGP keys are insecure and it needs a revision.

Quote from: theymos on February 25, 2019, 06:01:01 PM

Quote from: OgNasty on February 25, 2019, 05:56:21 PM

I’ve long thought there should be a spot for PGP fingerprint.

PGP fingerprints are SHA-1, which is insecure. The OpenPGP standard really needs a complete new revision...

bones261

legendary

Activity: 1806

Merit: 1827

Quote from: EcuaMobi on March 02, 2019, 10:03:05 AM

Yes, it would be very helpful, along with:

Requirement for a signed message with the previous key in order to register a new one

I'm not too sure that I like this idea. I ended up staking a new address because the original was controlled by coinbase. Unfortunately, coinbase disabled the ability to sign a message. I don't think the simple fact of losing a key should put a beloved account at risk of being locked out forever. I know us Bitcoiners are used to it. However, it is actually a security flaw to make access totally unrecoverable if keys are lost.

EcuaMobi

legendary

Activity: 1862

Merit: 1469

https://Ecua.Mobi

Yes, it would be very helpful, along with:

Requirement for a signed message with the previous key in order to register a new one
An option to encrypt any received PM, using the registered public key
An option to automatically verify a message was signed by somebody, using the registered public key

Accounts could still be sold along with the private keys, but this would pretty much make impossible to hack accounts, and would definitely increase security privacy.

Carlton Banks

legendary

Activity: 3430

Merit: 3071

Maybe start out saying Legendaries must register PGP keys within a timeout that starts after their most recent login? Then move that requirement down the ranks slowly.

It seems like PGP usage is sort of encouraged, but then again there is also a field in Profile Settings for MSN and Skype handles Roll Eyes

If PGP is needed to recover accounts, why not actually make it a part of the forum? Given that Bitcoin is really a part of a wider push towards personal cryptography as a whole, I'm slightly surprised we're still at the "post your public key in this thread" stage

Topic: Should PGP keys be made mandatory for high ranks? - page 2. (Read 520 times)